Alex

Alex

Planned

So today my server and all it's domains stopped working because the nginx config was invalid... took a few hours but I figured out what happened:

  • Added a (self-signed) existing certificate to the site
  • Added another (self-signed) existing certificate to the site (with the intend of replacing the old one)
  • Removing the old certificate

Result: Broken nginx config and server state since the SSL files are removed from the server but the nginx configuration still includes them.

Note: I did these steps a few weeks ago, only broke now because I had to restart nginx for package updates.

After debugging I found this is because the SSL config is created as /etc/nginx/ssl/<sitename> and corresponding /etc/nginx/ssl/certificates/<sitename>.{crt,key}. When multiple certificates are named the same (the user has no control over this name) Ploi simply overwrites existing files. When then removing one of the certificates from Ploi the files are simply deleted, but since Ploi still has a certificate listed the SSL config stays trying to include the deleted /etc/nginx/ssl/<sitename> causing the nginx config to be in a broken state. Can only be recovered by re-creating a self-signed cert or removing all certificates from Ploi.

The choice to use <sitename> for the filenames seems like a poor choice in this scenario since multiple certificates can have the same filename causing conflicts and an unexpected state on the server.

Please note that the self-signed certs do not list the <sitename> in them (I explicitly tested this) to see if I had any control over the physical filenames but it seems like self-signed certs (possibly others) have a harcoded filename.

This is obviously not very good, hope it can be fixed since Ploi did not stop me from doing this action it seems like this sequence of actions should be supported! :)

Dennis

Dennis

·
·

An easy fix for this would be to just include an ID from our end to the filename, right?

no votes yet
Alex

Alex

Item author
·
·

Yeah that would work great. Maybe that also allows us to add multiple certificates and select which one is active?

Not sure what currently happens if you add multiple certificates for a site?

no votes yet
You may use @ to mention someone.

Bug: Adding multiple self-signed certificates overwrites previous and removing it produces invalid nginx configuration

3 total votes
Stanley SMIT. Alex
  • Dennis moved item to board Planned

    2 years ago
  • Alex moved item to project Panel Requests

    2 years ago
  • Alex created the item

    2 years ago