Applicable to:
- Plesk Onyx for Linux
Symptoms
- Nginx is enabled and is used as a web proxy in combination with Apache:
# /usr/local/psa/admin/bin/nginxmng -s
Enabled
- Nginx service cannot start. Error in /var/log/messages (for RedHat, CentOS, CloudLinux) or in /var/log/syslog (for Ubuntu, Debian):
CONFIG_TEXT: nginx: [emerg] BIO_new_file("/usr/local/psa/var/certificates/certXXXXXXX") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/usr/local/psa/var/certificates/certXXXXXXX','r') error:2006D080:BIO routines:BIO_new_file:no such file)
- A similar error is shown in Plesk GUI:
PLESK_ERROR: New configuration files for the Apache web server were not created due to the errors in configuration templates: nginx: [emerg] BIO_new_file("/usr/local/psa/var/certificates/certXXXXXXX") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/usr/local/psa/var/certificates/certXXXXXXX','r') error:2006D080:BIO routines:BIO_new_file:no such file) nginx: configuration file /etc/nginx/nginx.conf test failed.
or
PLESK_ERROR: New configuration files for the Apache web server were not created due to the errors in configuration templates: nginx: [emerg] PEM_read_bio_X509_AUX("/usr/local/psa/var/certificates/XXXXXXX") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE) nginx: configuration file /etc/nginx/nginx.conf test failed.
- Certificate file reported in the error is missing from the directory /opt/psa/var/certificates/:
# ls -la /opt/psa/var/certificates/ | grep certXXXXXXX
(empty output)
- Apache service is up and running; it may be listening on ports 7080/7081 or 80/443:
# netstat -tlpn | grep -E ":7080|:7081|:80|:443" | grep -E "apache|httpd"
tcp 0 0 0.0.0.0:7080 0.0.0.0:* LISTEN 692/apache2
tcp 0 0 0.0.0.0:7081 0.0.0.0:* LISTEN 692/apache2
- Website is not accessible:
CONFIG_TEXT: Unable to connect
Can't establish a connection to the server at example.com
- Domain example.com may not exist in Plesk:
# plesk bin domain -l | grep example.com
- Some websites hosted in Plesk may show the Plesk default page, web-server page or webmail login page.
- Webmail is opened instead of the website itself when accessing example.com.
Cause
SSL certificate changes are not applied to nginx configuration files.
Resolution
- Log in to Plesk
- Open Extensions > My Extensions > Webserver Configurations Troubleshooter > Open
- Click the arrow near the search bar, filter the configuration files by status "Error" and click Search.
- Select the configuration files for the non-existing domain and click Remove.
- Re-create web configuration files server-wide by clicking the Rebuild button and selecting All.
1. Log in to Plesk server via SSH as root user.
2. Disable nginx service to temporarily switch all websites to Apache and remove the impact:
# /usr/local/psa/admin/bin/nginxmng -d
3. Search for all configuration files that load the certificate file mentioned in the error message:
# grep -R certXXXXXXX /etc/nginx/
/etc/nginx/plesk.conf.d/vhosts/example.com.conf: ssl_certificate /usr/local/psa/var/certificates/certXXXXXXX;
/etc/nginx/plesk.conf.d/webmails/webmail.example.com.conf: ssl_certificate /usr/local/psa/var/certificates/certXXXXXXX;
4. Move all soft links to broken configuration files out of the directories /etc/nginx/plesk.conf.d/vhosts and /etc/nginx/plesk.conf.d/webmails:
# mv /etc/nginx/plesk.conf.d/vhosts/example.com.conf /
# mv /etc/nginx/plesk.conf.d/webmails/webmail.example.com.conf /
5. Check whether any other misconfigurations remain:
# nginx -t
If more orphaned files remain, repeat step 3 with the new certificate name that appears in the error.
6. Once the nginx configuration test is successful, rebuild web server configuration:
# plesk bin repair --reconfigure-ssl-certificates
# plesk repair web -y
7. Enable nginx:
Warning: To avoid errors on Debian systems, replace "NGINX_ENABLED=no" with "NGINX_ENABLED=yes" in /etc/default/nginx
# /usr/local/psa/admin/bin/nginxmng -e
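The grep / nginx -t loop in the SSH procedure above surfaces one broken certificate reference per pass. The following added example (not part of the original article and not Plesk tooling) lists every nginx configuration file whose certificate target is missing or has no PEM certificate block in a single pass. The function name find_broken_certs and the status labels MISSING and NO_PEM_CERT are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Plesk code): report nginx config files whose
# ssl_certificate / ssl_certificate_key target is missing or is not PEM.
# Assumes one directive per line and certificate paths without spaces.

find_broken_certs() {
    conf_dir="${1:-/etc/nginx/plesk.conf.d}"

    # -L follows the soft links kept in vhosts/ and webmails/;
    # dangling links are skipped because they are not regular files.
    find -L "$conf_dir" -type f -name '*.conf' -exec awk '
        $1 == "ssl_certificate" || $1 == "ssl_certificate_key" {
            path = $2
            sub(/;$/, "", path)
            printf "%s\t%s\t%s\n", FILENAME, $1, path
        }' {} + 2>/dev/null |
    while IFS="$(printf '\t')" read -r conf directive path; do
        if [ ! -f "$path" ]; then
            # nginx: BIO_new_file(...) failed ... no such file
            status=MISSING
        elif [ "$directive" = ssl_certificate ] &&
             ! grep -qF -e '-----BEGIN CERTIFICATE-----' \
                        -e '-----BEGIN TRUSTED CERTIFICATE-----' "$path"; then
            # nginx: PEM_read_bio_X509_AUX(...) failed ... no start line
            status=NO_PEM_CERT
        else
            continue
        fi
        # One line per config file and certificate path
        printf '%s\t%s\t%s\n' "$status" "$conf" "$path"
    done | sort -u
}

# Run against a directory given on the command line, e.g.
#   sh find_broken_certs.sh /etc/nginx/plesk.conf.d
if [ "$#" -gt 0 ]; then
    find_broken_certs "$1"
fi
```

Run it as root, since the certificate files are readable by root only; an unreadable file is otherwise reported as NO_PEM_CERT.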
Comments
6 comments
Hi, unfortunately step 5 results in the following error:
"ERR [panel] Apache config (15259610120.62015100) generation failed: Template_Exception: nginx: [emerg] BIO_new_file("/usr/local/psa/var/certificates/cert-Yfl6ly") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/usr/local/psa/var/certificates/cert-Yfl6ly','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed
file: /usr/local/psa/admin/plib/Template/Writer/Webserver/Abstract.php
line: 75
code: 0
shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
nginx: [emerg] BIO_new_file("/usr/local/psa/var/certificates/cert-Yfl6ly") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/usr/local/psa/var/certificates/cert-Yfl6ly','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed"
What can I do now to start nginx and fix my webconfig files?
@Liv, to resolve the issue with Apache certificates missing, use this link.
After that reapply steps from the following article.
@Ivan, sorry completely missed your answer. It's Saturday so figured give it another try ;)
I'm really stuck though. Let me replicate what I've done.
So first I went to the article and did step 2: ls -l /usr/local/psa/var/certificates/
I get a list of certificates, the one from my error is not in the list.
Then I did this: cp -rf /usr/local/opt/psa/var/certificates/cert-Ybzgms /usr/local/opt/psa/var/certificates/cert-Yfl6ly
(the first certificate is just one of the ones I see listed, the second is the certificate from my error)
My certificates look like this in the list: -r-------- 1 root root 5155 Sep 15 14:37 cert-Ybzgms
But I get this error: cp: cannot stat ‘/usr/local/opt/psa/var/certificates/cert-YCGwrP’: No such file or directory
So basically whatever I do, it says there is no file or directory. I still can't start nginx and when I go in Plesk to my webserver configuration files I see an error for the nginxWebmail.php file for all domains.
So, I guessed something is wrong with the permissions then so I tried doing things I don't really understand like: mkdir /usr/local/psa/var/certificates/cert-Yfl6ly
which creates a certificate file but ofc not correct, it looks like this: drwxr-xr-x 2 root root 6 Sep 15 14:30 cert-Yfl6ly
That's weird, so tried to change the permission to what I saw in the article you mentioned to -rw-r--r-- with this: chmod 644 /usr/local/opt/psa/var/certificates/cert-Yfl6ly, this results in this error: chmod: cannot access '/usr/local/opt/psa/var/certificates/': No such file or directory
So I'm stuck super stuck, now I have this certificate file that's wrong and I keep getting the no file or directory error for everything. Could you please help me out finding out what to do next?
@Liv
> But I get this error: cp: cannot stat ‘/usr/local/opt/psa/var/certificates/cert-YCGwrP’: No such file or directory
This means that one more certificate is missing; it also needs to be recreated from an existing certificate.
> I don't really understand like: mkdir /usr/local/psa/var/certificates/cert-Yfl6ly
This command creates a directory; it should not be used here.
> in Plesk to my webserver configuration files I see an error for the nginxWebmail.php file for all domains.
What is the full error message shown?
> That's weird, so tried to change the permission to what I saw in the article you mentioned to -rw-r--r-- with this: chmod 644 /usr/local/opt/psa/var/certificates/cert-Yfl6ly
An incorrect path is specified in the command; use /usr/local/psa/var/certificates/cert-Yfl6ly
As the issue is quite critical I would suggest contacting support:
https://support.plesk.com/hc/en-us/articles/213409109-How-to-get-technical-support-for-Plesk-
I see the path wasn't correct, thanks for that. I've done this now:
cp -rf /usr/local/psa/var/certificates/cert-xVo1wS /usr/local/psa/var/certificates/cert-Yfl6ly
and it doesn't give any error so that's good. But when I do this:
ls -l /opt/psa/var/certificates/
The certificate doesn't show in the list still. Should it show?
Then when I try to start nginx it gives this error now:
[2018-09-16 17:42:23.369] ERR [util_exec] proc_close() failed ['/usr/local/psa/admin/bin/nginx-config' '-t'] with exit code [1]
[2018-09-16 17:42:27.723] ERR [util_exec] proc_close() failed ['/usr/local/psa/admin/bin/nginx-config' '-t'] with exit code [1]
[2018-09-16 17:42:28.048] ERR [panel] Apache config (15371125330.88167200) generation failed: Template_Exception: nginx: [emerg] PEM_read_bio_X509_AUX("/usr/local/psa/var/certificates/cert-Yfl6ly") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)
nginx: configuration file /etc/nginx/nginx.conf test failed
file: /usr/local/psa/admin/plib/Template/Writer/Webserver/Abstract.php
line: 75
code: 0
nginx: [emerg] PEM_read_bio_X509_AUX("/usr/local/psa/var/certificates/cert-Yfl6ly") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)
nginx: configuration file /etc/nginx/nginx.conf test failed
It seems the error changed but it still doesn't work. Any ideas?
Hi @Liv,
This error means that the certificate is missing some parts inside it.
I suggest doing the following:
1. List all certificates with ls -lh, so you can see the size of the files:
# ls -lh /usr/local/psa/var/certificates/
2. Select the cert with the biggest size or the size that is close to it. The bigger the size -- the bigger are the chances that it contains all the proper parts. Use this cert in cp -rf again:
# cp -rf /usr/local/psa/var/certificates/cert-new_obe /usr/local/psa/var/certificates/cert-Yfl6ly
This should resolve this new issue.