Articles in this section

See more

Let's Encrypt fails to update certificates, or add aliases to SAN: file_put_contents(): Filename cannot be empty

Avatar
Alexandr Bashurov
Updated
Follow

Applicable to:

  • Plesk Onyx for Linux

Symptoms

  • Debian, or Ubuntu is used on the server

  • Let's Encrypt keep-secured task logs the following error to the /var/log/plesk/panel.log:

    CONFIG_TEXT: ERR [1] PHP Warning: file_put_contents(): Filename cannot be empty; File: /opt/psa/admin/plib/modules/letsencrypt/library/Acme/Certificate.php, Line: 44

    ERR [1] PHP Warning: unlink(): No such file or directory; File: /opt/psa/admin/plib/modules/letsencrypt/library/Acme/Certificate.php, Line: 55

  • Aliases are not present in the resulting certificate, or the certificate is not updated:

    # echo 'Q' | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -text | grep -E 'DNS:|Not After'
    Not After : Jan 1 13:37:00 2018 GMT
    DNS:example.com

  • pam_tmpdir.so PAM module is enabled on the server:

    # grep -r pam_tmpdir.so /etc/pam.d/
    /etc/pam.d/common-session:session optional pam_tmpdir.so
    /etc/pam.d/common-session-noninteractive:session optional pam_tmpdir.so

  • If Plesk debug logging is enabled, the following stack trace is returned:

    CONFIG_TEXT: [extension/letsencrypt] Issue certificate for domains: example.com, www.example.com, alias.example.com, www.alias.example.com
    <...>
    PHP Warning: file_put_contents(): Filename cannot be empty; File: /opt/psa/admin/plib/modules/letsencrypt/library/Acme/Certificate.php, Line: 44

    Exception: PHP Warning: file_put_contents(): Filename cannot be empty; File: /opt/psa/admin/plib/modules/letsencrypt/library/Acme/Certificate.php, Line: 44

    file: /opt/psa/admin/plib/Smb/Exception/Syntax.php
    line: 56
    code: 0
    trace: #0 (0): Smb_Exception_Syntax::handleError(integer '2', string 'file_put_contents(): Filename cannot be empty', string '/opt/psa/admin/plib/modules/letsencrypt/library/Acme/Certificate.php', integer '44', array)
    #1 /opt/psa/admin/plib/modules/letsencrypt/library/Acme/Certificate.php(44): file_put_contents(string '', string '[ req]
    distinguished_name = req_distinguished_name
    req_extensions = v3_req

    [ req_distinguished_name ]

    [ v3_req ]
    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    subjectAltName = @san

    [ san ]
    DNS.1 = example.com
    DNS.2 = www.example.com
    DNS.3 = alias.example.com
    DNS.4 = www.alias.example.com
    ')
    #2 /opt/psa/admin/plib/modules/letsencrypt/library/Acme/V1/CertificateFactory.php(42): PleskExt\Letsencrypt\Acme\Certificate->createRequest(resource, string 'example.com', array, array)
    #3 /opt/psa/admin/plib/modules/letsencrypt/library/AbstractAcmeCertOrderContext.php(131): PleskExt\Letsencrypt\Acme\V1\CertificateFactory->getCertificate(string 'example.com', array)
    #4 /opt/psa/admin/plib/modules/letsencrypt/library/Acme.php(309): PleskExt\Letsencrypt\AbstractAcmeCertOrderContext->issueCertificate(string 'example.com', array, object of type PleskExt\Letsencrypt\CertificateIssuance\IssueCertOutput)
    #5 /opt/psa/admin/plib/modules/letsencrypt/library/Acme.php(476): PleskExt\Letsencrypt\Acme->provideCertificate(array, object of type PleskExt\Letsencrypt\AcmeV1CertOrderContext, object of type PleskExt\Letsencrypt\ChallengeFailed\SkipChallengeFailedStrategy, object of type PleskExt\Letsencrypt\CertificateIssuance\CertSubjectsValidatorRequireAll)
    #6 /opt/psa/admin/plib/modules/letsencrypt/library/SecureDomain/SecureDomainService.php(249): PleskExt\Letsencrypt\Acme->secureDomainAutomatically(string 'user@example.com', object of type PleskExt\Letsencrypt\Bridge\Domain, array, object of type PleskExt\Letsencrypt\CertificateIssuance\CertSubjectsValidatorRequireAll, boolean true, boolean false, booleanfalse, boolean false)
    #7 /opt/psa/admin/plib/modules/letsencrypt/library/SecureDomain/SecureDomainService.php(65): PleskExt\Letsencrypt\SecureDomain\SecureDomainService->keepDomainSecured(object of type PleskExt\Letsencrypt\Bridge\Domain, object of type PleskExt\Letsencrypt\SecureDomain\CertificateValidator, object of type PleskExt\Letsencrypt\Bridge\CertificateManipulator, object of type PleskExt\Letsencrypt\KeepSecured\KeepSecuredNotifier)
    #8 /opt/psa/admin/plib/modules/letsencrypt/library/KeepSecured/KeepSecuredService.php(172): PleskExt\Letsencrypt\SecureDomain\SecureDomainService->keepDomainsSecured(object of type PleskExt\Letsencrypt\SecureDomain\CertificateValidator, object of type PleskExt\Letsencrypt\Bridge\CertificateManipulator, object of type PleskExt\Letsencrypt\KeepSecured\KeepSecuredNotifier)
    #9 /opt/psa/admin/plib/modules/letsencrypt/library/KeepSecured/KeepSecuredService.php(100): PleskExt\Letsencrypt\KeepSecured\KeepSecuredService->keepDomainsSecured(object of type PleskExt\Letsencrypt\KeepSecured\KeepSecuredNotifier)
    #10 /opt/psa/admin/plib/modules/letsencrypt/scripts/keep-secured.php(19): PleskExt\Letsencrypt\KeepSecured\KeepSecuredService->keepAllSecured()

Cause

Let's Encrypt extension bug with ID #EXTLETSENC-611.

Resolution

As a workaround, pam_tmpdir.so module should be disabled:

  1. Connect to the server via SSH

  2. Delete the package providing this module:

    # apt purge libpam-tmpdir

Comments

0 comments

Please sign in to leave a comment.

Have more questions? Submit a request

Related articles