Applicable to:
- Plesk Onyx for Linux
Symptoms
- Debian or Ubuntu is used on the server
- The Let's Encrypt keep-secured task logs the following errors to /var/log/plesk/panel.log:
ERR [1] PHP Warning: file_put_contents(): Filename cannot be empty; File: /opt/psa/admin/plib/modules/letsencrypt/library/Acme/Certificate.php, Line: 44
ERR [1] PHP Warning: unlink(): No such file or directory; File: /opt/psa/admin/plib/modules/letsencrypt/library/Acme/Certificate.php, Line: 55
- Aliases are not present in the resulting certificate, or the certificate is not updated:
# echo 'Q' | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -text | grep -E 'DNS:|Not After'
Not After : Jan 1 13:37:00 2018 GMT
DNS:example.com
- The pam_tmpdir.so PAM module is enabled on the server:
# grep -r pam_tmpdir.so /etc/pam.d/
/etc/pam.d/common-session:session optional pam_tmpdir.so
/etc/pam.d/common-session-noninteractive:session optional pam_tmpdir.so
- If Plesk debug logging is enabled, the following stack trace is returned:
[extension/letsencrypt] Issue certificate for domains: example.com, www.example.com, alias.example.com, www.alias.example.com
<...>
PHP Warning: file_put_contents(): Filename cannot be empty; File: /opt/psa/admin/plib/modules/letsencrypt/library/Acme/Certificate.php, Line: 44
Exception: PHP Warning: file_put_contents(): Filename cannot be empty; File: /opt/psa/admin/plib/modules/letsencrypt/library/Acme/Certificate.php, Line: 44
file: /opt/psa/admin/plib/Smb/Exception/Syntax.php
line: 56
code: 0
trace: #0 (0): Smb_Exception_Syntax::handleError(integer '2', string 'file_put_contents(): Filename cannot be empty', string '/opt/psa/admin/plib/modules/letsencrypt/library/Acme/Certificate.php', integer '44', array)
#1 /opt/psa/admin/plib/modules/letsencrypt/library/Acme/Certificate.php(44): file_put_contents(string '', string '[ req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @san
[ san ]
DNS.1 = example.com
DNS.2 = www.example.com
DNS.3 = alias.example.com
DNS.4 = www.alias.example.com
')
#2 /opt/psa/admin/plib/modules/letsencrypt/library/Acme/V1/CertificateFactory.php(42): PleskExt\Letsencrypt\Acme\Certificate->createRequest(resource, string 'example.com', array, array)
#3 /opt/psa/admin/plib/modules/letsencrypt/library/AbstractAcmeCertOrderContext.php(131): PleskExt\Letsencrypt\Acme\V1\CertificateFactory->getCertificate(string 'example.com', array)
#4 /opt/psa/admin/plib/modules/letsencrypt/library/Acme.php(309): PleskExt\Letsencrypt\AbstractAcmeCertOrderContext->issueCertificate(string 'example.com', array, object of type PleskExt\Letsencrypt\CertificateIssuance\IssueCertOutput)
#5 /opt/psa/admin/plib/modules/letsencrypt/library/Acme.php(476): PleskExt\Letsencrypt\Acme->provideCertificate(array, object of type PleskExt\Letsencrypt\AcmeV1CertOrderContext, object of type PleskExt\Letsencrypt\ChallengeFailed\SkipChallengeFailedStrategy, object of type PleskExt\Letsencrypt\CertificateIssuance\CertSubjectsValidatorRequireAll)
#6 /opt/psa/admin/plib/modules/letsencrypt/library/SecureDomain/SecureDomainService.php(249): PleskExt\Letsencrypt\Acme->secureDomainAutomatically(string 'user@example.com', object of type PleskExt\Letsencrypt\Bridge\Domain, array, object of type PleskExt\Letsencrypt\CertificateIssuance\CertSubjectsValidatorRequireAll, boolean true, boolean false, booleanfalse, boolean false)
#7 /opt/psa/admin/plib/modules/letsencrypt/library/SecureDomain/SecureDomainService.php(65): PleskExt\Letsencrypt\SecureDomain\SecureDomainService->keepDomainSecured(object of type PleskExt\Letsencrypt\Bridge\Domain, object of type PleskExt\Letsencrypt\SecureDomain\CertificateValidator, object of type PleskExt\Letsencrypt\Bridge\CertificateManipulator, object of type PleskExt\Letsencrypt\KeepSecured\KeepSecuredNotifier)
#8 /opt/psa/admin/plib/modules/letsencrypt/library/KeepSecured/KeepSecuredService.php(172): PleskExt\Letsencrypt\SecureDomain\SecureDomainService->keepDomainsSecured(object of type PleskExt\Letsencrypt\SecureDomain\CertificateValidator, object of type PleskExt\Letsencrypt\Bridge\CertificateManipulator, object of type PleskExt\Letsencrypt\KeepSecured\KeepSecuredNotifier)
#9 /opt/psa/admin/plib/modules/letsencrypt/library/KeepSecured/KeepSecuredService.php(100): PleskExt\Letsencrypt\KeepSecured\KeepSecuredService->keepDomainsSecured(object of type PleskExt\Letsencrypt\KeepSecured\KeepSecuredNotifier)
#10 /opt/psa/admin/plib/modules/letsencrypt/scripts/keep-secured.php(19): PleskExt\Letsencrypt\KeepSecured\KeepSecuredService->keepAllSecured()
Cause
Let's Encrypt extension bug with ID #EXTLETSENC-611.
Resolution
As a workaround, the pam_tmpdir.so module should be disabled:
- Connect to the server via SSH
- Delete the package providing this module:
# apt purge libpam-tmpdir
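The symptom checks from this article can be scripted to confirm the diagnosis before the workaround and to verify the reissued certificate afterwards. This is an added example, not part of the original article or Plesk's code; the function names are hypothetical and the sample certificate dump is constructed from the article's example.com output.

```shell
#!/bin/sh
# Added example (not Plesk code): checks for the symptoms listed in this article.

# Print each expected hostname that is absent from the SAN list of a
# certificate dump (`openssl x509 -noout -text` output on stdin).
missing_sans() {
    sans=$(grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://')
    for name in "$@"; do
        printf '%s\n' "$sans" | grep -qxF -- "$name" || printf '%s\n' "$name"
    done
}

# Succeed if an uncommented line under PAM directory $1 loads pam_tmpdir.so.
# Unlike a plain `grep -r`, commented-out entries do not count.
pam_tmpdir_active() {
    grep -rhE '^[[:space:]]*[^#[:space:]].*pam_tmpdir\.so' "$1" >/dev/null 2>&1
}

# Count the file_put_contents() warnings from Acme/Certificate.php in log $1.
count_acme_warnings() {
    grep -cF 'file_put_contents(): Filename cannot be empty; File: /opt/psa/admin/plib/modules/letsencrypt/library/Acme/Certificate.php' "$1" || true
}

# Constructed sample: a certificate dump that lists only the main domain,
# as in the article. Prints the names the certificate is missing.
sample_cert='        Not After : Jan  1 13:37:00 2018 GMT
            DNS:example.com'
printf '%s\n' "$sample_cert" |
    missing_sans example.com www.example.com alias.example.com www.alias.example.com

# On the server, feed the live certificate and the real paths instead:
#   echo Q | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null |
#       openssl x509 -noout -text | missing_sans example.com www.example.com
#   pam_tmpdir_active /etc/pam.d && echo "pam_tmpdir.so is enabled"
#   count_acme_warnings /var/log/plesk/panel.log
```

An empty result from `missing_sans` after the next keep-secured run means every listed alias made it into the certificate.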