
Wordpress nginx error with letsencrypt

Discussion in 'Blogs & CMS usage' started by aaran p, Dec 2, 2016.

  1. aaran p

    aaran p New Member

    20
    8
    3
    Nov 24, 2016
    Ratings:
    +8
    Local Time:
    11:10 AM
    Hi,

    So I used option 22 and then issued a staging SSL via Let's Encrypt; all went well. I then used acmetool.sh to reissue a live SSL and now nginx refuses to start. Here is the error log I get.

    Code:
    Restarting nginx (via systemctl):  Job for nginx.service failed because the control process exited with error code. See "systemctl status nginx.service" and "journalctl -xe" for details.
                                                               [FAILED]
    [root@server-ks01 addons]# systemctl status nginx.service -l
    ● nginx.service - SYSV: Nginx is an HTTP(S) server, HTTP(S) reverse proxy and IMAP/POP3 proxy server
       Loaded: loaded (/etc/rc.d/init.d/nginx)
       Active: failed (Result: exit-code) since Fri 2016-12-02 02:22:50 UTC; 2min 36s ago
         Docs: man:systemd-sysv-generator(8)
      Process: 1110 ExecStop=/etc/rc.d/init.d/nginx stop (code=exited, status=0/SUCCESS)
      Process: 1077 ExecReload=/etc/rc.d/init.d/nginx reload (code=exited, status=1/FAILURE)
      Process: 1119 ExecStart=/etc/rc.d/init.d/nginx start (code=exited, status=1/FAILURE)
     Main PID: 30647 (code=exited, status=0/SUCCESS)
    
    Dec 02 02:22:50 server-ks01.aprepair.co.uk systemd[1]: Starting SYSV: Nginx is an HTTP(S) server, HTTP(S) reverse proxy and IMAP/POP3 proxy server...
    Dec 02 02:22:50 server-ks01.aprepair.co.uk nginx[1119]: Starting nginx: nginx: [emerg] SSL_CTX_load_verify_locations("/usr/local/nginx/conf/ssl/piohost.co.uk/piohost.co.uk-trusted.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/usr/local/nginx/conf/ssl/piohost.co.uk/piohost.co.uk-trusted.crt','r') error:2006D080:BIO routines:BIO_new_file:no such file error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib)
    Dec 02 02:22:50 server-ks01.aprepair.co.uk nginx[1119]: [FAILED]
    Dec 02 02:22:50 server-ks01.aprepair.co.uk systemd[1]: nginx.service: control process exited, code=exited status=1
    Dec 02 02:22:50 server-ks01.aprepair.co.uk systemd[1]: Failed to start SYSV: Nginx is an HTTP(S) server, HTTP(S) reverse proxy and IMAP/POP3 proxy server.
    Dec 02 02:22:50 server-ks01.aprepair.co.uk systemd[1]: Unit nginx.service entered failed state.
    Dec 02 02:22:50 server-ks01.aprepair.co.uk systemd[1]: nginx.service failed.
    
    
     
  2. eva2000

    eva2000 Administrator Staff Member

    30,961
    6,918
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,420
    Local Time:
    9:10 PM
    Nginx 1.13.x
    MariaDB 5.5
    What's the output of
    Code (Text):
    nginx -t


    When you create a new nginx vhost domain via centmin.sh menu option 2 or menu option 22 or via /usr/bin/nv cli command line, you will create the Nginx vhost files and directories. You will get the path location outputted where it will create the domain name's vhost conf file named newdomain.com.conf (and newdomain.com.ssl.conf if you selected yes to self signed SSL)
    • Nginx vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.conf
    • Nginx HTTP/2 SSL vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf
    • Nginx Self-Signed SSL Certificate Directory at /usr/local/nginx/conf/ssl/newdomain.com
    • Vhost public web root will be at /home/nginx/domains/newdomain.com/public
    • Vhost log directory will be at /home/nginx/domains/newdomain.com/log
    Please post the contents of /usr/local/nginx/conf/conf.d/newdomain.com.conf and if applicable /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf wrapped in CODE tags (outlined at How to use forum BBCODE code tags)

    How was the initial letsencrypt ssl certificate obtained ? Which method ?
    • Was the domain nginx vhost already created prior or new domain nginx vhost site setup for first time ?
    • Via centmin.sh menu option 2, 22, /usr/bin/nv ?
    • If you ran centmin.sh menu option 2 or 22, which letsencrypt option did you select from
      Code (Text):
      -------------------------------------------------------------
      Setup full Nginx vhost + Wordpress + WP Plugins
      -------------------------------------------------------------
      
      Enter vhost domain name you want to add (without www. prefix): acme3.domain1.com
      
      Create a self-signed SSL certificate Nginx vhost? [y/n]: n
      Get Letsencrypt SSL certificate Nginx vhost? [y/n]: y
      
      You have 4 options:
      1. issue staging test cert with HTTP + HTTPS
      2. issue staging test cert with HTTPS default
      3. issue live cert with HTTP + HTTPS
      4. issue live cert with HTTPS default
      Enter option number 1-4: 1
      
    • Via addons/acmetool.sh ? which specific command ? examples
      Code (Text):
      ./acmetool.sh issue acme.domain.com
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com live
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com d
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com lived
      
    • What was order of steps you did ? Did you run centmin.sh menu option 2 first with letsencrypt ? Then did you run addons/acmetool.sh afterwards ?

    Troubleshooting



    There are various steps you can do to troubleshoot failed letsencrypt issuances, renews, reissues etc.
    • acmetool.sh logs all command line or shell menu runs to log files at /root/centminlogs. To troubleshoot, copy the contents of the log run and post contents of log to pastebin.com or gist.github.com and share link in this thread. To find the log list the logs in ascending date order
      Code (Text):
      ls -lahrt /root/centminlogs
    • For direct acmetool.sh runs, there should be a 2nd & 3rd & 4th log in format /root/centminlogs/centminmod_${DT}_nginx_addvhost_nv.log and /root/centminlogs/acmetool.sh-debug-log-$DT.log and /root/centminlogs/acmesh-issue_*.log or /root/centminlogs/acmesh-reissue_*.log which would need to be included via separate pastebin.com or gist.github.com post.
    • Enable acmetool.sh debug mode. In persistent config file at /etc/centminmod/custom_config.inc (create it if doesn't exist) add and enable acmetool.sh debug mode which gives much more verbose letsencrypt issuance process information when you re-run acmetool.sh or centmin.sh menu options 2, 22 or /usr/bin/nv command lines.
      Code (Text):
      ACMEDEBUG='y'
    Without the answers to above questions and logs, there is nothing to help troubleshoot.

    Looks like it fell back to self-signed ssl as letsencrypt failed to verify domain for some reason. Above asked info will help.
     
  3. aaran p

    Results of nginx -t

    Code:
    nginx: [emerg] SSL_CTX_load_verify_locations("/usr/local/nginx/conf/ssl/piohost.co.uk/piohost.co.uk-trusted.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/usr/local/nginx/conf/ssl/piohost.co.uk/piohost.co.uk-trusted.crt','r') error:2006D080:BIO routines:BIO_new_file:no such file error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib)
    nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
    
    There is no piohost.co.uk.conf

    contents of piohost.co.uk.ssl.conf
    Code:
    
    #x# HTTPS-DEFAULT
     server {
       
       server_name piohost.co.uk www.piohost.co.uk;
       return 302 https://$server_name$request_uri;
       include /usr/local/nginx/conf/staticfiles.conf;
     }
    
    server {
      listen 443 ssl http2;
      server_name piohost.co.uk www.piohost.co.uk;
    
      ssl_dhparam /usr/local/nginx/conf/ssl/piohost.co.uk/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/piohost.co.uk/piohost.co.uk.crt;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/piohost.co.uk/piohost.co.uk.key;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # mozilla recommended
      ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+SHA384:EECDH+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
     
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/piohost.co.uk/piohost.co.uk-trusted.crt;  
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/piohost.co.uk/log/access.log main_ext buffer=256k flush=60m;
      error_log /home/nginx/domains/piohost.co.uk/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/piohost.co.uk/autoprotect-piohost.co.uk.conf;
      root /home/nginx/domains/piohost.co.uk/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      include /usr/local/nginx/conf/wpincludes/piohost.co.uk/wpcacheenabler_piohost.co.uk.conf;
      #include /usr/local/nginx/conf/wpincludes/piohost.co.uk/wpsupercache_piohost.co.uk.conf;
      # https://community.centminmod.com/posts/18828/
      #include /usr/local/nginx/conf/wpincludes/piohost.co.uk/rediscache_piohost.co.uk.conf;  
    
      location / {
      include /usr/local/nginx/conf/503include-only.conf;
     
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # for wordpress super cache plugin
      #try_files /wp-content/cache/supercache/$http_host/$cache_uri/index.html $uri $uri/ /index.php?q=$uri&$args;
    
      # for wp cache enabler plugin
      try_files $cache_enabler_uri $uri $uri/ $custom_subdir/index.php?$args;  
    
      # Wordpress Permalinks
      #try_files $uri $uri/ /index.php?q=$uri&$args; 
    
      # Nginx level redis Wordpress
      # https://community.centminmod.com/posts/18828/
      #try_files $uri $uri/ /index.php?$args;
    
      }
    
    location ~* /(wp-login\.php) {
        limit_req zone=xwplogin burst=1 nodelay;
        #limit_conn xwpconlimit 30;
        auth_basic "Private";
        auth_basic_user_file /home/nginx/domains/piohost.co.uk/htpasswd_wplogin;    
        include /usr/local/nginx/conf/php-wpsc.conf;
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
    location ~* /(xmlrpc\.php) {
        limit_req zone=xwprpc burst=45 nodelay;
        #limit_conn xwpconlimit 30;
        include /usr/local/nginx/conf/php-wpsc.conf;
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
      include /usr/local/nginx/conf/wpincludes/piohost.co.uk/wpsecure_piohost.co.uk.conf;
      include /usr/local/nginx/conf/php-wpsc.conf;
      # https://community.centminmod.com/posts/18828/
      #include /usr/local/nginx/conf/php-rediscache.conf;
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    
    The install was done via option 22

    Then I used letsencrypt option
    2. issue staging test cert with HTTPS default

    Then when I reissued the live cert I did

    acmetool.sh reissue piohost.co.uk live
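
A pre-restart check for the failure shown in this thread, where the vhost's `ssl_trusted_certificate` names a file that does not exist (added example, not part of the original posts and not Centmin Mod code). It assumes absolute, unquoted paths as in the conf above; the function names and the demo vhost are constructed.

```shell
#!/bin/sh
# Added example: list files named by nginx SSL directives in a vhost conf
# that are absent (or empty) on disk, so the problem is caught before restart.
# Assumption: paths are absolute and unquoted, one directive per line.

# missing_ssl_files CONF
# Prints "directive path" for each uncommented ssl_certificate,
# ssl_certificate_key, ssl_trusted_certificate or ssl_dhparam whose file is
# missing or zero bytes. Returns 0 if all exist, 1 if any are missing,
# 2 if CONF cannot be read.
missing_ssl_files() {
  conf=$1
  [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
  # Drop comments first so disabled directives are not reported.
  missing=$(sed 's/#.*//' "$conf" | awk '
    $1 ~ /^ssl_(certificate|certificate_key|trusted_certificate|dhparam)$/ {
      path = $2; sub(/;$/, "", path); print $1, path
    }' | while read -r directive path; do
      [ -s "$path" ] || echo "$directive $path"
    done)
  [ -z "$missing" ] && return 0
  printf '%s\n' "$missing"
  return 1
}

# Constructed demo: a vhost whose -trusted.crt was never written.
demo() {
  d=$(mktemp -d) || return 2
  echo cert > "$d/example.crt"; echo key > "$d/example.key"
  cat > "$d/example.ssl.conf" <<EOF
server {
  ssl_certificate      $d/example.crt;
  ssl_certificate_key  $d/example.key;
  #ssl_dhparam $d/dhparam.pem;
  ssl_stapling_verify on;
  ssl_trusted_certificate $d/example-trusted.crt;
}
EOF
  rc=0
  missing_ssl_files "$d/example.ssl.conf" || rc=$?
  rm -rf "$d"
  return $rc
}

demo || echo "nginx -t would fail: fix the paths listed above before restarting"
```

Run it as root against each file in /usr/local/nginx/conf/conf.d/ before restarting nginx; `nginx -t` remains the authoritative test.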
     
  4. eva2000

  5. aaran p

    Another error and nginx won't start. I updated to the new branch and ran the command as you said, but I still get the following:

    Code:
    Dec 02 11:50:58 server-ks01.aprepair.co.uk systemd[1]: Starting SYSV: Nginx is an HTTP(S) server, HTTP(S) reverse proxy and IMAP/POP3 proxy server...
    Dec 02 11:50:58 server-ks01.aprepair.co.uk nginx[21847]: Starting nginx: nginx: [emerg] SSL_CTX_load_verify_locations("/usr/local/nginx/conf/ssl/piohost.co.uk/piohost.co.uk-trusted.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/usr/local/nginx/conf/ssl/piohost.co.uk/piohost.co.uk-trusted.crt','r') error:2006D080:BIO routines:BIO_new_file:no such file error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib)
    Dec 02 11:50:58 server-ks01.aprepair.co.uk nginx[21847]: [FAILED]
    Dec 02 11:50:58 server-ks01.aprepair.co.uk systemd[1]: nginx.service: control process exited, code=exited status=1
    Dec 02 11:50:58 server-ks01.aprepair.co.uk systemd[1]: Failed to start SYSV: Nginx is an HTTP(S) server, HTTP(S) reverse proxy and IMAP/POP3 proxy server.
    Dec 02 11:50:58 server-ks01.aprepair.co.uk systemd[1]: Unit nginx.service entered failed state.
    Dec 02 11:50:58 server-ks01.aprepair.co.uk systemd[1]: nginx.service failed.
    
     
  6. eva2000

    contents of piohost.co.uk.ssl.conf ?
     
  7. eva2000

    also

    There are various steps you can do to troubleshoot failed letsencrypt issuances, renews, reissues etc.
    • acmetool.sh logs all command line or shell menu runs to log files at /root/centminlogs. To troubleshoot, copy the contents of the log run and post contents of log to pastebin.com or gist.github.com and share link in this thread. To find the log list the logs in ascending date order
      Code (Text):
      ls -lahrt /root/centminlogs
    • For direct acmetool.sh runs, there should be a 2nd & 3rd & 4th log in format /root/centminlogs/centminmod_${DT}_nginx_addvhost_nv.log and /root/centminlogs/acmetool.sh-debug-log-$DT.log and /root/centminlogs/acmesh-issue_*.log or /root/centminlogs/acmesh-reissue_*.log which would need to be included via separate pastebin.com or gist.github.com post.
    • Enable acmetool.sh debug mode. In persistent config file at /etc/centminmod/custom_config.inc (create it if doesn't exist) add and enable acmetool.sh debug mode which gives much more verbose letsencrypt issuance process information when you re-run acmetool.sh or centmin.sh menu options 2, 22 or /usr/bin/nv command lines.
      Code (Text):
      ACMEDEBUG='y'