Unable to allocate IP address for certificate, disabling SSL.

I have that situation of "Unable to allocate IP address for certificate, disabling SSL. Allocate more IP addresses to this server then try to enable SSL again."

I try to allocate the same certificate to another site because this is a wildcard certificate (*.example.org). It should not ask me another IP.

This is on an AegirVPS 2.0~rc5.1

Internal reference number redmine # 12579.

$ dpkg -l |grep -i aegir
rc  aegir-hostmaster                 1.10+246.efcd0a3
rc  aegir-hostmaster2                2.0~rc4
rc  aegir-provision                  1.10+246.efcd0a3
rc  aegir-provision2                 2.0~rc4
ii  aegir2                           2.0~rc5.1
ii  aegir2-hostmaster                2.0~rc5.1
ii  aegir2-provision                 2.0~rc5.1

When I check the file "~/hostmaster-6.x-2.0-rc5.1/profiles/hostmaster/modules/hosting/server/hosting.ip.inc", at line 26 in function hosting_ip_save, I see "is_array" instead of "isset" as in the patch http://drupalcode.org/project/hosting.git/commit/ad2fd22 from ergonlogic.

$ips = is_array($node->ip_addresses) ? $node->ip_addresses : array();

I looked on my own aegir installation, same version hostmaster-6.x-2.0-rc5.1, and I also see "is_array" instead of "isset".

The commit ad2fd22 was done on 19 Jun 2013.
The version 6.x-2.0-rc5 was released on 2013-Oct-17.

Why is this commit not in the actual file hosting.ip.inc ?

I tried this without any good success on assigning the same certificate to two sites:

-  $ips = is_array($node->new_ip_addresses) ? $node->new_ip_addresses : array();
+  $ips = isset($node->new_ip_addresses) ? $node->new_ip_addresses : array();

This code was significantly refactored since ad2fd22, the whole SSL and IP allocation code was redone and merged into rc5. See, for example, #2085077: Invalid argument supplied for foreach() hosting.ip.inc:39 and #1968226: manage each IP individually on the server level.

I am not sure this issue is related to the original report by ergonlogic, so I wouldn't assume the fix is related to using is_array() or isset().

Furthermore, looking at the issue in our private tracker (redmine # 12579), I can see that both sites are working with SSL.

I conclude this is not a bug with Aegir and that the error is actually a proper error, as in the user trying to create a new certificate without any IP left.

If there's a bug, however, it may be that older certificates are not removed, see #2159265: SSL certificate not deleted for that.

We found a work around for resolving this issue when using the same SSL cert on multiple sites (wildcard)

Create a site with SSL enabled (make sure you have the receipts directory setup ahead of time), and generate new SSL certs. Replace the generated certs (openssl_chain.crt openssl.crt openssl.key) with the commercial certs renamed the same way, the chain is a important addition.

Find the cid reference in the hosting_ssl_certs table of the hostmaster database. Then in host_ssl_site just change the values associated with the nid of the site, typically the last site you created, and change the ssl_enabled value to 1 (enabled) or 2 (required) and change the ssl_key value to "3" to match the cid of the hosting_ssl_certs table.

Verify the site again, the UI will show the changes and after the site verifies you now have a site with the wildcard cert and no IP Error.

This holds up through platform migrations and since it is in the database it appears to hold between Aegir updates and if reflected in the UI properly. We create/disable the first site for the certs so that the reference is consistent.

Note: this is a work around, not a solution.

Is there any useful solution to this problem in the 6.x-2.x branch?
I'm using a wildcard certificate for multiple Sites on one Server with one IP address. Right now I'm living with the workaround mentioned in #7 by modifying the aegir database and enabling the certificates for the sites manually.

The solution withstands also a "verify" task by aegir but fails if any of the sites using the key is deleted or cloned. After that, all the sites show "(key deleted)" in site-overview and the certificate entry is removed from the hosting_ssl_certs table.

edit: after testing for quite some time now i also found the only suitable solution is to add more IPs (the same IP multiple times) to the server node. So far, it also works fine to add a huge amount of IPs (80 in my case) directly in the database table hosting_ip_addresses.

@crash98: I'm in the same boat. Just created: #2569987: Provide an option to disable SSL IP allocation check: "Unable to allocate IP address for certificate"