Due to the way nginx configuration works, any failure in certificate generation can lead to massive breakage as nginx refuses to reload configuration globally if there are any missing certificate files.
So, the configuration generation must be careful to ensure certificates are in place BEFORE uploading SSL-enabled vhost configuration.
Comment | File | Size | Author |
---|---|---|---|
#5 | 2955062-nginx-safe-cert-copying_3.patch | 3.91 KB | bdragon |
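
A pre-flight check in the spirit of the issue summary above, as an added example that is not the attached patch or Aegir's own code: it reads the `ssl_certificate` and `ssl_certificate_key` paths from a candidate vhost and installs the file only if each one exists, is readable and is non-empty. The function names are hypothetical, and it assumes absolute paths with one directive per line.

```shell
#!/bin/sh
# Added example (not from the patch): gate an SSL vhost on its certificate files.
# Assumes absolute paths and one directive per line; function names are hypothetical.

# Print each file path named by ssl_certificate / ssl_certificate_key.
vhost_cert_paths() {
  awk '
    { sub(/#.*/, "") }                                   # ignore comments
    $1 == "ssl_certificate" || $1 == "ssl_certificate_key" {
      p = $2; gsub(/[";]/, "", p)                        # strip quotes and ";"
      if (p != "") print p
    }' "$1"
}

# Return 0 only if every referenced file exists, is readable and is non-empty.
# A vhost with no certificate directives passes, since nothing can be missing.
vhost_certs_ready() {
  _missing=0
  while IFS= read -r _path; do
    [ -n "$_path" ] || continue
    if [ ! -r "$_path" ] || [ ! -s "$_path" ]; then
      echo "missing, unreadable or empty: $_path" >&2
      _missing=1
    fi
  done <<EOF
$(vhost_cert_paths "$1")
EOF
  return "$_missing"
}

# Copy the candidate vhost over the live one only when its certificates are
# ready; otherwise leave the live file untouched so nginx can still reload.
install_vhost_if_safe() {
  if vhost_certs_ready "$1"; then
    cp "$1" "$2"
  else
    echo "refusing to install $1; keeping existing $2" >&2
    return 1
  fi
}
```

Running `nginx -t` after the copy and before the reload catches any remaining configuration error.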
Comments
Comment #2
bdragon CreditAttribution: bdragon at Tag1 Consulting for Advisor Websites commented
Here's a first stab at this. Will test it shortly to see if it works as intended.
Comment #3
bdragon CreditAttribution: bdragon at Tag1 Consulting for Advisor Websites commented
Fix typo.
Comment #4
bdragon CreditAttribution: bdragon at Tag1 Consulting for Advisor Websites commented
OK, after fixing that typo, I was unable to break it again.
Comment #5
bdragon CreditAttribution: bdragon at Tag1 Consulting for Advisor Websites commented
Forgot to convert the return value to a status check.
Comment #6
ergonlogic
We found ourselves in this situation after running a remote_import, but prior to DNS being cut over. So the LE script was triggering a challenge against the old IP, failing, then generating vhosts pointing to non-existent certs.
We had to manually edit the vhosts to comment out the SSL lines, so that NGINX would reload.
Comment #7
colan
Code looks good to me, and applied to one of my Dev servers without any problems. Will report back if anything strange comes up.
Comment #9
helmo CreditAttribution: helmo at Initfour websolutions for Aegir Cooperative commented
Committed, thanks.
Comment #11
Jon Pugh
I really wish this logic was applied to Apache at this time.
I did a lot of work on the apache side of this only just recently, caused a major regression in LetsEncrypt, despite being marked as RTBC. I wasn't even aware of this issue until just now, after debugging #3020747: Don't add SSL config to configuration files if the crt files aren't there/aren't readable. (especially redirects).
Please make sure to apply changes like this to both NGINX and Apache templates, and please don't forget Hosting SSL is still present, so it should receive these enhancements too.
Comment #12
Jon Pugh