Due to the way nginx configuration works, any failure in certificate generation can lead to massive breakage as nginx refuses to reload configuration globally if there are any missing certificate files.

So, the configuration generation must be careful to ensure certificates are in place BEFORE uploading ssl enabled vhost configuration.

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

bdragon created an issue. See original summary.

bdragon’s picture

Status: Active » Needs work
FileSize
3.88 KB

Here's a first stab at this. Will test it shortly to see if it works as intended.

bdragon’s picture

Fix typo.

bdragon’s picture

Status: Needs work » Needs review

OK, after fixing that typo, I was unable to break it again.

bdragon’s picture

FileSize
3.91 KB

Forgot to convert the return value to a status check.

ergonlogic’s picture

We found ourselves in this situation after running a remote_import, but prior to DNS being cut-over. So the LE script was triggering a challenge against the old IP, failing, then generating vhosts pointing to non-existent certs.

We had to manually edit the vhosts to comment-out the SSL lines, so that NGINX would reload.

colan’s picture

Status: Needs review » Reviewed & tested by the community

Code looks good to me, and applied to one of my Dev servers without any problems. Will report back if anything strange comes up.

  • helmo committed faa5b02 on 7.x-3.x authored by bdragon
    Issue #2955062 by bdragon: Do not let nginx configuration reference...
helmo’s picture

Status: Reviewed & tested by the community » Fixed

committed, thanks.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

Jon Pugh’s picture

I really wish this logic was applied to Apache at this time.

I did a lot of work on the apache side of this only just recently, caused a major regression in LetsEncrypt, despite being marked as RTBC. I wasn't even aware of this issue until just now, after debugging #3020747: Don't add SSL config to configuration files if the crt files aren't there/aren't readable. (especially redirects).

Please make sure to apply changes like this to both NGINX and Apache templates, and please don't forget Hosting SSL is still present, so it should receive these enhancements too.

Jon Pugh’s picture