I'm running BOA-2.0.9.

When I verify an SSL site, the IP written in the vhost nginx conf is the same for all my sites, even though it looks like the configuration is correct.

o2@aegir:~/.drush/provision/Provision$ drush sa @my.site
$aliases['my.site'] = array (
  'context_type' => 'site',
  'platform' => '@platform_odense7226',
  'server' => '@server_master',
  'db_server' => '@server_localhost',
...SNIP...
  'ssl_enabled' => '1',
  'ssl_key' => 'my.site',
  'ip_address' => '10.0.0.6',
  'loaded-config' => true,
);

And in the database I have checked the foreign key relations:

SELECT n.title, i.ip_address, c.ssl_key FROM `hosting_ssl_cert_ips` hi inner join hosting_ssl_cert c on c.cid = hi.cid inner join hosting_ip_addresses i on hi.ip_address = i.id inner join node n on n.nid = i.nid
aegir 	10.0.0.6 	my.site

Interestingly, I actually had to change a column index on hosting_ip_addresses.nid from unique to non_unique in order to assign more than one ip to my server.
Even though I could not find anything in the code that might have set a unique constraint on that column.

Comments

RunePhilosof

Title: Same ip address is used for all servers » Same ip address is used for all sites
RunePhilosof

Title: Same ip address is used for all sites » Same ip address is used for all ssl sites
omega8cc

Status: Active » Closed (works as designed)

IP addresses are no longer associated with sites as it was in Aegir 1.0 - see #1126640: move the SSL IP allocation to the frontend. Also, there is nothing BOA specific here. This is how it works in Aegir 2.x. If you believe that there is some bug here, please submit it in the upstream (Aegir) queue.

Note that you can also test Aegir 2.x vanilla (instead of BOA Aegir fork) with proper install or upgrade arguments, as explained in the docs/INSTALL.txt and docs/UPGRADE.txt

Finally, Aegir built-in SSL feature is not officially supported and not recommended in BOA (yet), as explained in the docs/SSL.txt

RunePhilosof

Status: Fixed » Closed (works as designed)

I see, my SQL should have looked like

SELECT n.title as server_name, i.ip_address, c.ssl_key, n2.title as site_name
FROM `hosting_ssl_cert_ips` hi
inner join hosting_ssl_cert c on c.cid = hi.cid
inner join hosting_ip_addresses i on hi.ip_address = i.id
inner join node n on n.nid = i.nid
inner join hosting_ssl_site s on s.ssl_key = c.cid
inner join node n2 on n2.nid = s.nid

However, it is still the same result.
The site is connected to a certificate that has an ip but another ip is written to the nginx vhost config.

But that is of course irrelevant when you say that Aegir's built-in SSL handling isn't supported in a Barracuda setup.

I had read the docs/SSL.txt and decided not to use it because I didn't like adding another layer of proxying.
I read the SSL.txt as a suggestion for a quick and simple solution if I didn't want to use the aegir builtin way of doing it.
I didn't realize that you recommended not using aegir's.

Could you explain why aegir's builtin ssl handling isn't recommended?
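
The mismatch described in the comment above (the certificate is tied to one IP while a different IP is written to the nginx vhost) can be checked mechanically. This is an added example, not code from the thread or from Aegir/BOA: the site names other than my.site, the addresses other than 10.0.0.6 and the vhost text are constructed, and it assumes each vhost uses a standard nginx `listen <ip>:443` directive.

```python
import re
from collections import defaultdict

# Constructed sample data, not taken from the thread. EXPECTED stands in for
# the site -> IP rows of the join query; VHOSTS for generated vhost files.
EXPECTED = {"my.site": "10.0.0.6", "other.site": "10.0.0.7", "ok.site": "10.0.0.8"}

def _vhost(name, listen):
    return f"server {{\n  listen {listen} ssl;\n  server_name {name};\n}}\n"

VHOSTS = {
    "my.site": _vhost("my.site", "10.0.0.5:443"),        # wrong IP
    "other.site": _vhost("other.site", "10.0.0.5:443"),  # same wrong IP
    "ok.site": _vhost("ok.site", "10.0.0.8:443"),
}

# A listen directive at the start of a line; commented-out lines do not match.
LISTEN_RE = re.compile(r"^[ \t]*listen\s+([^;]+);", re.MULTILINE)

def ssl_listen_ips(vhost_text):
    """Return the addresses one vhost binds on port 443 ('*' for a bare port)."""
    ips = set()
    for args in LISTEN_RE.findall(vhost_text):
        addr = args.split()[0]
        host, sep, port = addr.rpartition(":")
        if sep and port == "443":
            ips.add(host)
        elif addr == "443":
            ips.add("*")
    return ips

def find_mismatches(expected, vhosts):
    """Map site -> (expected IP, IPs found) where the vhost binds anything else."""
    bad = {}
    for site, ip in expected.items():
        found = ssl_listen_ips(vhosts.get(site, ""))
        if found != {ip}:
            bad[site] = (ip, sorted(found))
    return bad

def shared_ips(vhosts):
    """Map IP -> sites for every port-443 address used by more than one vhost."""
    users = defaultdict(list)
    for site, text in vhosts.items():
        for ip in ssl_listen_ips(text):
            users[ip].append(site)
    return {ip: sorted(s) for ip, s in users.items() if len(s) > 1}

if __name__ == "__main__":
    print(find_mismatches(EXPECTED, VHOSTS))
    print(shared_ips(VHOSTS))
```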

RunePhilosof

Status: Closed (works as designed) » Fixed

I can see you have just committed a fix from ergonlogic to my exact problem:
https://github.com/omega8cc/provision/commit/449a5abe8ed23f772d50f37f34d...

I will test it out.

RunePhilosof

Status: Fixed » Active

Nopes. That didn't fix it.

I have debugged it and found that the ip_address should be set in class Provision_Service_http_ssl
either in the function config_data() or in get_certificates().

RunePhilosof

Status: Active » Fixed

Whoops. Apparently I didn't patch it properly, since that is the exact spot that the commit fixed.

omega8cc

Status: Closed (works as designed) » Fixed

Yep. As you can see, this feature, even after complete rewrite, is still seriously buggy.

Also, we don't use it for yet another, unrelated reason - we don't do SSL termination on the same systems - it is often on a different machine, so the built-in SSL feature is not something we could test and use in production. We are happy to support it in BOA officially, once it is stable enough.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

Anonymous

Issue summary: View changes

Double text removed