I recently set up SSL certificates for a hosted site, in /data/disk/o1/config/ssl.d. I also created the file no-https-aegir.inc as my VPS only has one IP address and the auto-redirect was redirecting from o1 hostmaster to the SSL'ed site.
Following upgrade from BOA 2.0.7 to 2.0.9, nginx restart began failing with the error message:
nginx on server.mywebsite.co.uk could not be restarted. Changes might not be available until this has been done. (error: Reloading nginx configuration: nginx: [emerg] BIO_new_file("/data/disk/o1/config/server_master/ssl.d/mywebsite.co.uk/openssl.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/data/disk/o1/config/server_master/ssl.d/mywebsite.co.uk/openssl.crt','r') error:2006D080:BIO routines:BIO_new_file:no such file) nginx: configuration file /etc/nginx/nginx.conf test failed)
Using cp -pr to copy the SSL certificates folder from /data/disk/o1/config/ssl.d to /data/disk/o1/config/server_master/ssl.d resolved this issue, and allowed nginx to restart. However, every time a platform is verified, migrated etc., the new folder and its contents are deleted, and nginx promptly fails to restart. I've tried chmod to remove delete permissions, but that produces another error of the kind:
rmdir(/data/disk/o1/config/server_master/ssl.d///mywebsite.co.uk): Directory not empty FileSystem.php:104
Deleting /data/disk/o1/config/server_master/ssl.d///mywebsite.co.uk directory failed.
rmdir(/data/disk/o1/config/server_master/ssl.d//): Directory not empty FileSystem.php:104
Deleting /data/disk/o1/config/server_master/ssl.d// directory failed.
Advice welcome!
octopus_log.txt:
Wed Feb 6 07:51:02 GMT 2013 / Debian.squeeze i686 / Aegir BOA-2.0.5 / Octopus BOA-2.0.5 / FPM 5.3 / CLI 5.3
Thu Apr 4 01:29:52 BST 2013 / Debian.squeeze i686 / Aegir BOA-2.0.6 / Octopus BOA-2.0.6 / FPM 5.3 / CLI 5.3
Fri Apr 5 15:33:36 BST 2013 / Debian.squeeze i686 / Aegir BOA-2.0.7 / Octopus BOA-2.0.7 / FPM 5.3 / CLI 5.3
Mon May 13 18:45:32 BST 2013 / Debian.squeeze i686 / Aegir BOA-2.0.8 / Octopus BOA-2.0.9 / FPM 5.3 / CLI 5.3
Mon May 13 19:18:47 BST 2013 / Debian.squeeze i686 / Aegir BOA-2.0.8 / Octopus BOA-2.0.9 / FPM 5.3 / CLI 5.3
Mon May 13 21:13:19 BST 2013 / Debian.squeeze i686 / Aegir BOA-2.0.8 / Octopus BOA-2.0.9 / FPM 5.3 / CLI 5.3
barracuda_log.txt:
Wed Feb 6 07:31:44 GMT 2013 / Debian.squeeze i686 XEN / Aegir BOA-2.0.5 / Barracuda BOA-2.0.5 / Nginx 1.3.9 / PHP 5.2.17 and 5.3.20 / MODERN-YES / FPM 5.3 / CLI 5.3 / MariaDB-5.5.29 localhost / Wildcard YES
Wed Feb 27 03:16:51 GMT 2013 / Debian.squeeze i686 XEN / Aegir BOA-2.0.5 / Barracuda BOA-2.0.5 / Nginx 1.3.9 / PHP 5.2.17 and 5.3.20 / MODERN-YES / FPM 5.3 / CLI 5.3 / MariaDB-5.5.29 localhost / Wildcard YES
Wed Mar 13 17:58:28 GMT 2013 / Debian.squeeze i686 XEN / Aegir BOA-2.0.5 / Barracuda BOA-2.0.5 / Nginx 1.3.9 / PHP 5.2.17 and 5.3.20 / MODERN-YES / FPM 5.3 / CLI 5.3 / MariaDB-5.5.30 localhost / Wildcard YES
Thu Apr 4 00:26:34 BST 2013 / Debian.squeeze i686 XEN / Aegir BOA-2.0.6 / Barracuda BOA-2.0.6 / Nginx 1.3.15 / PHP 5.2.17 and 5.3.23 / MODERN-YES / FPM 5.3 / CLI 5.3 / MariaDB-5.5.30 localhost / Wildcard YES
Fri Apr 5 14:05:27 BST 2013 / Debian.squeeze i686 XEN / Aegir BOA-2.0.7 / Barracuda BOA-2.0.7 / Nginx 1.3.15 / PHP 5.2.17 and 5.3.23 / MODERN-YES / FPM 5.3 / CLI 5.3 / MariaDB-5.5.30 localhost / Wildcard YES
Mon May 13 18:07:49 BST 2013 / Debian.squeeze i686 XEN / Aegir BOA-2.0.8 / Barracuda BOA-2.0.9 / Nginx 1.5.0 / PHP 5.2.17 and 5.3.25 / MODERN-YES / FPM 5.3 / CLI 5.3 / MariaDB-5.5.30 localhost / Wildcard YES
.USER.octopus.cnf:
###
### Configuration created on 130206-0732 with
### Octopus version BOA-2.0.5
###
### NOTE: the group of settings displayed bellow
### will *override* all listed settings in the Octopus script.
###
_USER="o1"
_MY_EMAIL="dan@mywebsite.co.uk"
_PLATFORMS_LIST="ALL"
_ALLOW_UNSUPPORTED=NO
_AUTOPILOT=NO
_HM_ONLY=NO
_O_CONTRIB_UP=NO
_DEBUG_MODE=NO
_MY_OWNIP=
_FORCE_GIT_MIRROR=""
_THIS_DB_HOST=localhost
_DNS_SETUP_TEST=NO
_HOT_SAUCE=NO
_USE_CURRENT=YES
_REMOTE_CACHE_IP=127.0.0.1
_LOCAL_NETWORK_IP=
_PHP_FPM_VERSION=5.3
_PHP_CLI_VERSION=5.3
_USE_STOCK=NO
###
### NOTE: the group of settings displayed bellow will be *overriden*
### by config files stored in the /data/disk/o1/log/ directory,
### but only on upgrade.
###
_DOMAIN="o1.server.mywebsite.co.uk"
_CLIENT_EMAIL="dan@mywebsite.co.uk"
_CLIENT_OPTION="SSD"
_CLIENT_SUBSCR="Y"
_CLIENT_CORES="8"
###
### Configuration created on 130206-0732 with
### Octopus version BOA-2.0.5
###
_STRONG_PASSWORDS=NO
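The nginx failure quoted above is a config test tripping over a certificate path that no longer exists. The following pre-reload check is an added example, not part of this issue and not BOA or Aegir code: it collects every file named by an `ssl_certificate` or `ssl_certificate_key` directive under a config directory and reports the ones that cannot be read, so a deleted ssl.d shows up as a plain list of missing files before `nginx -t` or a service reload fails. The config directory argument and the `/etc/nginx` prefix used for relative paths are assumptions; adjust them to your layout.

```shell
#!/bin/sh
# Added example (not from the issue, BOA or Aegir): verify that every
# certificate/key file referenced by nginx's ssl_certificate* directives is
# present and readable before attempting a config test or reload.

# nginx resolves relative certificate paths against its prefix directory;
# /etc/nginx is an assumed default, override via the environment if needed.
NGINX_PREFIX="${NGINX_PREFIX:-/etc/nginx}"

# list_ssl_paths CONF_DIR
# Print every unique file path given to ssl_certificate or ssl_certificate_key
# in any file under CONF_DIR, one per line, with relative paths resolved.
list_ssl_paths() {
    grep -rhE '^[[:space:]]*ssl_certificate(_key)?[[:space:]]+' "$1" 2>/dev/null \
      | sed -E 's/^[[:space:]]*ssl_certificate(_key)?[[:space:]]+//; s/[[:space:]]*;.*$//' \
      | tr -d "\"'" \
      | sort -u \
      | while IFS= read -r p; do
            case "$p" in
                /*) printf '%s\n' "$p" ;;                 # absolute path: use as-is
                *)  printf '%s\n' "$NGINX_PREFIX/$p" ;;   # relative: resolve against prefix
            esac
        done
}

# check_ssl_paths CONF_DIR
# Print "MISSING: <path>" for each referenced file that cannot be read.
# Returns 0 when every file is present, 1 when at least one is missing,
# 2 when CONF_DIR itself does not exist.
check_ssl_paths() {
    if [ ! -d "$1" ]; then
        echo "no such directory: $1" >&2
        return 2
    fi
    missing=$(list_ssl_paths "$1" | while IFS= read -r p; do
                  [ -r "$p" ] || printf 'MISSING: %s\n' "$p"
              done)
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing"
        return 1
    fi
    echo "all certificate files referenced under $1 are present"
    return 0
}

# Typical use: only run the config test and reload once the files are in place.
# check_ssl_paths /etc/nginx && nginx -t && service nginx reload
```

The readability test is made as the user running the script, while nginx reads certificates as the user its master process starts as (normally root), so run the check as root for a faithful answer. It only confirms the files exist; `nginx -t` still has to validate their contents.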
Comments
Comment #1
omega8cc commented:
The built-in Aegir SSL feature was never recommended in BOA - see docs/SSL.txt
You don't need an extra IP to be able to use the BOA specific how-to - you just replace the standard BOA SSL proxy cert/key.
There is nothing BOA specific in the built-in Aegir SSL feature, so any issues with this feature (especially since it was rewritten in Aegir 2.x we use) should be reported in the Aegir queue.
Comment #2
omega8cc commented:
That said, we should move this report to the Aegir queue for inspection.
Aegir 2.x is still in alpha, but it is highly possible that you have experienced some serious bug introduced in the recent SSL support rewrite.
While BOA ships with Aegir 2.x (just minus Drush 5 support for a moment) and it recommends avoiding the Aegir built-in SSL feature (at least until we consider it production ready), we should investigate the upgrade path from pre-rewrite code to make sure we don't break things horribly.
Comment #3
anarcat commented:
Which version of Aegir is that exactly?
Comment #4
omega8cc commented:
Aegir BOA-2.0.8 is Aegir 6.x-2.x (head) as available on April 8th. While it is not a vanilla Aegir (it still uses Drush 4.6-dev), it comes with no changes to the entire SSL feature after the recent rewrite, so it should be representative of Aegir 6.x-2.x debugging.
Comment #5
DanielJohnston commented:
Yup, this is an ongoing issue. It's now somehow successfully deleted the ssl.d folder despite chmod protection, and I've had to recreate. Joy.
Comment #6
DanielJohnston commented:
Quick note for omega8cc - would it be worth me putting up a separate documentation request in the Barracuda queue? Both I and an experienced developer read your SSL.txt before doing all of this and couldn't understand what you were talking about, which is why we ended up playing with the Aegir SSL setup. The server only has one IP address, and it's not at all clear what we should be doing in that situation.
Comment #7
omega8cc commented:
I would recommend keeping BOA specific stuff separate in the Barracuda or Octopus queue, to avoid confusion, and concentrating on the Aegir built-in SSL feature here.
Comment #8
ergonlogic commented:
I don't believe this was specific to Nginx. In Provision commits f0980e0..9b86038, we fixed a number of SSL bugs. Among them was the deletion of SSL dirs, and incorrect IP addresses being pulled into vhost config files. There was also an IP allocation issue in the front end, documented in: #2023621: Unable to allocate IP address for certificate, disabling SSL.
Please test against the latest 6.x-2.x, and re-open if the problems remain.