Posts by axl

axl · Oct 5th 2021

Quote from vege.net

we had the same problems, here is a hot fix which worked for us:

Code

cd /usr/share/ca-certificates/mozilla/

wget https://letsencrypt.org/certs/lets-encrypt-r3.pem

mv lets-encrypt-r3.pem lets-encrypt-r3.crt

dpkg-reconfigure ca-certificates # -->> add new letsencrypt Cert

vi /var/www/imscp/engine/PerlLib/iMSCP/OpenSSL.pm +134 #comment out line 134

my $cmd = [

'openssl', 'verify',

# ( ( $self->{'ca_bundle_container_path'} ne '' ) ? ( '-CAfile', $self->{'ca_bundle_container_path'} ) : () ),

'-purpose', 'sslserver', $self->{'certificate_container_path'}

];

Display More

what it does:

- adding new letsencrypt CA cert to /etc/ssl/certs

- removing "-CAfile fullchain1.pem" from openssl command (its not necessary anymore because openssl knows it now)

Regards, Joern

ps: Debian 9 / i-MSCP 1.5.3 Build: 2018120800uild: 2018120800

Display More

A good solution for fixing Let's Encrypt, but...

Quote from fulltilt

everything seems to work with the letsencrypt patch, but I discovered a problem when installing a purchased certificate ...

To install a paid certificate line 134 needs to be reactivated in OpenSSL.pm (afterwards deactivate again).

... it had issues with paid certificates.

I continued the work on Joern's approach. As per his instructions, start with:

Code

cd /usr/share/ca-certificates/mozilla/
wget https://letsencrypt.org/certs/lets-encrypt-r3.pem
mv lets-encrypt-r3.pem lets-encrypt-r3.crt
dpkg-reconfigure ca-certificates # -->> add new letsencrypt Cert

The next step is to edit /var/www/imscp/engine/PerlLib/iMSCP/OpenSSL.pm with editor of your choice. As Joern instructed, start by commenting out the line at 135. However, to allow paid certificates with CA bundle continue to work, if the initial verify command fails, then we need to try to run it with the CAfile parameter. This is done by adding the code below after line 140 debug( $stdout ) if $stdout;:

Code

# If an error state was returned, run again with CA bundle (support for paid certs)
if ( $rs && ( $self->{'ca_bundle_container_path'} ne '' ) ) {
$cmd = [
'openssl', 'verify',
( ( $self->{'ca_bundle_container_path'} ne '' ) ? ( '-CAfile', $self->{'ca_bundle_container_path'} ) : () ),
'-purpose', 'sslserver', $self->{'certificate_container_path'}
];
$rs = execute( $cmd, \ $stdout, \ $stderr );
debug( $stdout ) if $stdout;
}

Display More

Full code from line 132 (old) to 157 (new) with a few comments for clarity:

Code

# COMMENTED OUT LINE 135
my $cmd = [
'openssl', 'verify',
# ( ( $self->{'ca_bundle_container_path'} ne '' ) ? ( '-CAfile', $self->{'ca_bundle_container_path'} ) : () ),
'-purpose', 'sslserver', $self->{'certificate_container_path'}
];
my $rs = execute( $cmd, \ my $stdout, \ my $stderr );
debug( $stdout ) if $stdout;
# ADDED: If an error state was returned, run again with CA bundle (support for paid certs)
if ( $rs && ( $self->{'ca_bundle_container_path'} ne '' ) ) {
$cmd = [
'openssl', 'verify',
( ( $self->{'ca_bundle_container_path'} ne '' ) ? ( '-CAfile', $self->{'ca_bundle_container_path'} ) : () ),
'-purpose', 'sslserver', $self->{'certificate_container_path'}
];
$rs = execute( $cmd, \ $stdout, \ $stderr );
debug( $stdout ) if $stdout;
}
# STOP EDITS HERE
error( sprintf(
"SSL certificate is not valid: %s",
( $stderr || $stdout || 'Unknown error' ) =~ s/$self->{'certificate_container_path'}:\s+//r
)) if $rs;

Display More

Disclaimer: use at your own risk.

axl · Jun 28th 2020

Quote from freedom

Problem B - exists since 5.0.3 and still in 5.0.5:

When switching a site back to the default phpversion or when creating a new customer with default phpversion, the same problem from above now hits all pages wich are using the default php version. The command perl /var/www/imscp/engine/imscp-rqst-mngr -v is not able to fix this problem, but with a fast reconfiguration perl /var/www/imscp/engine/setup/imscp-reconfigure -danv this problem gets hotfixed aswell in the meantime. But it seems like there is still another problem hidden in the phpswitcher.

Spent some time trying to work on this, and found a probable cause and a fix for it. I could not cause the default PHP version pool configurations to be deleted on a domain creation or deletion. However, there is a bug related to the php_compiler.pl, which causes all the pool configurations to be wiped for the default PHP version.

The issue

When using the compiler, all the PHP versions processed get changed to either toadd or tochange state. Then, run-method on backend/PhpSwitcher.pm will run _deconfigureFpm for all the affected PHP versions.

On the very last line of _deconfigureFpm, there is a function call:

unlink grep !/www\.conf$/, glob "$phpVersion->{'version_fpm_pool_directory_path'}/*.conf"; This will delete all the pool configs besides the www.conf. This is fine for PHP versions other than default. run will then call _scheduleDomainsChange, which will change the status of domains, subdomains, aliasses and subdomain aliasses to tochange if they have a non-default PHP-version. When the backend tasks are run, the pool configurations get recreated for these.

So, in summary, all PHP versions will have their pool configurations deleted, but only the ones with non-default PHP-version gets recreated. Because the default PHP service is not reloaded, the issue will not be visible until someone adds a domain or changes back to default PHP version.

The solution

The fix seems to be quite simple. You have to edit backend/PhpSwitcher.pm and change the end (should be line 1787) of _deconfigureFpm from

Code

unlink grep !/www\.conf$/, glob "$phpVersion->{'version_fpm_pool_directory_path'}/*.conf";

to

Code

# Prevent default PHP file configurations from being destroyed
return if $phpVersion->{'version_is_default'};
unlink grep !/www\.conf$/, glob "$phpVersion->{'version_fpm_pool_directory_path'}/*.conf";

Disclaimer: use at your own risk.

Additional help

If you managed to end up in a state where all the pool configurations for default PHP versions are gone, there is a faster alternative to perl /var/www/imscp/engine/setup/imscp-reconfigure -danv. Basically, you need to change the state of domains, subdomains, aliasses and subdomain aliasses with default PHP version to tochange, and run the request manager with /var/www/imscp/engine/imscp-rqst-mngr or from admin via Debugger -> Run Tasks. To change all the states, you can run these SQL queries:

Code

-- Update domains with default PHP version
UPDATE
`domain`
SET
`domain_status` = 'tochange'
WHERE
`domain_id` NOT IN (
SELECT
`domain_id`
FROM
`php_switcher_version_admin`
WHERE
`domain_type` = 'dmn'
)
AND
`domain_status` NOT IN ('disabled', 'todelete')
;
-- Update subdomains with default PHP version
UPDATE
`subdomain`
SET
`subdomain_status` = 'tochange'
WHERE
`subdomain_id` NOT IN (
SELECT
`domain_id`
FROM
`php_switcher_version_admin`
WHERE
`domain_type` = 'sub'
)
AND
`subdomain_status` NOT IN ('disabled', 'todelete')
;
-- Update domain aliasses with default PHP version
UPDATE
`domain_aliasses`
SET
`alias_status` = 'tochange'
WHERE
`alias_id` NOT IN (
SELECT
`domain_id`
FROM
`php_switcher_version_admin`
WHERE
`domain_type` = 'als'
)
AND
`alias_status` NOT IN ('disabled', 'todelete')
;
-- Update subdomain aliasses with default PHP version
UPDATE
`subdomain_alias`
SET
`subdomain_alias_status` = 'tochange'
WHERE
`subdomain_alias_id` NOT IN (
SELECT
`domain_id`
FROM
`php_switcher_version_admin`
WHERE
`domain_type` = 'subals'
)
AND
`subdomain_alias_status` NOT IN ('disabled', 'todelete')
;

Display More

Disclaimer: use at your own risk.

Posts by axl

LetsEncrypt - SSL certificate is not valid

Phpswitcher 5.0.5 Bug - Default php pool config and sockets gets deleted when creating a new customer