After upgrade site does not load - SSL error?

I did the usual git pull and launcher rebuild app, and the site didn’t come back up. Firefox says “Corrupted Content Error” and Chrome says “This site cannot be reached” ERR_FAILED - I tried rebuilding again, but no change.

I did “launcher logs app” and saw a bunch of these errors:

nginx: [emerg] cannot load certificate "/shared/ssl/forum.e-liquid-recipes.com_ecc.cer": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/shared/ssl/forum.e-liquid-recipes.com_ecc.cer','r') error:2006D080:BIO routines:BIO_new_file:no such file)

Certificate was fine right before the upgrade. How do I fix this?

At the top it says:

run-parts: executing /etc/runit/1.d/letsencrypt
[Mon 09 Sep 2019 11:33:30 PM UTC] Domains not changed.
[Mon 09 Sep 2019 11:33:30 PM UTC] Skip, Next renewal time is: ESC[1;31;32mThu Oct 31 00:48:13 UTC 2019ESC[0m
[Mon 09 Sep 2019 11:33:30 PM UTC] Add 'ESC[1;31;40m--forceESC[0m' to force to renew.
[Mon 09 Sep 2019 11:33:30 PM UTC] Installing key to:/shared/ssl/forum.e-liquid-recipes.com.key
[Mon 09 Sep 2019 11:33:30 PM UTC] Installing full chain to:/shared/ssl/forum.e-liquid-recipes.com.cer
[Mon 09 Sep 2019 11:33:30 PM UTC] Run reload cmd: sv reload nginx
warning: nginx: unable to open supervise/ok: file does not exist
[Mon 09 Sep 2019 11:33:30 PM UTC] ESC[1;31;40mReload error for :ESC[0m
[Mon 09 Sep 2019 11:33:31 PM UTC] Domains not changed.
[Mon 09 Sep 2019 11:33:31 PM UTC] Skip, Next renewal time is: ESC[1;31;32mFri 08 Nov 2019 11:17:55 PM UTCESC[0m
[Mon 09 Sep 2019 11:33:31 PM UTC] Add 'ESC[1;31;40m--forceESC[0m' to force to renew.
[Mon 09 Sep 2019 11:33:31 PM UTC] Installing key to:/shared/ssl/forum.e-liquid-recipes.com.key
[Mon 09 Sep 2019 11:33:31 PM UTC] Installing full chain to:/shared/ssl/forum.e-liquid-recipes.com.cer
[Mon 09 Sep 2019 11:33:31 PM UTC] Run reload cmd: sv reload nginx
warning: nginx: unable to open supervise/ok: file does not exist
[Mon 09 Sep 2019 11:33:31 PM UTC] ESC[1;31;40mReload error for :ESC[0m
Started runsvdir, PID is 631
chgrp: invalid group: ‘syslog’
Server listening on 0.0.0.0 port 22.
Server listening on :: port 22.
rsyslogd: imklog: cannot open kernel log (/proc/kmsg): Operation not permitted.

Seems it tried to load /shared/ssl/forum.e-liquid-recipes.com_ecc.cer instead of /shared/ssl/forum.e-liquid-recipes.com.cer?

2 Likes

I managed to get the server up again, by modifying the nginx config:

./launcher enter app
cd /etc/nginx/conf.d
vim discourse.conf

then commenting out the SSL-lines that had _ecc in them:

ssl_certificate /shared/ssl/forum.e-liquid-recipes.com.cer;
#ssl_certificate /shared/ssl/forum.e-liquid-recipes.com_ecc.cer;

ssl_certificate_key /shared/ssl/forum.e-liquid-recipes.com.key;
#ssl_certificate_key /shared/ssl/forum.e-liquid-recipes.com_ecc.key;

Then exit and restart the app…

Ooops, my bad… I made a last-minute change and forgot to test it on a clean installation.
Fixed in Correctly install ECDSA certificate · discourse/discourse_docker@c6fc61f · GitHub

3 Likes
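The failure in this thread is nginx refusing to start because its config names a certificate file that was never installed. As an added example (not from the thread or from discourse_docker), this shell function lists the `ssl_certificate` / `ssl_certificate_key` paths in a config that are missing on disk, so the mismatch shows up before a restart; the function name `missing_tls_files` is hypothetical, and it assumes unquoted literal paths without whitespace.

```shell
#!/bin/sh
# Added example: report certificate and key files that an nginx config
# references but that are missing or unreadable on disk.
# Assumption: paths are literal, unquoted and contain no whitespace.
# Usage (inside the container): missing_tls_files /etc/nginx/conf.d/discourse.conf
# Exit status: 0 = all files present, 1 = at least one missing, 2 = config unreadable.
missing_tls_files() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read config: $conf" >&2; return 2; }

    # Drop comments (so commented-out directives are ignored), keep only the
    # two directives, and print "<directive> <path>" without the trailing ';'.
    sed -e 's/#.*//' "$conf" |
    awk '$1 == "ssl_certificate" || $1 == "ssl_certificate_key" {
             sub(/;$/, "", $2)
             print $1, $2
         }' |
    (
        # Explicit subshell: its exit status becomes the function's status.
        rc=0
        while read -r directive path; do
            if [ ! -r "$path" ]; then
                echo "$directive $path"
                rc=1
            fi
        done
        exit "$rc"
    )
}
```

Each output line names the directive and the path nginx would fail to open, which is the same information as the `[emerg] cannot load certificate` line but available before the service goes down.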

When I upgrade next, does it matter that I changed the nginx-config?

1 Like

No, it will be overwritten. Doing a git pull and ./launcher rebuild app will work.

3 Likes

I only do the git pull and ./launcher rebuild app when the web interface refuses to update and tells me to do it by command line - should still work, right? :slight_smile:

1 Like

It will most likely work. If not, you know the solution. :wink:

2 Likes