
nginx restart failed + Letsencrypt

Posted: Thu Dec 14, 2017 6:33 am
by Felix

I have an issue with nginx not starting when a domain certificate is updated.

The cron job to renew certificates runs at 06:00 each day.
When this happens and a certificate is updated, nginx fails to restart with the following error:

Code:

 * Restarting nginx nginx
nginx: [emerg] unexpected "}" in /home/[USER]/conf/web/snginx.conf:1
nginx: configuration file /etc/nginx/nginx.conf test failed

I have checked the conf in /home/[USER]/conf/web/snginx.conf and found that it starts like this:

Code:

}
server {
    listen      [IP]:443;
    server_name TLD www.[TLD];
    ssl         on;
    [other lines below]

Pay attention to the } at the start of the file. This is causing the problem. After editing the file and removing this, nginx restarts fine.

Possible bug?
I think this could be caused by a bug in v-update-letsencrypt-ssl but I can't be sure. It can also be related to the one added line I place in conf files. I need to redirect https://TLD/email to a different server so I have added the following line inside the server block, below error_log:

Code:

rewrite ^/email$ https://[TLD]:2096/ permanent;

So the server block config looks like this:

Code:

server {
    listen      [IP]:443;
    server_name [TLD] www.[TLD];
    ssl         on;
    ssl_certificate      /home/[USER]/conf/web/ssl.[TLD].pem;
    ssl_certificate_key  /home/[USER]/conf/web/ssl.[TLD].key;
    error_log  /var/log/apache2/domains/[TLD].error.log error;

    rewrite ^/email$ https://[TLD]:2096/ permanent;

    location / {
        proxy_pass      https://[IP]:8443;
        location ~* ^.+\.(jpg|jpeg|gif|png|ico|svg|css|zip|tgz|gz|rar|bz2|exe|pdf|doc|xls|ppt|txt|odt|ods|odp|odf|tar|bmp|rtf|js|mp3|avi|mpeg|flv|html|htm)$ {
            root           /home/[USER]/web/[TLD]/public_html;
            access_log     /var/log/apache2/domains/[TLD].log combined;
            access_log     /var/log/apache2/domains/[TLD].bytes bytes;
            expires        max;
            try_files      $uri @fallback;

Could it be that the addition of the rewrite ^/email$ https://[TLD]:2096/ permanent; is causing this issue?
Can this be resolved in a way compatible with this addition (or any other necessary addition to the conf)?

I understand that I can achieve the same (redirecting https://[TLD]/email) with .htaccess but I wouldn't like using it, because .htaccess files can be deleted/edited by users and thus break the redirection.

Re: nginx restart failed + Letsencrypt

Posted: Mon Feb 05, 2018 5:43 am
by Felix
50 days, no reply, nginx still crashing on production servers :(

I'd like to add some more info to this issue. Today, one of my domains renewed its Let's Encrypt certificate and as a result nginx crashed. The problem was again the same: a curly bracket broke the syntax of /home/[USER]/conf/web/snginx.conf

What is more interesting is that /home/[USER]/conf/web/snginx.conf is now blank (apart from the curly bracket ofc) and I noticed that there exists a new file /home/[USER]/conf/web/[TLD].nginx.ssl.conf that holds the configuration data for ssl.

Even though now snginx.conf is blank, deleting the file causes problems to nginx (can't restart because nginx is looking for this file). This is because of /etc/nginx/conf.d/vesta.conf. There are include directives for both /home/[user]/conf/web/snginx.conf and /home/[user]/conf/web/[TLD].nginx.ssl.conf !! But WHY ?!

To sum this up
  • The bug is still alive and kicking. When Let's Encrypt updates certificates, nginx crashes!
  • Something has changed in the way nginx uses its config files

Web Template APACHE2: Hosting
Proxy Support NGINX: Hosting

Re: nginx restart failed + Letsencrypt

Posted: Wed Feb 07, 2018 12:59 am
by noogen
As you've seen it yourself, something has changed. The issue you're asking about is a known issue and it has been fixed partially. That is why you're seeing a different file for nginx. Your system probably auto-updated to Vesta 0.9.8-18.

There is a known issue in the way Vesta parses the config file for both NGINX and APACHE2. Vesta before v18 stored all configs in the same file. The way Vesta does it is by counting the number of lines in the generated template and cutting these lines from the nginx or apache conf file. This is error-prone. In v18, Vesta started to do this in a separate file for NGINX:

The issue is that it still can't parse to remove the old config from the big (multi-domain/site) nginx conf file. Therefore, you may want to back up and then rebuild your user per the GitHub instruction above. Of course this is still an issue with the apache conf.

I've discussed this issue on GitHub and requested the split some time ago:
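
Added example, not part of the thread and not Vesta's code: a simplified Python model of the line-count removal described in the reply above, showing how one hand-added line in a server block leaves a stray `}` at the top of the file, next to removal by brace matching. The function names and the sample config (example.test, 203.0.113.10) are constructed for illustration.

```python
# Simplified model of template-based config removal; not Vesta's code.
# The sample config below is constructed for this example.
TEMPLATE = """server {
    listen      203.0.113.10:443;
    server_name example.test www.example.test;
    error_log   /var/log/apache2/domains/example.test.error.log error;
    location / {
        proxy_pass https://203.0.113.10:8443;
    }
}""".splitlines()

def hand_edited(template):
    """Deployed block: the template plus one manually added rewrite line."""
    out = list(template)
    out.insert(4, "    rewrite ^/email$ https://example.test:2096/ permanent;")
    return out

def remove_by_line_count(conf, start, template):
    """Cut len(template) lines from `start`, assuming the block is unedited."""
    return conf[:start] + conf[start + len(template):]

def remove_by_brace_match(conf, start):
    """Cut from `start` (a 'server {' line) to where its braces balance.
    Naive counter: braces inside regexes or comments are not handled."""
    depth = 0
    for i in range(start, len(conf)):
        depth += conf[i].count("{") - conf[i].count("}")
        if depth == 0:
            return conf[:start] + conf[i + 1:]
    raise ValueError("unbalanced braces, refusing to edit")

def brace_balanced(conf):
    """Pre-reload sanity check: depth never negative and ends at zero."""
    depth = 0
    for line in conf:
        depth += line.count("{") - line.count("}")
        if depth < 0:
            return False
    return depth == 0

def renew(conf, remover):
    """Remove the old block at line 0, then append a freshly rendered one."""
    return remover(conf) + TEMPLATE

if __name__ == "__main__":
    deployed = hand_edited(TEMPLATE)
    broken = renew(deployed, lambda c: remove_by_line_count(c, 0, TEMPLATE))
    fixed = renew(deployed, lambda c: remove_by_brace_match(c, 0))
    print("line count :", repr(broken[0]), "balanced =", brace_balanced(broken))
    print("brace match:", repr(fixed[0]), "balanced =", brace_balanced(fixed))
```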

Re: nginx restart failed + Letsencrypt

Posted: Sun Mar 04, 2018 12:19 pm
by Felix
Thanks noogen for the comprehensive reply. Your reply shed lots of light on my problem.