Bugreport - App in recovery mode crashing nginx - Cloudron frontend not accessible
-
I just had an interesting support case.
A customer had a Cloudron that was non accessible via the frontend.Looking at the system (and knowing no frontend at all) can only mean nginx issues.
journalctl -u nginxFeb 23 05:18:47 my systemd[1]: Starting nginx - high performance web server... Feb 23 05:18:52 my nginx[6671]: nginx: [emerg] cannot load certificate "/home/yellowtent/platformdata/nginx/cert/orga.domain.tld.cert": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen Feb 23 05:18:52 my systemd[1]: nginx.service: Control process exited, code=exited status=1 Feb 23 05:18:52 my systemd[1]: nginx.service: Failed with result 'exit-code'. Feb 23 05:18:52 my systemd[1]: Failed to start nginx - high performance web server.Huh.
cd /etc/nginx/applications
grep -rin "orga"(searching for the subdomain of the app so I can get the nginx confile filename aka. appid.f3a6649e-86c9-4fd0-ac97-a3675a36c19d.conf:16: server_name orga.sub.domain; f3a6649e-86c9-4fd0-ac97-a3675a36c19d.conf:44: server_name orga.sub.domain; f3a6649e-86c9-4fd0-ac97-a3675a36c19d.conf.off:50: ssl_certificate /home/yellowtent/platformdata/nginx/cert/orga.sub.domain.cert; f3a6649e-86c9-4fd0-ac97-a3675a36c19d.conf:51: ssl_certificate_key /home/yellowtent/platformdata/nginx/cert/orga.sub.domain.key;Moving the file to
.offso nginx won't load it as config
mv f3a6649e-86c9-4fd0-ac97-a3675a36c19d.conf f3a6649e-86c9-4fd0-ac97-a3675a36c19d.conf.off
systemctl restart nginx.serviceNow the frontend is accessible again.
HUH!
f3a6649e-86c9-4fd0-ac97-a3675a36c19dis aRedmine 4.2.1=>org.redmine.coudronapp@1.7.1=>Last Updated 10 months ago
and its labeledorga.sub.domain - brokenand the app is in recovery mode.
Trying a force renew all certs:Log:
Feb 23 12:24:32 box:reverseproxy expiryDate: /home/yellowtent/platformdata/nginx/cert/oldorga.sub.domain.cert notAfter=Sep 11 08:32:00 2021 GMT daysLeft=-165.11981987268518What the..?
oldorga.sub.domain?@staff Could it be that an app in recovery mode does not get any new certs?
And simple the app had been so long in recovery mode the certs have not been renewed?
Why is there anoldorga.sub.domainwhich is getting renewed? There is no app with this location.Something is fishy
Like my work? Consider donating a drink. Cheers!
-
I just had an interesting support case.
A customer had a Cloudron that was non accessible via the frontend.Looking at the system (and knowing no frontend at all) can only mean nginx issues.
journalctl -u nginxFeb 23 05:18:47 my systemd[1]: Starting nginx - high performance web server... Feb 23 05:18:52 my nginx[6671]: nginx: [emerg] cannot load certificate "/home/yellowtent/platformdata/nginx/cert/orga.domain.tld.cert": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen Feb 23 05:18:52 my systemd[1]: nginx.service: Control process exited, code=exited status=1 Feb 23 05:18:52 my systemd[1]: nginx.service: Failed with result 'exit-code'. Feb 23 05:18:52 my systemd[1]: Failed to start nginx - high performance web server.Huh.
cd /etc/nginx/applications
grep -rin "orga"(searching for the subdomain of the app so I can get the nginx confile filename aka. appid.f3a6649e-86c9-4fd0-ac97-a3675a36c19d.conf:16: server_name orga.sub.domain; f3a6649e-86c9-4fd0-ac97-a3675a36c19d.conf:44: server_name orga.sub.domain; f3a6649e-86c9-4fd0-ac97-a3675a36c19d.conf.off:50: ssl_certificate /home/yellowtent/platformdata/nginx/cert/orga.sub.domain.cert; f3a6649e-86c9-4fd0-ac97-a3675a36c19d.conf:51: ssl_certificate_key /home/yellowtent/platformdata/nginx/cert/orga.sub.domain.key;Moving the file to
.offso nginx won't load it as config
mv f3a6649e-86c9-4fd0-ac97-a3675a36c19d.conf f3a6649e-86c9-4fd0-ac97-a3675a36c19d.conf.off
systemctl restart nginx.serviceNow the frontend is accessible again.
HUH!
f3a6649e-86c9-4fd0-ac97-a3675a36c19dis aRedmine 4.2.1=>org.redmine.coudronapp@1.7.1=>Last Updated 10 months ago
and its labeledorga.sub.domain - brokenand the app is in recovery mode.
Trying a force renew all certs:Log:
Feb 23 12:24:32 box:reverseproxy expiryDate: /home/yellowtent/platformdata/nginx/cert/oldorga.sub.domain.cert notAfter=Sep 11 08:32:00 2021 GMT daysLeft=-165.11981987268518What the..?
oldorga.sub.domain?@staff Could it be that an app in recovery mode does not get any new certs?
And simple the app had been so long in recovery mode the certs have not been renewed?
Why is there anoldorga.sub.domainwhich is getting renewed? There is no app with this location.Something is fishy
@BrutalBirdie from my epxerience, Apps in recovery mode or in any other state than "running" do not get certs or updates.
-
I just had an interesting support case.
A customer had a Cloudron that was non accessible via the frontend.Looking at the system (and knowing no frontend at all) can only mean nginx issues.
journalctl -u nginxFeb 23 05:18:47 my systemd[1]: Starting nginx - high performance web server... Feb 23 05:18:52 my nginx[6671]: nginx: [emerg] cannot load certificate "/home/yellowtent/platformdata/nginx/cert/orga.domain.tld.cert": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen Feb 23 05:18:52 my systemd[1]: nginx.service: Control process exited, code=exited status=1 Feb 23 05:18:52 my systemd[1]: nginx.service: Failed with result 'exit-code'. Feb 23 05:18:52 my systemd[1]: Failed to start nginx - high performance web server.Huh.
cd /etc/nginx/applications
grep -rin "orga"(searching for the subdomain of the app so I can get the nginx confile filename aka. appid.f3a6649e-86c9-4fd0-ac97-a3675a36c19d.conf:16: server_name orga.sub.domain; f3a6649e-86c9-4fd0-ac97-a3675a36c19d.conf:44: server_name orga.sub.domain; f3a6649e-86c9-4fd0-ac97-a3675a36c19d.conf.off:50: ssl_certificate /home/yellowtent/platformdata/nginx/cert/orga.sub.domain.cert; f3a6649e-86c9-4fd0-ac97-a3675a36c19d.conf:51: ssl_certificate_key /home/yellowtent/platformdata/nginx/cert/orga.sub.domain.key;Moving the file to
.offso nginx won't load it as config
mv f3a6649e-86c9-4fd0-ac97-a3675a36c19d.conf f3a6649e-86c9-4fd0-ac97-a3675a36c19d.conf.off
systemctl restart nginx.serviceNow the frontend is accessible again.
HUH!
f3a6649e-86c9-4fd0-ac97-a3675a36c19dis aRedmine 4.2.1=>org.redmine.coudronapp@1.7.1=>Last Updated 10 months ago
and its labeledorga.sub.domain - brokenand the app is in recovery mode.
Trying a force renew all certs:Log:
Feb 23 12:24:32 box:reverseproxy expiryDate: /home/yellowtent/platformdata/nginx/cert/oldorga.sub.domain.cert notAfter=Sep 11 08:32:00 2021 GMT daysLeft=-165.11981987268518What the..?
oldorga.sub.domain?@staff Could it be that an app in recovery mode does not get any new certs?
And simple the app had been so long in recovery mode the certs have not been renewed?
Why is there anoldorga.sub.domainwhich is getting renewed? There is no app with this location.Something is fishy
@BrutalBirdie yes, this was a bug in 7.0.x. certificates of apps are "deleted" after 6 months or so. when this happens, the nginx config is left dangling. This is fixed in 7.1 with https://git.cloudron.io/cloudron/box/-/commit/5382e3d8321ddb96817f50ab94e9da56258b11e9
