Topic: Help! messed up my SSL and nginx won't start

I'm running (was) nginx.  My letsencrypt certificate was expiring and one of the domains needed to be dropped (friend no longer kept the domain and I had it in my certificate).

So, I copied a backup of the letsencrypt directory and created a new ssl without the domains - no problem.

I can't get nginx to load.  I killed my symlinks and recreated them, and I have problems.

This is the error I get:


[root@mail ssl]# systemctl status nginx.service -l
● nginx.service - The nginx HTTP and reverse proxy server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Fri 2022-09-09 10:55:35 EDT; 1min 31s ago
  Process: 19874 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=1/FAILURE)
  Process: 19872 ExecStartPre=/usr/bin/rm -f /run/nginx.pid (code=exited, status=0/SUCCESS)

Sep 09 10:55:35 mail.lifeassetsllc.com systemd[1]: Starting The nginx HTTP and reverse proxy server...
Sep 09 10:55:35 mail.lifeassetsllc.com nginx[19874]: nginx: [emerg] cannot load certificate key "/etc/pki/tls/private/iRedMail.key": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/pki/tls/private/iRedMail.key','r') error:2006D080:BIO routines:BIO_new_file:no such file)
Sep 09 10:55:35 mail.lifeassetsllc.com nginx[19874]: nginx: configuration file /etc/nginx/nginx.conf test failed
Sep 09 10:55:35 mail.lifeassetsllc.com systemd[1]: nginx.service: control process exited, code=exited status=1
Sep 09 10:55:35 mail.lifeassetsllc.com systemd[1]: Failed to start The nginx HTTP and reverse proxy server.
Sep 09 10:55:35 mail.lifeassetsllc.com systemd[1]: Unit nginx.service entered failed state.
Sep 09 10:55:35 mail.lifeassetsllc.com systemd[1]: nginx.service failed.
[root@mail ssl]#

There was no file for /etc/ssl/private/iRedMail.key, so I created the directory and copied the privkey.pem file there from letsencrypt.


I have recreated the certificates with the dropped domains:

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/mail.lifeassetsllc.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/mail.lifeassetsllc.com/privkey.pem
   Your cert will expire on 2022-12-08. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
- If you like Certbot, please consider supporting our work by:



So, I have a new certificate, but frankly I'm stumped and my server is down (I only use webmail) until I fix it.

How do I relink my new certificate into nginx so that it will start correctly?

Help, I'm lost!!!!

Andrew

----

Re: Help! messed up my SSL and nginx won't start

Edit:  I fixed it after an hour.
My certificate changed names, which shouldn't have mattered, and I used:

sudo ln -sf /etc/letsencrypt/live/mail.lifeassetsllc.com/fullchain.pem /etc/pki/tls/certs/iRedMail.crt
sudo ln -sf  /etc/letsencrypt/live/mail.lifeassetsllc.com/privkey.pem /etc/pki/tls/private/iRedMail.key

which seemingly did matter.

So, all is running for now.  Hope this helps someone in the future.

Andrew
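
A pre-flight check for the failure in this thread, as an added example that is not part of the original posts: it classifies each path nginx is configured to load as OK, missing or a dangling symlink, then confirms the certificate and key belong together. The function names are hypothetical; the paths in the usage comment are the ones quoted in the post.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): check the cert/key paths nginx loads
# before running "nginx -t". Function names are hypothetical.

# 0 = resolves to a readable regular file, 1 = nothing at that path,
# 2 = symlink whose target is gone, 3 = present but not a readable file.
check_tls_path() {
    local p="$1"
    if [ -L "$p" ] && [ ! -e "$p" ]; then
        echo "DANGLING   $p -> $(readlink "$p")"; return 2
    elif [ ! -e "$p" ]; then
        echo "MISSING    $p"; return 1
    elif [ ! -f "$p" ] || [ ! -r "$p" ]; then
        echo "UNREADABLE $p"; return 3
    fi
    echo "OK         $p -> $(readlink -f "$p")"
}

# 0 when the certificate's public key equals the one derived from the
# private key, 1 on mismatch, 2 when openssl cannot parse either file.
cert_matches_key() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Check both paths; compare keys only when both resolve.
preflight() {
    local cert="$1" key="$2" rc=0
    check_tls_path "$cert" || rc=1
    check_tls_path "$key" || rc=1
    [ "$rc" -eq 0 ] || return 1
    cert_matches_key "$cert" "$key" || { echo "MISMATCH   $cert / $key"; return 1; }
    echo "MATCH      certificate and key belong together"
}

# Usage with the paths from the post (run as root so the key is readable):
#   ./preflight.sh /etc/pki/tls/certs/iRedMail.crt /etc/pki/tls/private/iRedMail.key
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
fi
```

For a fullchain.pem, `openssl x509` reads the first certificate in the file, which is the server certificate whose key has to match.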