Problem with FusionPBX SSL certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: call1.comunicatefacil.com

I ran this command: nginx -t

It produced this output:

```
nginx: [emerg] BIO_new_file("/etc/dehydrated/certs/call1.comunicatefacil.com/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/dehydrated/certs/call1.comunicatefacil.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed
```

My web server is (include version): nginx version: nginx/1.10.3

The operating system my web server runs on is (include version): Debian 9

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

Today my test server has this problem. Yesterday it worked fine, and now when I tried to restart the server I can't start my web panel. When I look at the nginx service, I have the problem with the SSL certificate.


nginx won’t start because a file is missing:

If you don’t have a backup of that file (directory), you may have to recreate or get a new cert.

When I try again I get this result:

```
root@fusionpbxwebrtc:/usr/src/fusionpbx-install.sh/debian/resources# ./letsencrypt.sh
Domain Name: call1.comunicatefacil.com
Email Address: mail@comunicatefacil.com
fatal: destination path 'dehydrated' already exists and is not an empty directory.
# INFO: Using main config file /etc/dehydrated/config
+ Account already registered!
# INFO: Using main config file /etc/dehydrated/config
Processing call1.comunicatefacil.com
 + Creating new directory /etc/dehydrated/certs/call1.comunicatefacil.com ...
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 1 authorizations URLs from the CA
 + Handling authorization for call1.comunicatefacil.com
 + 1 pending challenge(s)
 + Deploying challenge tokens...
 + Responding to challenge for call1.comunicatefacil.com authorization...
 + Cleaning challenge tokens...
 + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:connection",
    "detail": "Fetching http://call1.comunicatefacil.com/.well-known/acme-challenge/9PWN1jxF3ut56KUklpfhBw8XjXzi0vxRH0xnmVf2nEA: Timeout during connect (likely firewall problem)",
    "status": 400
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/3548742130/f60pMw",
  "token": "9PWN1jxF3ut56KUklpfhBw8XjXzi0vxRH0xnmVf2nEA",
  "validationRecord": [
    {
      "url": "http://call1.comunicatefacil.com/.well-known/acme-challenge/9PWN1jxF3ut56KUklpfhBw8XjXzi0vxRH0xnmVf2nEA",
      "hostname": "call1.comunicatefacil.com",
      "port": "80",
      "addressesResolved": [
        "191.98.155.123"
      ],
      "addressUsed": "191.98.155.123"
    }
  ]
})
nginx: [emerg] BIO_new_file("/etc/dehydrated/certs/call1.comunicatefacil.com/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/dehydrated/certs/call1.comunicatefacil.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed
cat: /etc/dehydrated/certs/call1.comunicatefacil.com/fullchain.pem: No such file or directory
cat: /etc/dehydrated/certs/call1.comunicatefacil.com/privkey.pem: No such file or directory
cp: cannot stat '/etc/dehydrated/certs/call1.comunicatefacil.com/cert.pem': No such file or directory
cp: cannot stat '/etc/dehydrated/certs/call1.comunicatefacil.com/chain.pem': No such file or directory
cp: cannot stat '/etc/dehydrated/certs/call1.comunicatefacil.com/fullchain.pem': No such file or directory
cp: cannot stat '/etc/dehydrated/certs/call1.comunicatefacil.com/privkey.pem': No such file or directory
```

I would check the drive for errors and also try rebooting the system.
If that persists, I would try renaming, or removing, that directory ("/etc/dehydrated/certs/call1.comunicatefacil.com/").

I removed the directory "/etc/dehydrated/certs/call1.comunicatefacil.com/" and I had the same result.

I compared it with my production server, and I have the same configuration and similar permissions.

That exact same error?

Show us this file.

I think verification might fail because dehydrated needs nginx to be running. In this case you either tell it to spin up a web server on purpose (does it have this feature?), or you make a self-signed cert just to start nginx, or you momentarily remove the vhost on port 443.

This is the file /letsencrypt.sh:

```sh
#!/bin/sh

# FusionPBX - Install
# Mark J Crane <markjcrane@fusionpbx.com>
# Copyright (C) 2018
# All Rights Reserved.

#move to script directory so all relative paths work
cd "$(dirname "$0")"

#includes
. ./config.sh

#remove dehyrdated letsencrypt script
#rm -R /etc/dehydrated/
#rm /usr/local/sbin/dehydrated
#rm -R /usr/src/dehydrated
#rm -R /usr/src/dns-01-manual
#rm -R /var/www/dehydrated

#request the domain name, email address and wild card domain
read -p 'Domain Name: ' domain_name
read -p 'Email Address: ' email_address

#get and install dehydrated
cd /usr/src && git clone https://github.com/lukas2511/dehydrated.git
cd /usr/src/dehydrated
cp dehydrated /usr/local/sbin
mkdir -p /var/www/dehydrated
mkdir -p /etc/dehydrated/certs

#wildcard detection (quoted so a leading * is not expanded by the shell)
wilcard_domain=$(echo "$domain_name" | cut -c1-1)
if [ "$wilcard_domain" = "*" ]; then
    wilcard_domain="true"
else
    wilcard_domain="false"
fi

#remove the wildcard and period
if [ .$wilcard_domain = ."true" ]; then
    domain_name=$(echo "$domain_name" | cut -c3-255)
fi

#manual dns hook
if [ .$wilcard_domain = ."true" ]; then
    cd /usr/src
    git clone https://github.com/gheja/dns-01-manual.git
    cd /usr/src/dns-01-manual/
    cp hook.sh /etc/dehydrated/hook.sh
    chmod 755 /etc/dehydrated/hook.sh
fi

#copy config and hook.sh into /etc/dehydrated
cd /usr/src/dehydrated
cp docs/examples/config /etc/dehydrated
#cp docs/examples/hook.sh /etc/dehydrated

#update the dehydrated config
#sed "s#CONTACT_EMAIL=#CONTACT_EMAIL=$email_address" -i /etc/dehydrated/config
sed -i 's/#CONTACT_EMAIL=/CONTACT_EMAIL="'"$email_address"'"/g' /etc/dehydrated/config
sed -i 's/#WELLKNOWN=/WELLKNOWN=/g' /etc/dehydrated/config

#accept the terms
dehydrated --register --accept-terms --config /etc/dehydrated/config

#set the domain alias
domain_alias=$(echo "$domain_name" | head -n1 | cut -d " " -f1)

#create an alias when using wildcard dns
if [ .$wilcard_domain = ."true" ]; then
    echo "*.$domain_name > $domain_name" > /etc/dehydrated/domains.txt
fi

#add the domain name to domains.txt
if [ .$wilcard_domain = ."false" ]; then
    echo "$domain_name" > /etc/dehydrated/domains.txt
fi

#request the certificates
if [ .$wilcard_domain = ."true" ]; then
    dehydrated --cron --domain "*.$domain_name" --alias $domain_alias --config /etc/dehydrated/config --out /etc/dehydrated/certs --challenge dns-01 --hook /etc/dehydrated/hook.sh
fi
if [ .$wilcard_domain = ."false" ]; then
    dehydrated --cron --alias $domain_alias --config /etc/dehydrated/config --config /etc/dehydrated/config --out /etc/dehydrated/certs --challenge http-01
fi

#make sure the nginx ssl directory exists
mkdir -p /etc/nginx/ssl

#update nginx config
sed "s@ssl_certificate /etc/ssl/certs/nginx.crt;@ssl_certificate /etc/dehydrated/certs/$domain_alias/fullchain.pem;@g" -i /etc/nginx/sites-available/fusionpbx
sed "s@ssl_certificate_key /etc/ssl/private/nginx.key;@ssl_certificate_key /etc/dehydrated/certs/$domain_alias/privkey.pem;@g" -i /etc/nginx/sites-available/fusionpbx

#read the config
/usr/sbin/nginx -t && /usr/sbin/nginx -s reload

#setup freeswitch tls
if [ .$switch_tls = ."true" ]; then

    #make sure the freeswitch directory exists
    mkdir -p /etc/freeswitch/tls

    #make sure the freeswitch certificate directory is empty
    rm /etc/freeswitch/tls/*

    #combine the certs into all.pem
    cat /etc/dehydrated/certs/$domain_alias/fullchain.pem > /etc/freeswitch/tls/all.pem
    cat /etc/dehydrated/certs/$domain_alias/privkey.pem >> /etc/freeswitch/tls/all.pem
    #cat /etc/dehydrated/certs/$domain_alias/chain.pem >> /etc/freeswitch/tls/all.pem

    #copy the certificates
    cp /etc/dehydrated/certs/$domain_alias/cert.pem /etc/freeswitch/tls
    cp /etc/dehydrated/certs/$domain_alias/chain.pem /etc/freeswitch/tls
    cp /etc/dehydrated/certs/$domain_alias/fullchain.pem /etc/freeswitch/tls
    cp /etc/dehydrated/certs/$domain_alias/privkey.pem /etc/freeswitch/tls

    #add symbolic links
    ln -s /etc/freeswitch/tls/all.pem /etc/freeswitch/tls/agent.pem
    ln -s /etc/freeswitch/tls/all.pem /etc/freeswitch/tls/tls.pem
    ln -s /etc/freeswitch/tls/all.pem /etc/freeswitch/tls/wss.pem
    ln -s /etc/freeswitch/tls/all.pem /etc/freeswitch/tls/dtls-srtp.pem

    #set the permissions
    chown -R www-data:www-data /etc/freeswitch/tls

fi
```
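An added example, not part of the posted script or of FusionPBX: the script above runs its `sed` step on the nginx site file whether or not dehydrated produced a certificate, so a failed http-01 validation leaves nginx pointing at files that do not exist. The guard below checks the pair first; `cert_pair_usable` and `switch_nginx_cert` are hypothetical names, and the demo data is constructed.

```shell
#!/bin/sh
# Added example, not FusionPBX code; function names are hypothetical.

# Return 0 only if directory $1 holds a usable fullchain.pem/privkey.pem pair.
cert_pair_usable() {
    dir=$1
    for f in fullchain.pem privkey.pem; do
        [ -s "$dir/$f" ] || { echo "missing or empty: $dir/$f" >&2; return 1; }
    done
    grep -q -- '-----BEGIN CERTIFICATE-----' "$dir/fullchain.pem" || return 1
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$dir/privkey.pem" || return 1
    # Deeper checks when the openssl CLI is installed.
    if command -v openssl >/dev/null 2>&1; then
        # Reject a certificate that is expired or expires within a day.
        openssl x509 -in "$dir/fullchain.pem" -noout -checkend 86400 \
            >/dev/null 2>&1 || return 1
        # Certificate and key must carry the same public key.
        c=$(openssl x509 -in "$dir/fullchain.pem" -noout -pubkey 2>/dev/null)
        k=$(openssl pkey -in "$dir/privkey.pem" -pubout 2>/dev/null)
        [ -n "$c" ] && [ "$c" = "$k" ] || return 1
    fi
    return 0
}

# Point the ssl_certificate lines of nginx site file $1 at the pair in $2,
# but only after the pair passes cert_pair_usable; otherwise leave $1 alone.
switch_nginx_cert() {
    conf=$1; dir=$2
    cert_pair_usable "$dir" || { echo "keeping current certificate in $conf" >&2; return 1; }
    sed -e "s@ssl_certificate /etc/ssl/certs/nginx.crt;@ssl_certificate $dir/fullchain.pem;@" \
        -e "s@ssl_certificate_key /etc/ssl/private/nginx.key;@ssl_certificate_key $dir/privkey.pem;@" \
        "$conf" > "$conf.new" && mv "$conf.new" "$conf"
}

# Demo on constructed data: an empty certificate directory, as after the
# failed http-01 validation in this thread. The site file must stay untouched.
demo=$(mktemp -d)
printf '%s\n' 'ssl_certificate /etc/ssl/certs/nginx.crt;' \
    'ssl_certificate_key /etc/ssl/private/nginx.key;' > "$demo/fusionpbx"
mkdir "$demo/certs"
switch_nginx_cert "$demo/fusionpbx" "$demo/certs" || echo "nginx config left unchanged"
rm -rf "$demo"
```

With the guard in place, nginx keeps serving with its previous certificate on port 80 and 443, so the http-01 challenge can be retried once the connection timeout is resolved.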