Wordpress installation on Nethserver (multiple vhosts)

In /etc/letsencrypt/renewal/... is the renewal information for each cert, it may be cleared too.

2 Likes

OMG… I followed this procedure and now all certificates are gone, new ones were not created.

I deleted the

/etc/letsencrypt/live/FQDN-0001
/etc/letsencrypt/live/FQDN-0002
…again.
And now new certs are created with a new
image

If someone from the development team has enough resources, the certificate management could be improved, so there should be no need to switch to the CLI.

best regards, Marko

1 Like

Would you like to open a #feature request for this? So we won’t forget it.

You’re not the first one requesting UI cert removal, for example:

2 Likes

I did it:
https://community.nethserver.org/t/improved-certificate-management/16700/2

Please like the feature request to push it up.

3 Likes

Hi Marko,

You deleted the original /etc/letsencrypt/live/ so there is no more /etc/letsencrypt/live/FQDN.

You should try deleting the /etc/letsencrypt/live/FQDN-0001 and re-create /etc/letsencrypt/live/FQDN. The rights for that directory should be root:root rwxr-xr-x

There also should be a file /etc/letsencrypt/renewal/FQDN.conf that contains:

# renew_before_expiry = 30 days
version = 1.7.0
archive_dir = /etc/letsencrypt/archive/YOUR-FQDN
cert = /etc/letsencrypt/live/YOUR-FQDN/cert.pem
privkey = /etc/letsencrypt/live/YOUR-FQDN/privkey.pem
chain = /etc/letsencrypt/live/YOUR-FQDN/chain.pem
fullchain = /etc/letsencrypt/live/YOUR-FQDN/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
account = YOUR-ACCOUNT-NUMBER
webroot_path = /var/www/html,
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]

For the demand for a new certificate, keep the lot of all your domains except only one, so to force a new certificate.

When asking for a new certificate for the same lot of domains, keep in mind the number of demands for a new certificate - it is limited to 5/7 (5 demands / 7 days - might have changed lately).

If you reach the limit, you will have to wait 7 days for a new demand for the same lot of domains.

To keep the number of demands for the original lot of domains, use a (lot of domains -1) for all new demands.
That way, when everything will be working, the demand for your original lot of domains will be below 5/7.

Michel-André

Hi Marko,

I added a reply to your request:

Michel-André

1 Like

Hi Michel-Andre,
thank you for your tips.
I will wait a week to avoid issues.
I don’t understand, how to deal with it:

To keep the number of demands for the original lot of domains, use a (lot of domains -1) for all new demands.

I would like to make one clarification:

You deleted the original /etc/letsencrypt/live/

I deleted only the FQDN subdirectories
/etc/letsencrypt/live/FQDN-0001
/etc/letsencrypt/live/FQDN-0002

But since I had saved them before deleting them, I only needed to restore them.
However, since the original certificates were also restored, the creation of new certificates did not work. Only after I deleted the contents of these folders, new certificates were created, but again in the form /FQDN-0001

Possibly because I emptied both FQDN directories simultaneously and did not proceed step by step.
I will take this into account for the next attempt in a week.

Best regards, Marko

Hi Marko,

For the rate limits: https://letsencrypt.org/docs/rate-limits/

For my part when it happened to me, I deleted the complete directories FQDN-0001 and FQDN-0002 and not only their contents and kept /etc/letsencrypt/live/FQDN and its content.

Even if Let’s Encrypt takes FQDN-0001, the new certificate is working OK, but when the old certificate expires, you will receive an email every day telling you that this certificate is expired.
A solution might be to revoke the old certificate.
Just wait for the old certificate to expire and see what to do at that time.

Michel-André

1 Like

You’ll receive three emails leading up to the cert expiration, and then they’ll stop.

Revoking the cert is never the right answer, unless you have reason to believe its corresponding private key has been compromised.

1 Like

Hi Michel-Andre,
in preparation for my next try to create unique certificates for every single vhost I’m thinking about your recommendation. I have some questions about details.

Do you mean only the root domain FQDN01 should be left in the request form, or can subdomains like IMAP.FQDN01, SMTP.FQDN01 etc. still be included and be requested at the same time?

Should I also delete all entries for the FQDN01 from the form in the next step to apply for the certificate for the FQDN02, or can they remain contained?

but keeping the original directory:
/etc/letsencrypt/live/FQDN

Should I create an empty /etc/letsencrypt/live/FQDN02 directory before or will it be created automatically?

I cleaned the cache of the navigator.

You probably mean the browser cache, right?

Sincerely, Marko

Hi Marko,

When the problem occurred to me:

  1. I deleted the directories
    /etc/letsencrypt/live/fqdn-0001 and /etc/letsencrypt/live/fqdn-0002, the complete directories and not only their contents.
    I kept the original directory /etc/letsencrypt/live/fqdn and its content.
    If this directory doesn’t exist, you have to create it. Verify the owner:group (root:root) and the rights (0755).

2a) EDIT: I deleted one domain from the list to force a new certificate.
2b) I asked a certificate (one domain by line):
→ fqdn
→ mail.fqdn
→ www.fqdn
:black_small_square: the certificate will be issued to the first domain in the list i.e. fqdn.
:black_small_square: mail.fqdn and www.fqdn will be considered alternative names of fqdn.
:black_small_square: the links in the directory /etc/letsencrypt/live/fqdn will be adjusted to point to the new files:
cert.pem -> ../../archive/fqdn/cert1.pem (the cert1 might have a different number)
chain.pem -> ../../archive/fqdn/chain1.pem
fullchain.pem -> ../../archive/fqdn/fullchain1.pem
privkey.pem -> ../../archive/fqdn/privkey1.pem
2c) EDIT: Put back the deleted domain from the list to force a new certificate for all the original domains.
2d) EDIT: I asked a new certificate.

  3. I never did that, but if you ask for another certificate for a second domain (a vhost), ex: toto.com, in Cockpit (the web GUI 9090), you will use (one domain by line):
    toto.com
    mail.toto.com
    www.toto.com
    :black_small_square: Let’s Encrypt will create a new directory /etc/letsencrypt/live/toto.com and its content will point to the new cert, chain, fullchain, and privkey.

  4. In web GUI (980) under Virtual hosts → EDIT vhost toto.com → General, and choose /etc/letsencrypt/live/toto.com/cert.pem

EDIT: In the above screen capture I modified the name of the original certificate to show the one of the vhost but the name of the original Let’s Encrypt certificate should also be there i.e. /etc/letsencrypt/live/fqdn/cert.pem.

Just to make sure, verify the choice of the certificate for the original domain i.e. fqdn above.

For the clearing of caches:
→ to clear the DNS cache of the station, open a command window:
ipconfig /flushdns

→ to clear the browser cache:

As I wrote above, I never asked a certificate for a second domain, so keep me informed of your result.

Michel-André

1 Like

Hi @michelandre,
I started the next attempt.

  1. Deleting content of:
    • /etc/letsencrypt/live/
    • /etc/letsencrypt/archive
    • /etc/letsencrypt/renewal
  2. created /etc/letsencrypt/live/FQDN1
  3. chowned root:root /etc/letsencrypt/live/FQDN1
  4. requested new certificates only for all FQDN1 domains (smtp., imap., www. …)
  5. got an error
  6. refreshed the page within the browser: the new certificate exists
  7. applied as the standard certificate /etc/letsencrypt/live/FQDN1
  8. got an error
  9. refreshed the page: seems to be assigned as a standard certificate
    —> forgot to create the additional /etc/letsencrypt/live/FQDN2. :flushed:
  10. added the second FQDN2 within the request form
  11. got the same error as above and no new FQDN2 related certificate was created
  12. have assigned the certificate to the vhosts
  13. opened the website in the browser and checked the certificate: all FQDNs were bundled in the FQDN1 certificate like SANs

I will try in seven days again and change my procedure

  • add the directory after Step 9
  • perhaps no adding FQDN2 to FQDN1 but substitute FQDN1 by FQDN2 in step 10

sincerely, Marko

Hi Marko,

You have to create /etc/letsencrypt/live/FQDN not FQDN1.
The best way will be to recover it from a NethServer backup…

For the vhost, you do not have to create any new directory for the certificate in /etc/letsencrypt/live/, Let’s Encrypt will create it.

DEMAND OF THE FIRST CERTIFICATE
Here toto.com is the original FQDN

GUI 9090: System → Certificate → Actions → Request Let’s Encrypt certificate

toto.com (for the default domain in /var/www/html/)

Set it as the default.

CREATION OF THE VHOST
If the vhost is created with the GUI 9090, the vhost directory will be a number. (/var/lib/nethserver/vhost/1234567...890123)

If the vhost is created with the GUI 980, the vhost directory will be the name of the vhost (/var/lib/nethserver/vhost/titi)

DEMAND OF THE SECOND CERTIFICATE
titi.com (for the vhost in /var/lib/nethserver/titi)

Here directory titi.com is created by Let’s Encrypt
after the demand of the second certificate.

GUI 980: (to associate the second certificate to the vhost titi)
Management → Virtual hosts → General → end of line of titi → Edit → SSL/TLS certificate → choose /etc/letsencrypt/live/titi.com/cert.pem → SUBMIT.

If you go to https://www.toto.com, it will take the certificate of toto.com

If you go to https://www.titi.com, it will take the certificate of titi.com

Michel-André

P.S. You do not have to wait 7 days, you can try it now, as you already asked only one time for each certificate; there should be 4 demands left with the same set of domains.

1 Like

Hi Michel-Andre, you are so helpful to me, many thanks!

That’s exactly what I did. In my posting, I only tried to distinguish between the two different domain names.
Now I can see my mistake: I added the second domain name in the application form to the first and did not replace it.

You do not have to wait 7 days, you can try it now, as you already asked only one time for each certificate; there should be 4 demands left with the same set of domains.

Thanks for the clarification. I was not sure and only wanted to exclude a possible source of error.

current state: SUCCESS!
All different domains got a unique certificate!

Sincerely, Marko

Dear Stephane,

I am experiencing a similar problem as Marko when installing wordpress in NethServer release 7.9.2009 (3.10.0-1160.11.1.el7.x86_64).

I have followed the NethServer wiki Wordpress (blog)
up to the point

sudo yum install nethserver-wordpress --enablerepo=stephdl
Loaded plugins: changelog, fastestmirror, nethserver_events
Loading mirror speeds from cached hostfile
 * ce-base: mirrors.prometeus.net
 * ce-extras: mirrors.prometeus.net
 * ce-sclo-rh: mirrors.prometeus.net
 * ce-sclo-sclo: mirrors.prometeus.net
 * ce-updates: mirrors.prometeus.net
 * epel: ftp.upjs.sk
 * nethforge: ketrax.eu
 * nethserver-base: ketrax.eu
 * nethserver-updates: ketrax.eu
 * remi-safe: mirror.23media.com
Resolving Dependencies
--> Running transaction check
---> Package nethserver-wordpress.noarch 0:1.1.9-2.ns7.sdl will be installed
--> Processing Dependency: wordpress for package: nethserver-wordpress-1.1.9-2.ns7.sdl.noarch
--> Running transaction check
---> Package wordpress.noarch 0:5.1.8-1.el7 will be installed
--> Processing Conflict: nethserver-wordpress-AutoUpdater-1.1.11-2.ns7.sdl.noarch conflicts wordpress
--> Processing Conflict: nethserver-wordpress-AutoUpdater-1.1.11-2.ns7.sdl.noarch conflicts nethserver-wordpress
--> Processing Conflict: nethserver-wordpress-1.1.9-2.ns7.sdl.noarch conflicts wordpress-AutoUpdater
--> Processing Conflict: nethserver-wordpress-1.1.9-2.ns7.sdl.noarch conflicts nethserver-wordpress-AutoUpdater
--> Finished Dependency Resolution
Error: nethserver-wordpress-AutoUpdater conflicts with wordpress-5.1.8-1.el7.noarch
Error: nethserver-wordpress conflicts with nethserver-wordpress-AutoUpdater-1.1.11-2.ns7.sdl.noarch
Error: nethserver-wordpress conflicts with wordpress-AutoUpdater-5.2.3-1.ns7.sdl.noarch
Error: nethserver-wordpress-AutoUpdater conflicts with nethserver-wordpress-1.1.9-2.ns7.sdl.noarch

Some crosscheck of previous steps:

# rpm -qa | grep -i 'wordpress'
nethserver-wordpress-AutoUpdater-1.1.11-2.ns7.sdl.noarch
wordpress-AutoUpdater-5.2.3-1.ns7.sdl.noarch

Do you have an idea what should I try?
Thanks,
Martin

you cannot have both installed, either nethserver-wordpress or nethserver-wordpress-autoupdater

Hi Stephan,
in the meantime I prefer the manual installation into a virtual host.
I have proceeded as follows:
0. Creating Subdomain www.yourdomain.tld

  1. PHP-Installation

     # yum -y install nethserver-httpd-virtualhosts nethserver-mysql
     # yum -y install http://mirror.de-labrusse.fr/NethServer/7/x86_64/nethserver-stephdl-1.1.1-1.ns7.sdl.noarch.rpm
     # yum -y install http://rpms.famillecollet.com/enterprise/remi-release-7.rpm
     # yum -y install nethserver-php-scl --enablerepo=stephdl,remi-safe
    
  2. creating a virtual host www.yourdomain.tld

  3. Assignment of the aliases www.yourdomain.tld and yourdomain.tld to your VH

  4. Detailed configuration of the VH, esp. PHP-Settings

  5. Installation of Maria-DB
    5.1 Check preferences

stephdl-Repo:

[root@ns-srv01 ~]# rpm -qa | grep stephdl
nethserver-stephdl-1.1.3-1.ns7.sdl.noarch
[root@ns-srv01 ~]#

remi Repo:

[root@ns-srv01 ~]# rpm -qa | grep remi-release
remi-release-7.8-1.el7.remi.noarch
[root@ns-srv01 ~]#

PHP-Collection:

[root@ns-srv01 ~]# rpm -qa | grep nethserver-php-scl
nethserver-php-scl-1.3.2-1.ns7.sdl.x86_64
[root@ns-srv01 ~]#

5.2. Installation MariaDB: # yum install -y --enablerepo=stephdl nethserver-rh-mariadb103
5.3 Check Installation:

# scl -l
php56
php70
php71
php72
php73
php74
rh-mariadb103      <<------
rh-php73

5.4 Check Config

# config show rh-mariadb103-mariadb
rh-mariadb103-mariadb=configuration
    LocalNetworkingOnly=no
    MaxAllowedPacket=16M
    TCPPort=3313       <<--- important to remember! 
    access=private
    status=enabled

5.5. Check daemon:

# systemctl list-unit-files | grep mariadb
mariadb.service                               disabled
rh-mariadb103-mariadb.service                 enabled
rh-mariadb103-mariadb@.service                disabled

# ps aux | grep mariadb103
mysql     5506  0.1  1.0 1762864 81936 ?       Ssl  13:44   0:00 /opt/rh/rh-mariadb103/root/usr/libexec/mysqld --basedir=/opt/rh/rh-mariadb103/root/usr
root     22552  0.0  0.0 112812   964 pts/0    S+   13:49   0:00 grep --color=auto mariadb103

5.6 Check log-file

# ls -ls /var/log/rh-mariadb103/mariadb.log
8 -rw-rw---- 1 mysql mysql 6155 Nov 26 13:44 /var/log/rh-mariadb103/mariadb.log
  6. Create DB:
    # mysqladmin103 CREATE dbwordpress
    # mysql103
    MariaDB [(none)]> grant all on dbwordpress.* to 'xyzdbadmin01'@'localhost' identified by 'your_db_password';

  7. Install WP
    # cd /var/lib/nethserver/vhost/your-host
    # chown apache:apache /var/lib/nethserver/vhost/your-host
    # wget https://wordpress.org/latest.tar.gz
    # tar -xzf latest.tar.gz
    # mv /wordpress/* /
    # rmdir wordpress/

adjust access rights
# chown -R apache:apache *
# chmod -R o-rwx *

8. Start WP: https://www.yourdomain.tld/wp-admin/
9. insert your credentials and the right DB-Port (127.0.0.1:3313)
10. Create WP-Admin and your WP-site

That’s all and it worked several times in the meantime.
Best regards, Marko

Ps.: don’t forget the LE-Cert for the subdomain

1 Like

Hi Marko,

As you are in /var/lib/nethserver/vhost/your-host, I think there is a typo in the above command. It should be:

mv wordpress/* .

Also, even though there are no hidden files in the main directory wordpress/, you have to notice that the command mv directory/* will not move hidden files and hidden directories from the wordpress/ directory, unless directly specified; but it will move hidden files and hidden directories from wordpress/ sub-directories.

An easier solution is to use the option tar --strip-components 1. This option will remove wordpress/, i.e. the first (“1”) component, from the name of the extracted files and they will all be directly extracted into /var/lib/nethserver/vhost/your-host/.

# tar --strip-components 1 -zxvf latest.tar.gz

EDITED:
For hidden files and hidden directories, as above for the mv command, the same can be said for your last chown command.
An easier solution to take care of all hidden files/directories with chown is as you did with your first chown:

chown -R apache:apache /var/lib/nethserver/vhost/your-host

  • ...your-host/, only the “content” of directory your-host will be affected and not the hidden files/dirs inside your-host/ itself; but those inside your-host/sub-dirs/ will.
  • ...your-host, the directory your-host will also have its owner:group changed to apache:apache as all the hidden files/dirs wherever they are…

Just suggestions,

Michel-André

1 Like
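To make the hidden-file difference between `mv wordpress/* .` and `tar --strip-components 1` concrete, here is an added example (not code from either poster). It builds a small constructed tarball standing in for latest.tar.gz; the assumed layout, a hidden .htaccess at the top level and a hidden file inside a sub-directory, is mine, and the function names are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: why `mv wordpress/* .` can leave a hidden
# top-level file behind while `tar --strip-components 1` does not.
# A constructed tarball stands in for latest.tar.gz; its layout (a hidden
# .htaccess at the top level, a hidden file in a sub-directory) is an assumption.

make_archive() {            # $1 = work dir (absolute); writes $1/latest.tar.gz
    w=$1
    mkdir -p "$w/src/wordpress/wp-content"
    echo '<?php // placeholder' > "$w/src/wordpress/index.php"
    echo 'Deny from all'        > "$w/src/wordpress/.htaccess"          # hidden, top level
    echo 'x'                    > "$w/src/wordpress/wp-content/.hidden" # hidden, nested
    tar -C "$w/src" -czf "$w/latest.tar.gz" wordpress
}

# Sorted, space-separated list of regular files below the current directory.
list_files() { find . -type f | LC_ALL=C sort | tr '\n' ' ' | sed 's/ $//'; }

# Variant from Marko's post: extract, then `mv wordpress/* .`
# Runs in a subshell so the cd does not leak into the caller.
unpack_with_mv() (
    mkdir -p "$1/mv" && cd "$1/mv" || exit 1
    tar -xzf "$1/latest.tar.gz"
    mv wordpress/* .            # the glob does not match .htaccess at this level
    rmdir wordpress 2>/dev/null || echo "wordpress/ still holds: $(ls -A wordpress)"
    list_files
)

# Variant suggested by Michel-André: drop the leading wordpress/ on extraction.
unpack_with_strip() (
    mkdir -p "$1/strip" && cd "$1/strip" || exit 1
    tar --strip-components 1 -xzf "$1/latest.tar.gz"
    list_files
)
```

With the mv variant the top-level .htaccess stays inside wordpress/ (so `rmdir wordpress/` fails and the web root is missing its access rules), while the nested hidden file is moved along with wp-content/; the strip variant places all three files directly in the target directory.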