Certificate issues after migration - nginx not starting

Hi there,

We did a proof of concept today of restoring MIAB to new hardware. Unfortunately we hit a wall after the certificate key was invalid, and nginx would not start. We did not change the glue record, just a hosts file on our test machine to see if it is up. Below are the steps…

install MIAB on test box
rsync backup
restore backup 
    admin works
    roundcube cannot connect to storage
reboot
    nginx not started, bad key

At this point we stopped, for fear that executing something on the destination server (like letsencrypt cert generation) would occur on the source server (still production).

So, what is the best practice for moving certs? Should something be done on the source server before deploying to the destination server? Is there a way in MIAB to blow away the certs and recreate? Is there a critical step I missed in the docs?

Thanks a bunch!

Rerun MIAB setup, confirm MySQL, nginx, and mailinabox service running:

systemctl status mysql.service (same for other names mentioned)
Please PM me the following info (as some logs might hold sensitive data):

/var/log/nginx/error.log
/var/log/syslog (last 100 lines or so: tail -n 100 /var/log/syslog)
As well as the outputs for the systemctl commands mentioned above.

If you like, if not that is also totally understandable.

For certs, if you got them via the MIAB admin panel you can just have the new server get new certs via the admin panel with no issues. If you bought the certs (but why?) from a 3rd party like Comodo or GoDaddy, just reimport them and they will work as expected.

I may take you up on that. We did our proof of concept to the point of demonstrating the process… so we will probably look at implementing it and planning a decent outage window so we can work out the kinks.

Thanks!

@jptechnical
Last time I did a backup restore on a testing VM, I got the same issue with Nginx - it was that the cert private keys were not restored successfully Nginx was happy, and everything else worked fine.
The reason, I think, is that installing a test MIAB will generate self-signed SSL, and restoring from backup will not restore the link to the right private keys; Nginx will then check, find a mismatch between web cert<>private key, and will not start.

Check the symlink ssl_certificate.pem -> where is it pointing? It is under:

/home/user-data/ssl/

@murgero
Do we run MySQL on newer MIAB? Has something changed - it was just a flat roundcube.sqlite file with no service running, or am I outdated?

Regards,
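
An added example, not part of anyone's post in this thread and not Mail-in-a-Box's own code: one way to run the check described above, showing where the certificate symlink resolves and whether the certificate's public key matches the private key nginx is given. The function names and the `demo` mode with its throwaway files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): does a certificate match a private key?
# Returns 0 = match, 1 = mismatch, 2 = a file is missing or unreadable.
cert_matches_key() {
    # Public key embedded in the certificate, as PEM text.
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    # Public key derived from the private key, as PEM text.
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Show where each path really points and whether the pair is consistent.
report_pair() {
    echo "certificate: $1 -> $(readlink -f "$1")"
    echo "private key: $2 -> $(readlink -f "$2")"
    rc=0
    cert_matches_key "$1" "$2" || rc=$?
    case $rc in
        0) echo "OK: certificate and private key belong together" ;;
        1) echo "MISMATCH: nginx will refuse to load this pair" ;;
        *) echo "ERROR: could not read certificate or key" ;;
    esac
    return "$rc"
}

# Constructed demo: a throwaway self-signed pair plus an unrelated key.
demo() {
    d=$(mktemp -d) || return 2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=box.example.test" \
        -keyout "$d/good.key" -out "$d/cert.pem" >/dev/null 2>&1
    openssl genrsa -out "$d/other.key" 2048 >/dev/null 2>&1
    ln -s "$d/cert.pem" "$d/ssl_certificate.pem"
    report_pair "$d/ssl_certificate.pem" "$d/good.key" || true
    report_pair "$d/ssl_certificate.pem" "$d/other.key" || true
    rm -rf "$d"
}

# Usage: sh check_pair.sh CERT KEY   or   sh check_pair.sh demo
if [ "$#" -eq 2 ]; then
    report_pair "$1" "$2"
elif [ "${1:-}" = demo ]; then
    demo
fi
```

On a restored box the certificate argument would be `/home/user-data/ssl/ssl_certificate.pem`; the key path is whatever the nginx `ssl_certificate_key` directive names (assumed to be `ssl_private_key.pem` in the same directory).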

@mveplus my apologies, I have a modified MIAB.

Roundcube does use SQLite by default, silly me. (My bad.) It’s still good to see the other services and see if they are still online though.

That makes perfect sense @mveplus, thanks a bunch!