James Bucanek

Q: Replaced my SSL Certificate for Mail/Server, now all of my websites are unreachable

OS X 10.10.5, Server 5.0.4, Mac Mini Server (late 2012)

 

The SSL certificate I use for mail (which is also the certificate I use as the "generic" certificate for my server) expired.

 

I renewed my certificate with GoDaddy and downloaded the new .crt file. I couldn't find any way of just replacing my certificate in the Server interface, so I simply replaced the expired certificate with the new one via Keychain Access.

 

Initially, it seems to have worked. The updated certificate shows up in the Certificates tab, with the new expiration date. Mail is coming and going.

 

However, all of my web sites (all 30 of them) are now down. Even the secure sites that use a different SSL certificate. All of them say "Not reachable, this website is not available over the internet."

 

If I go to the Server > "Server Name" tab and click on the Reachability Details, it says that all of my active services (Mail, Remote Login, Server Admin, Websites) are all reachable. In the Websites tab, the status light is green, but the message is "Users may not be able to access websites from the Internet."

 

My problem seems to be the proxy service. This error message started showing up in the system.log about the time I updated the certificate:

 

Jan 17 15:39:50 mail com.apple.xpc.launchd[1] (com.apple.serviceproxy[1794]): Service exited with abnormal code: 1

Jan 17 15:39:50 mail com.apple.xpc.launchd[1] (com.apple.serviceproxy): Service only ran for 0 seconds. Pushing respawn out by 10 seconds.

 

It repeats about every 10 seconds, but I have no idea what's wrong with the proxy service or why it can't start.

Posted on Jan 17, 2016 3:55 PM


  • MrHoffman, Level 6 (15,627 points), Jan 17, 2016 6:51 PM, in response to James Bucanek

    Launch Console.app from Applications > Utilities and start looking for certificate errors — there's usually rather more than a service tipping over and restarting, if it's related to a certificate error. Shut the web services down, remember where you are in the Console.app console window, and start up web services, as one approach to try to isolate the errors from among the usual blizzard of logging data.

  • Kevin Neal, Level 3 (513 points), Jan 18, 2016 12:54 AM, in response to James Bucanek

    Did you set up reverse proxies using webapps as described in a forum post on here? If so, part of the procedure included locking the config files. I found when I renewed my certificates I had to unlock these files for it to start working again.

  • James Bucanek, Level 1 (64 points), Jan 18, 2016 9:33 AM, in response to Kevin Neal

    Kevin,

     

    I searched a bit, but couldn't seem to find the post you are referring to. When you say "unlock" the config files, do you mean making them group/world writable? And if so, what config files are you talking about?

     

    I finally resorted to restoring from a backup just to get my web sites back up. I'm taking a fresh backup now and will attempt to replace my certificates again tomorrow.

  • Kevin Neal, Level 3 (513 points), Jan 18, 2016 11:00 AM, in response to James Bucanek

    Sorry, I was talking about this post: Web apps, reverse proxy, FileMaker Server and Kerio Connect. It may not apply to you; the files are in /Library/Server/web/config/apache2/sites

  • Blaidd Drwg, Level 1 (109 points), Jan 19, 2016 7:41 PM, in response to James Bucanek

    You should look into why the service proxy failed to start. Maybe /private/var/log/apache2/service_proxy_error.log would have more info. If it happens again that serviceproxy won't start and the log doesn't show anything helpful, try starting the service manually to see what errors appear.

     

    sudo env XPC_SERVICES_UNAVAILABLE=1 SERVER_INSTALL_PATH_PREFIX=/Applications/Server.app/Contents/ServerRoot MODULE_INSTALL_PATH_PREFIX= XPC_SERVICE_NAME=com.apple.serviceproxy /usr/sbin/httpd -X -D FOREGROUND -f /Library/Server/Web/Config/Proxy/apache_serviceproxy.conf

  • James Bucanek, Level 1 (64 points), Feb 1, 2016 9:39 PM, in response to James Bucanek

    Thanks for all of the suggestions and advice. After banging my head against this for several more days, I broke down and called Apple's enterprise support, who were both gracious and patient.

     

    Ultimately, the problem is that I went about this completely wrong. (Completely might be overstating it a bit, but I was definitely off the rails.)

     

    When I renewed my certificate with GoDaddy, I simply mashed the "Renew" button for the certificate thinking that that's all I needed to do. Bzzzzzzzzzzt. Wrong answer. What I needed to do was create a new certificate signing request and private key.

     

    This can be accomplished in one of two ways in the Server app: Using the + > Get Trusted Certificate... command, or by opening the certificate that has expired and clicking the Renew... button at the bottom of the dialog. The results are the same, but the latter will pre-fill a lot of the details based on the original certificate.

     

    1) Server will generate a new private key and signing request. Use the latter to paste the CSR into the GoDaddy form.

    2) Once the new certificate is generated, you download the .crt files.

    3) Open the "pending" certificate in the Certificates list, and drop the downloaded files into the dialog to complete the installation.

    4) Finally, select the new certificate in the Secure services using pop-up menu.

     

    Since I had already renewed my certificate and it had been issued, I was worried about having to buy it again, but GoDaddy has a solution for that situation.

     

    In the GoDaddy certificate management page, there's a "re-key" option that you can choose. This will generate a new certificate for a new private key and signing request, but for the same time period you've already renewed. In other words, it just regenerates the certificate you already paid for. It's primarily of use if your private key has been lost or compromised, but it will also pull it out of the fire in a situation like this.

     

    So, my re-issued renewed certificate is now installed and working perfectly (as far as I can tell).
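Added example (not from this thread, Apple, or GoDaddy): the checks a practitioner would run on a renewed .crt before dropping it in next to an existing private key, using the openssl CLI that ships with OS X. The service proxy in this thread is Apache httpd (see the manual start command above), and httpd refuses to start when the certificate and private key it is handed do not belong together, so the key-match check is the one most relevant here; the file paths and hostname are placeholders.

```sh
#!/bin/sh
# Pre-installation sanity checks for a renewed certificate. Requires the
# openssl CLI (OpenSSL >= 1.0.2 or LibreSSL). All paths below are placeholders.

# 0 if the certificate's public key is the one derived from the private key.
# Compares SHA-256 digests of the DER-encoded public keys, which works for
# RSA and EC keys alike. A mismatch here is fatal for httpd at startup.
cert_matches_key() {
  cert_fp=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
            | openssl pkey -pubin -outform DER 2>/dev/null \
            | openssl dgst -sha256 | awk '{print $NF}')
  key_fp=$(openssl pkey -in "$2" -pubout -outform DER 2>/dev/null \
           | openssl dgst -sha256 | awk '{print $NF}')
  [ -n "$cert_fp" ] && [ "$cert_fp" = "$key_fp" ]
}

# 0 if the certificate is valid now and stays valid for at least $2 more
# days (default 30). -checkend exits non-zero when it would expire sooner.
cert_not_expiring() {
  days="${2:-30}"
  openssl x509 -in "$1" -noout -checkend $((days * 86400)) >/dev/null 2>&1
}

# 0 if the certificate's SAN (or CN fallback) covers hostname $2.
cert_covers_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null \
    | grep -q 'does match certificate'
}

# Run all three checks against cert $1, key $2 and hostname $3; print one
# line per check and return the number of failed checks (0 = safe to install).
check_renewed_cert() {
  cert="$1" key="$2" host="$3" failures=0
  if cert_matches_key "$cert" "$key"; then echo "OK   private key matches certificate"
  else echo "FAIL certificate was not issued for this private key"; failures=$((failures + 1)); fi
  if cert_not_expiring "$cert" 30; then echo "OK   valid for at least 30 more days"
  else echo "FAIL certificate expired or expires within 30 days"; failures=$((failures + 1)); fi
  if cert_covers_host "$cert" "$host"; then echo "OK   certificate covers $host"
  else echo "FAIL certificate does not cover $host"; failures=$((failures + 1)); fi
  return "$failures"
}

# Usage (placeholder paths):
#   check_renewed_cert renewed.crt server.key mail.example.com
```

If all three pass and httpd still exits, `sudo /usr/sbin/httpd -t -f /Library/Server/Web/Config/Proxy/apache_serviceproxy.conf` tests that configuration file alone and reports the first fatal error without starting the service.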