BUG: NGINX config error due to missing dhparams.pem

Hi guys,

had a problem on two servers when adding a site with a Let's Encrypt certificate for my own domain. It threw an error while creating the site; here's the last part of the log shown on Cleavr:

[Fri 02 Sep 2022 01:33:00 PM UTC] Run reload cmd: service nginx force-reload [Fri 02 Sep 2022 01:33:00 PM UTC] Reload success * Testing nginx configuration ...fail!

The nginx config test failed, so I ssh into the server and run “nginx -t”:

# nginx -t
nginx: [emerg] BIO_new_file("/etc/nginx/dhparams.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/nginx/dhparams.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed

The dhparams.pem file is missing. So I generated it manually:

openssl dhparam -out /etc/nginx/dhparams.pem 4096

After it finished, there were no more issues when testing the nginx config and the site is working. I assume the file should get generated automatically when installing nginx, which however didn't happen for me. I could reproduce this on two servers, so maybe there's something to look into. :upside_down_face:

Best Greetings :v:

Hi @Jeazyee,

Thanks for bringing this to our attention!

Could you please provide some additional repro steps? I’m wondering if this is happening on a specific hosting provider?

I tried with 2 different custom server providers. The steps were:

  1. Add a plain server
  2. Add MariaDB service to the server
  3. Add WordPress Site with custom domain and SSL

I am not sure if I added nginx service to the server before adding the site. PHP was definitely not installed, it got installed on creation of the WordPress site.

Would you be able to share the name of the hosting provider?

It was a netcup VPS and an Oracle Cloud A1.Flex instance. From the Oracle Cloud one I removed all iptables rules, as the pre-configurations from Oracle could cause issues. The netcup VPS does not have any pre-configurations or firewall configs.

It also happened to me on a custom self-hosted server, however, thanks for the solution @Jeazyee

Just happened to me on Digital Ocean. Installed docker, added generic port app.

Hello @interfacelab,

As @Jeazyee suggested we can run the following command to generate the required file:

openssl dhparam -out /etc/nginx/dhparams.pem 4096

Yes, that's what I'm doing now, but it would be nice if I didn't have to do that :slight_smile:

Hello @interfacelab,

We definitely want the experience to be as you are expecting it to be. We previously investigated the issue but weren’t able to identify the cause. We’ll look into it again and come up with some solutions.

One thing to consider too is that on smaller droplets and EC2 instances that command could take 24 hours. So I'm not sure how you guys would get around that.

I just did it on a smaller droplet and had to kill it after an hour. Ran it on my mac and it finished in a few seconds shrug.

Apparently using the -dsaparam will speed it up but it’s not secure? I don’t know sh(t about any of that so I have no idea.

Just noticed, it does only happen when you wanna instantly add a site with SSL after setting up a new server. If you are going to wait a bit between setting up the server and adding your first SSL site, everything works fine. So I guess the dhparam generation is taking place in the background, but it takes a while.