[BUG] SSL Issue (cannot load certificate) on UI Service

[philippefiz]

What happened?

Hello,
I'v associate subdomain to default service (administration gui) via the webinterface, method "Wizard" and template "UI"

The custom certificate doesn't copy in /var/cache/bunkerweb/customcert/rproxy.mydomain.com (the folder isn't created)

I've in source a custom certificate readable by nginx in /etc/ssl/local, define in file mode only (not data) in BW.

It's OK for another service with the same certificate.
I must load another service used the same certificate to have access on the administration url few minutes, and the error appears again. The folder with the name of the service in cache is never created.

Best Regards,
Thanks

How to reproduce?

Personnalize the default service and load a custom certificate at file mode

Configuration file(s) (yaml or .env)

IS_DRAFT=no
SERVER_NAME=rproxy.mydomain.com
USE_TEMPLATE=ui
USE_BROTLI=yes
USE_CORS=yes
USE_CLIENT_CACHE=yes
USE_CROWDSEC=yes
USE_CUSTOM_SSL=yes
CUSTOM_SSL_CERT=/etc/ssl/local/_.mydomain.com.bundle.crt
CUSTOM_SSL_KEY=/etc/ssl/local/_.mydomain.com.key
INTERCEPTED_ERROR_CODES=404 405 413 429 500 501 502 503 504
USE_GZIP=yes
KEEP_UPSTREAM_HEADERS=Content-Security-Policy Strict-Transport-Security X-Frame-Options X-Content-Type-Options Referrer-Policy
EMAIL_LETS_ENCRYPT=admin@mydomain.com
LIMIT_CONN_MAX_HTTP1=25
LIMIT_CONN_MAX_HTTP2=200
LIMIT_CONN_MAX_HTTP3=200
LIMIT_REQ_RATE=6r/s
MAX_CLIENT_SIZE=50m
SERVE_FILES=no
USE_REAL_IP=yes
USE_REVERSE_PROXY=yes
REVERSE_PROXY_HOST=http://127.0.0.1:7000
REVERSE_PROXY_URL=/RandomURLAdmin
REVERSE_PROXY_BUFFERING=no
USE_ROBOTSTXT=yes
REDIRECT_HTTP_TO_HTTPS=yes
USE_UI=yes

Relevant log output

2025/12/12 14:15:07 [error] 645787#645787: [CUSTOMCERT] error while reading files : /var/cache/bunkerweb/customcert/rproxy.mydomain.com/cert.pem = /var/cache/bunkerweb/customcert/rproxy.mydomain.com/cert.pem: No such file or directory
2025/12/12 14:15:07 [error] 645787#645787: [INIT] customcert:init() call failed : error reading files
2025/12/12 14:15:07 [notice] 645787#645787: [INIT] selfsigned:init() call successful : self signed is not used

BunkerWeb version

1.6.6

What integration are you using?

Linux

Linux distribution (if applicable)

Debian 12

Removed private data

• I have removed all private data from the configuration file and the logs

Code of Conduct

• I agree to follow this project's Code of Conduct

[TheophileDiot]

Hi @philippefiz, thank you for opening this issue. Can you provide the scheduler's logs please ?
This is likely either a permission issue or something else (the scheduler needs to be able to read the custom certificate provided)

[philippefiz]

Hello,
Thanks for the reply.
I have this entry in scheduler.log (full log below) :
"Cert file /etc/ssl/local/_.mydomain.com.bundle.crt is not a valid file for rproxy.mydomain.com"

My certificate is a crt with my certificate and the intermediate concatened :
-----BEGIN CERTIFICATE-----
MIIHJ[VALUE]VA==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MII[VALUE]Zhs
-----END CERTIFICATE-----

`
[2026-01-08 11:33:27 +0100] [CUSTOM-CERT] [887] [ℹ️ ] - ✅ Database connection established
[2026-01-08 11:33:27 +0100] [CUSTOM-CERT] [887] [ℹ️ ] - Service rproxy.mydomain.com is using custom SSL certificates, checking ...
[2026-01-08 11:33:27 +0100] [CUSTOM-CERT] [887] [❌] - Cert file /etc/ssl/local/_.mydomain.com.bundle.crt is not a valid file for rproxy.mydomain.com
[2026-01-08 11:33:27 +0100] [CUSTOM-CERT] [887] [⚠️ ] - Variables (CUSTOM_SSL_CERT or CUSTOM_SSL_CERT_DATA) and (CUSTOM_SSL_KEY or CUSTOM_SSL_KEY_DATA) have to be set and valid to use custom certificates for rproxy.mydomain.com
[2026-01-08 11:33:27 +0100] [CUSTOM-CERT] [887] [ℹ️ ] - Service e-preprod.mydomain.com is using custom SSL certificates, checking ...
[2026-01-08 11:33:27 +0100] [CUSTOM-CERT] [887] [ℹ️ ] - Checking certificate for e-preprod.mydomain.com ...
[2026-01-08 11:33:27 +0100] [CUSTOM-CERT] [887] [ℹ️ ] - No change in e-preprod.mydomain.com's certificate
[2026-01-08 11:33:27 +0100] [CUSTOM-CERT] [887] [ℹ️ ] - Service pdf-preprod.mydomain.com is using custom SSL certificates, checking ...
[2026-01-08 11:33:27 +0100] [CUSTOM-CERT] [887] [ℹ️ ] - Checking certificate for pdf-preprod.mydomain.com ...
[2026-01-08 11:33:27 +0100] [CUSTOM-CERT] [887] [ℹ️ ] - No change in pdf-preprod.mydomain.com's certificate

[2026-01-08 11:33:27 +0100] [SCHEDULER] [887] [ℹ️ ] - Executing job 'certbot-renew' from plugin 'letsencrypt'...
[2026-01-08 11:33:27 +0100] [LETS-ENCRYPT.RENEW] [887] [ℹ️ ] - Let's Encrypt is not activated, skipping renew...
[2026-01-08 11:33:27 +0100] [SCHEDULER] [887] [ℹ️ ] - Executing job 'cleanup-excess-jobs-runs' from plugin 'db'...
[2026-01-08 11:33:27 +0100] [SCHEDULER] [887] [ℹ️ ] - Successfully added job run for the job 'custom-cert'
[2026-01-08 11:33:27 +0100] [SCHEDULER] [887] [ℹ️ ] - Successfully added job run for the job 'certbot-renew'
[2026-01-08 11:33:27 +0100] [DB.CLEANUP-EXCESS-JOBS-RUNS] [887] [ℹ️ ] - ✅ Database connection established
[2026-01-08 11:33:27 +0100] [DB.CLEANUP-EXCESS-JOBS-RUNS] [887] [ℹ️ ] - Removed 0 excess jobs runs
`

Thanks,
Best regards

[philippefiz]

Oups... I have specified .crt instead of .pem in file path...
I'm sorry