• The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.

Issue All websites stopped after Plesk changed /etc/nginx/conf.d/ssl.conf and added ssl_dhparam /opt/psa/etc/dhparams2048.pem;

mr-wolf

Silver Pleskian
Plesk Guru
Server operating system version
Ubuntu 20.04.5 LTS
Plesk version and microupdate number
Version 18.0.47 Update #5, last updated on Oct 26, 2022 06:38 AM
This morning all websites on 1 server stopped working.
Thanks to monitoring software (zabbix) I knew that this was because of an invalid nginx-config (which tests the output of "nginx -t")

nginx -t gave me:

nginx: [emerg] "ssl_dhparam" directive is duplicate in /etc/nginx/conf.d/ssl.conf:5
nginx: configuration file /etc/nginx/nginx.conf test failed

For years I have a file /etc/nginx/conf.d/aa400_own_tweaks.conf which contains among other things
ssl_dhparam /etc/dhparam/dhparam4096.pem;

It turns out that Plesk this morning added this line to /etc/nginx/conf.d/ssl.conf
ssl_dhparam /opt/psa/etc/dhparams2048.pem;

...and thus rendered my nginx configuration corrupt.
Plesk could have opted for a soft reload and nginx would have continued working.
In my case Zabbix would have noticed the invalid config and I could have fixed it without any sites offline.

To fix it I have now commented out the "ssl_dhparam" in my own "/etc/nginx/conf.d/aa400_own_tweaks.conf" and the issue is solved.

This month I installed another Plesk server from scratch and upon installation I noticed that /opt/psa/etc/dhparams2048.pem was added to /etc/nginx/conf.d/ssl.conf, so I refrained from adding it to my own config.

I didn't suspect Plesk to start implementing the ssl_dhparam on my older Plesk managed servers.


I'm posting this here for 2 reasons.
One to help others who haven't found why this happened, so they now can quickly resolve it.

The other is that I have more servers with the ssl_dhparam already configured, but these servers don't have the file /opt/psa/etc/dhparams2048.pem yet.
I have some ideas, but I would like to know what the Plesk team thinks of this.

I think it's best to add this line to /etc/nginx/conf.d/ssl.conf instead of /etc/nginx/conf.d/aa400_own_tweaks.conf
I then only risk /etc/nginx/conf.d/ssl.conf being overwritten with no ssl_dhparam
ssl_dhparam /etc/dhparam/dhparam4096.pem;
 
Last edited:
Back
Top