BUG: broken certificate chain with Roundcube

[mrclschstr]

Hi everyone,

I just registered to post my found bug here. My current configuration is: Ubtuntu Server 10.04, Plesk 11.5 and Roundcube 0.9.5 (installed via Plesk as the default webmail application) on Apache.

I played around with an SSL checker (https://www.ssllabs.com/ssltest/) to test my certificates and I found out that Roundcube delivered a broken certificate chain. It didn't deliver the intermediate certificate correctly. I searched through the configuration file of roundcube (/etc/apache2/plesk.conf.d/roundcube.conf) and discovered that there was only an entry for SSLCertificateFile.

To fix this I added the intermediate certificate via SSLCACertificateFile to the configuration file:

SSLCertificateFile "/opt/psa/var/certificates/cert-1sCtWB"
SSLCACertificateFile "/opt/psa/var/certificates/cert-FGLFqQ"

The only problem is that this configuration file is generated automatically:

#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.

I hope this will be fixed soon.

Kind regards

 

[abdi]

Just wondering, had you defined the Intermediate Certificate part while installing the SSL in plesk?

 

[mrclschstr]

Good point! If I remember correctly I added the intermediate certificate afterwards. I'll do a quick test later.

 

[abdi]

Sure, let us know of the results ...

 

[mrclschstr]

Hi again,

unfortunately this was not the solution. I installed my certificate (with the intermediate certificate part) again in Plesk but Roundcube still didn't provide the correct chain.

I even tried to run the following commands to reinstall the certificates and to rebuild the conf-files:

/usr/local/psa/bin/repair --reconfigure-ssl-certificates
/usr/local/psa/admin/bin/httpdmng --reconfigure-all

I still have to add the SSLCACertificateFile to recieve a complete certificate chain from Roundcube.

Kind regards

 

[abdi]

Alright, then that is a bug indeed. I will request you to report it at:

http://plesk.uservoice.com/

 

[mrclschstr]

Done

https://plesk.uservoice.com/forums/...ith-roundcube-conf-and-missing-sslcacertifica

 

[Sergey L]

Hi,

Thanks for paying attention to a problem, however reporting a bug into plesk.uservoice.com is a misuse. plesk.uservoice.com is watched for top problems, and a single vote request can only be incidentally noticed. So in many cases you would just lose a chance to get a fix.

 

[IgorG]

Alright, then that is a bug indeed. I will request you to report it at:

http://plesk.uservoice.com/

It is really bad idea to post bugs on uservoice. This is improper place. Uservoice has been created for feature requests and fresh ideas only. Please do not suggest post the bugs there anymore. Thanks.

 

[mrclschstr]

What is the proper place for my issue/bug then?

 

[IgorG]

What is the proper place for my issue/bug then?

Use this template for reporting - http://forum.parallels.com/showthread.php?106113

 

[SvetlanaS]

Thank you for reported issue. Bug has been passed to RnD department.

 

[mrclschstr]

That's nice to hear but just for good order I've got the following details for you:

---------------------------------------------------------------
PRODUCT, VERSION, MICROUPDATE, OPERATING SYSTEM, ARCHITECTURE
Parallels Plesk Panel 11.5.30 Update #30 on Ubuntu 10.04.4 LTS (64 bit)

PROBLEM DESCRIPTION
I set up a standard SSL certificate (with intermediate certificate) and no standard Site (on purpose) in the IP address settings. Additionally I installed Roundcube via "add components" and set it as the webmail application for my domain in the Control Panel. By using a SSL checker I realized that the certificate chain was broken (CA intermediate certificate missing). I fixed it manually by adding the entry to the roundcube.conf file (see above comments).

STEPS TO REPRODUCE

1. Installing SSL certificate in Parallels Panel as the default SSL certificate (IP address settings)
2. Don't set any default Site (don't know if this matters)
3. Install Roundcube via "add components" in Parallels Panel
4. Change to Control Panel of the domain and set Roundcube as the webmail application
5. Check SSL certificate for your webmail domain: webmail.domain.tld

ACTUAL RESULT
Certificate chain broken. "SSLCACertificateFile" missing in roundcube.conf.

EXPECTED RESULT
Complete certificate chain delivered by Roundcube application.

ANY ADDITIONAL INFORMATION
none
--------------------------------------------------------------

 

[KamalG]

Can anyone help me install ssl on my webmail.mydomain.com ? still haven't found any clues.

 

[finbarr69]

This bug still exists in Plesk 12.5 as of September 2016. Is there any update on the bug?

Thanks!

Brian

 

[mrclschstr]

Meanwhile I created a custom template for roundcube at /opt/psa/admin/conf/templates/custom/roundcube.php and added the intermediate certificate by myself in line 90:

SSLCACertificateFile "<?php echo $ipAddress->sslCertificate->caFilePath ?>"

 

[finbarr69]

Thank you!

This was driving me mad.

I could not find that path on my CentOs6 server, it was instead at
/usr/local/psa/admin/conf/templates/custom

but I found some documentation here:

http://docs.plesk.com/en-US/12.5/ad...settings-using-configuration-templates.68693/

Basically
# mkdir /usr/local/psa/admin/conf/templates/custom
(the custom directory didn't exist)
# cp -p /usr/local/psa/admin/conf/templates/default/roundcube.php /usr/local/psa/admin/conf/templates/custom/
# vi /usr/local/psa/admin/conf/templates/custom/roundcube.php

I added the line you gave me after
SSLCertificateFile "<?php echo $ipAddress->sslCertificate->ceFilePath ?>"

To become:
SSLCertificateFile "<?php echo $ipAddress->sslCertificate->ceFilePath ?>"
SSLCACertificateFile "<?php echo $ipAddress->sslCertificate->caFilePath ?>"

Then I saved the file and did:
# /usr/local/psa/admin/bin/httpdmng --reconfigure-all

(probably I did not need to reconfigure ALL, but I do not know how to reconfigure specifically the roundcube).

For me, the problem is resolved, but hopefully the bug report will fix it properly. I assume all they need to do to fix the bug is add the SSLCACertificate line into the default roundcube.php template



Thanks again!