1. Please take a little time for this simple survey! Thank you for participating!
    Dismiss Notice
  2. Dear Pleskians, please read this carefully! New attachments and other rules Thank you!
    Dismiss Notice
  3. Dear Pleskians, I really hope that you will share your opinion in this Special topic for chatter about Plesk in the Clouds. Thank you!
    Dismiss Notice

Can't remove SNI SSL from client subscription panel

Discussion in 'Plesk 11.x for Linux' started by AdelM, Aug 14, 2012.

  1. AdelM

    AdelM Basic Pleskian

    22
    90%
    Joined:
    Aug 14, 2010
    Messages:
    39
    Likes Received:
    1
    Am I doing something wrong ? Is it an known issue ? Is there a way to remove this certificate from the client's panel straight from Plesk ? Or should I follow the method used in this thread
    http://forum.parallels.com/showthread.php?t=209929

    Best Regards

    PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

    Version Parallels Plesk Panel v11.0.9_build110120608.16 os_Debian 6.0
    OS Debian 6.0.4
    Panel version 11.0.9 Update #8

    PROBLEM DESCRIPTION AND STEPS TO REPRODUCE

    I added an SSL certificate on a client's domain using SNI. We decided then to use a dedicated IP. When I want to delete this certificate from thes client supscription panel, I have the following error, Error: Unable to remove certificates: one or several certificates are assigned to the IP addresses/domains.

    ACTUAL RESULT

    EXPECTED RESULT

    ANY ADDITIONAL INFORMATION

    Succeded to add thes same certificate to the panel and bind it to the new IP in Home>Tools & Settings>IP addresses management>
     
  2. abdi

    abdi Platinum Pleskian

    31
    18%
    Joined:
    May 14, 2006
    Messages:
    2,913
    Likes Received:
    60
    Deleting an SSL

    You need first to un-bind the SSL from the IP through Tools & Settings -> IP address -> click on the IP address -> give it a NONE or a different default SSL, then you can again try deleting it.
     
  3. AdelM

    AdelM Basic Pleskian

    22
    90%
    Joined:
    Aug 14, 2010
    Messages:
    39
    Likes Received:
    1
    Hi Abdi, thanks for your reply.

    I've already tried what you suggested but it doesn't work.

    I also tried this :

    - Un-bind the IP adress here Home>Tools & Settings>IP addresses management>
    - Uncheck "Enable SSL support" in client's subscription panel
    - remove SSL certificate in "SSL Certificates" in client's subscription panel

    Doesn't work.
     
  4. IgorG

    IgorG Forums Analyst Staff Member

    49
    24%
    Joined:
    Oct 27, 2009
    Messages:
    24,543
    Likes Received:
    1,240
    Location:
    Novosibirsk, Russia
    You can try to use following workaround:

    mysql> select dom_id,certificate_id from hosting where dom_id=xxx;
    +--------+----------------+
    | dom_id | certificate_id |
    +--------+----------------+
    | xxx | yyy |
    +--------+----------------+

    mysql> update hosting set certificate_id=0 where dom_id=xxx;

    mysql> select dom_id,certificate_id from hosting where dom_id=xxx;
    +--------+----------------+
    | dom_id | certificate_id |
    +--------+----------------+
    | xxx | 0 |
    +--------+----------------+

    After that you will be able to remove certificate.
     
  5. AdelM

    AdelM Basic Pleskian

    22
    90%
    Joined:
    Aug 14, 2010
    Messages:
    39
    Likes Received:
    1
    Hi Igor

    It works. Thanks for your support.

    Best

    Adel
     
  6. AdelM

    AdelM Basic Pleskian

    22
    90%
    Joined:
    Aug 14, 2010
    Messages:
    39
    Likes Received:
    1
    After restarting apache this afternoon I got the following error:

    Syntax error on line 55 of /var/www/vhosts/mydomain.com/conf/13449678050.31729500_httpd_ip_default.include:
    SSLCertificateFile: file '/opt/psa/var/certificates/cert-sED6Ys' does not exist or is empty
    Action 'configtest' failed.
    The Apache error log may have more information.
    failed!


    Followed by two emails

    Unable to generate the web server configuration file on the host <myserver.com> because of the following errors:
    nginx: [emerg] SSL_CTX_use_certificate_chain_file("/opt/psa/var/certificates/cert-sED6Ys") failed (SSL: error:02001002:system library:fopen:No such file or directory error:20074002:BIO routines:FILE_CTRL:system lib error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib)
    nginx: configuration file /etc/nginx/nginx.conf test failed

    Please resolve the errors in web server configuration templates and generate the file again.



    AND


    Unable to generate the web server configuration file on the host <myserver.com> because of the following errors:
    Syntax error on line 55 of /var/www/vhosts/mydomain.com/conf/13449678050.31729500_httpd_ip_default.include:
    SSLCertificateFile: file '/opt/psa/var/certificates/cert-sED6Ys' does not exist or is empty

    Please resolve the errors in web server configuration templates and generate the file again.



    cert-sED6Ys is the certificate I first added to the domain using SNI; I removed this certificate from the database thinking it's no more used.

    After these errors, I checked configuration file "13449678050.31729500_httpd_ip_default.include" and found that the certificate cert-sED6Ys were still used in domain instead of the certificate I add and bound to the IP.

    So I removed in domain configuration file the reference to cert-sED6Ys, Plesk complained about a misconfiguration and proposed me to reconfigure domains, after a while everything were back to normal.
    I checked again the domain config file, it's pointing to the right certificate files indicated in the database.
     
  7. abdi

    abdi Platinum Pleskian

    31
    18%
    Joined:
    May 14, 2006
    Messages:
    2,913
    Likes Received:
    60
    Alright! That's good
     
  8. squarecandy

    squarecandy New Pleskian

    10
     
    Joined:
    Jan 23, 2013
    Messages:
    4
    Likes Received:
    0
    Thank you - this worked for me (setting the cert id to zero with mysql).
    Now isn't this a pretty major bug that needs to be reported? Once you've selected a certificate for a domain, you may not ever select "none" again only a different certificate. Therefore you can't go back from SNI to either no certificate at all or to using IP based certificate w/o this major hack.
     
Loading...