
Issue certificate of VPS host still used after SSL configuration for newly added domain

deepnpisgah

New Pleskian
Server operating system version
Ubuntu 22.04
Plesk version and microupdate number
Plesk Obsidian 18.0.57.5
Hello, I am currently setting up a VPS on IONOS. I added several domains without issue configuring SSL. Subsequently PLESK asked for an update when logging into the terminal. I updated.


Product version: Plesk Obsidian 18.0.57.5
OS version: Ubuntu 22.04 x86_64
Build date: 2023/12/18 09:00
Revision: f86c7aa8227ed42a781f46a2fda344694f64a103

After that, when I add a new domain the PLESK generated SSL configuration uses the certificate of the VPS host. I think this is normal as there is no SSL certificate generated for the domain yet. But I don't know why it even generates the SSL sections though because I have not forced SSL on the host yet - but that's not my question...

Subsequently I go through the SSL configuration process and generate a certificate from Let's Encrypt. Everything in the admin gui shows normal/good. I check the certificate in the directory

/opt/psa/var/certificates# openssl x509 -in /opt/psa/var/certificates/xxxxxxxxxx -text | egrep 'Issuer|Subject: CN| DNS'
Issuer: C = US, O = Let's Encrypt, CN = R3
Subject: CN = mydomain.com
CA Issuers - URI:http://r3.i.lencr.org/
DNS:mydomain.com, DNS:webmail.mydomain.com, DNS:www.mydomain.com

I finish all the configurations and check SSL from the link SSL Server Test: mydomain.com (Powered by Qualys SSL Labs)
The report shows the system is still using the certificate of the VPS host and not the newly configured domain certificate. Same is confirmed with curl which won't connect to hostname due to mismatch with certificate.

Checking all the .conf files (apache, nginx, webmail) I see that none have been updated since they were originally generated at domain creation.
In order to force an update and correct the problem I have to run plesk sbin httpdmng --reconfigure-domain mydomain.com and then finally the SSL configuration is corrected and the proper certificate is provided in the SSLCertificateFile and SSLCACertificateFile directives.

This seems like a bug to me. Shouldn't PLESK perform this function after I have finished the SSL certificate configuration in the admin gui? This is absolutely repeatable.

thanks
 
A webserver restart (or reload) is required to apply the new settings. Maybe the server restart interval was not yet over so that the restart was not yet done after the configuration change was done?
 
A webserver restart (or reload) is required to apply the new settings. Maybe the server restart interval was not yet over so that the restart was not yet done after the configuration change was done?
The documentation hints (strongly, as I read it...) that the configuration files are updated when the configuration is changed in the gui. The files were unchanged after the configuration was completed. I would expect the files are updated immediately so that when the next restart is done then they are applied.

The system re-generates the configuration files after each change of virtual host configuration, for example, changing the hosting type of a domain. Therefore, if you edit httpd.conf and nginx.conf files manually, your changes will be lost after changing the virtual host settings in the Plesk UI. To avoid this, additional files are used to specify custom configuration for domains:

Wouldn't configuring SSL fall under 'after each change of virtual host configuration', and I don't find anywhere on the SSL configuration pages (nor in the docs) that a restart is needed for them to take effect. It sounds logical of course, but I assumed that's done under the covers by PLESK. I do know that when adding custom configuration (such as an include for passenger apps) that you have to restart apache. Although again, that's not documented on the page where that configuration is done.

I am going to add another domain now, and I will just try a restart of apache/nginx after SSL config. I doubt this works though as yesterday while figuring out the issue I restarted for domain multiple times to no effect.
 
I added a new domain and checked the conf files. They all show the certificate of the VPS host. I then performed the SSL configuration and checked the configuration files and none were updated. I next performed a restart of apache and nginx from the services console. Still no configuration files are changed and the server still provides the VPS host certificate when connecting with https.

curl -I -v https://mydomain.org

* Trying ##.##.##.###:443...
* Connected to mydomain.org (##.##.##.###) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /Users/mylocalhost/ssl/cacert.pem
* CApath: none
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted h2
* Server certificate:
* subject: CN=myvps-hostname_##-##-##-##.plesk.page
* start date: Jan 2 00:36:21 2024 GMT
* expire date: Apr 1 00:36:20 2024 GMT
* subjectAltName does not match mydomain.org
* SSL: no alternative certificate subject name matches target host name 'blueridgedarkway.org'
* Closing connection
* TLSv1.3 (OUT), TLS alert, close notify (256):
curl: (60) SSL: no alternative certificate subject name matches target host name 'mydomain.org'
 
Checking all the new configuration in https://......plesk.page:8443/modules/configurations-troubleshooter/index.php/index/list - timestamps are all at creation of domain, not changed since then.

I select and rebuild from the gui, Information: Reconfiguration success

Check all files and they are updated with proper certificate reference. A manual restart of services is not needed as curl immediately shows the correct certificate being used by the server. This suggests that the problem is not with restart of services but with triggering the rebuild of the files after making changes to the SSL configuration.
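A check for the condition described in this thread, as an added example that is not part of any poster's message or of Plesk's own tooling: it reads the certificate path out of a generated vhost config and reports whether the config still points somewhere other than the domain's certificate. The `/certs/...` paths and the sample configs are constructed; `served_matches_file` assumes `openssl` is installed and is defined but not run here because it needs network access.

```bash
#!/usr/bin/env bash
# Added example. Paths and sample configs below are constructed placeholders.

# Print each certificate path a vhost config references
# (Apache SSLCertificateFile / nginx ssl_certificate), de-duplicated.
vhost_cert_paths() {
    awk '$1 == "SSLCertificateFile" || $1 == "ssl_certificate" {
             p = $2; gsub(/[";]/, "", p); print p   # drop quotes and nginx ";"
         }' "$1" | sort -u
}

# 0 = config references only the expected certificate,
# 1 = stale (some SSL block still points elsewhere), 2 = no directive found.
vhost_uses_cert() {
    local paths
    paths=$(vhost_cert_paths "$1")
    [ -n "$paths" ] || return 2
    [ "$paths" = "$2" ]
}

# Compare what the server presents for a name (via SNI) with a file on disk,
# by SHA-256 fingerprint. Needs network access, so the demo does not call it.
served_matches_file() {
    local served on_disk
    served=$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
             openssl x509 -noout -fingerprint -sha256)
    on_disk=$(openssl x509 -in "$2" -noout -fingerprint -sha256)
    [ -n "$served" ] && [ "$served" = "$on_disk" ]
}

# Constructed sample configs: one as generated at domain creation (host
# certificate), one as it looks after the rebuild (domain certificate).
write_samples() {
    printf '%s\n' '<VirtualHost *:443>' '  ServerName mydomain.com' \
        '  SSLCertificateFile /certs/host-default.pem' '</VirtualHost>' > "$1/stale.conf"
    printf '%s\n' 'server {' '  server_name mydomain.com;' \
        '  ssl_certificate "/certs/mydomain.pem";' '}' > "$1/rebuilt.conf"
}

demo() {
    local d rc
    d=$(mktemp -d) && write_samples "$d"
    for f in stale rebuilt; do
        vhost_uses_cert "$d/$f.conf" /certs/mydomain.pem && rc=0 || rc=$?
        echo "$f.conf -> $rc"
    done
    rm -rf "$d"
}
demo
```

Run against the real generated config and certificate file right after issuing a certificate, a non-zero result from `vhost_uses_cert` indicates the rebuild has not happened yet.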
 