
Forwarded to devs General server certificate shown to clients with wrong e-mail address (of other user account) when clients look into SSL/TLS details

Bitpalast
Username: Peter Debik

TITLE

General server certificate shown to clients with wrong e-mail address (of other user account) when clients look into SSL/TLS details

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

CentOS 7.9, Obsidian latest MU

PROBLEM DESCRIPTION

The server uses a Let's Encrypt certificate for the server login URL
https://<hostname>:8443
That certificate was made out to the server's administrator email address
[email protected]

The certificate is selectable as the default certificate option in each customer account like
"Let's Encrypt certificate (other repository)"
When selected and checked against its content, it is the correct general server certificate that is being used for host protection.

But: When you go to the SSL/TLS settings, this certificate displays a false administrator email address in the top row where the "Let's Encrypt" certificate details are given (rightmost column, "E-Mail Address"). It does not display the server administrator's email address, who is actually responsible for managing this certificate, but it displays a seemingly random address of another user account like [email protected].

This does not influence the technical quality of the certificate, but it is a privacy issue, because now all users on the same system can see that a user with an email address [email protected] is also on the same system.

STEPS TO REPRODUCE

see problem description

ACTUAL RESULT

When selecting the general server certificate in a subscription and viewing SSL/TLS properties, a user's email address is displayed as the certificate owner.

EXPECTED RESULT

The server admin's address (who owns the server certificate) should be displayed.

ANY ADDITIONAL INFORMATION

YOUR EXPECTATIONS FROM PLESK SERVICE TEAM

Confirm bug
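One check that settles whether the address displayed beside a certificate is actually inside the certificate (and therefore visible to anyone who connects to port 8443) or only in the panel's own records, as an added Go example that is not part of this thread or of Plesk; the hostname and addresses are constructed placeholders:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// PKCS#9 emailAddress (1.2.840.113549.1.9.1): the subject-DN attribute that holds an e-mail address.
var oidEmailAddress = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}

// CertEmails lists every e-mail address actually embedded in a PEM certificate (subject-DN
// emailAddress attributes plus rfc822Name SAN entries); empty means the panel's label is not from the cert.
func CertEmails(pemData []byte) ([]string, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	var emails []string
	for _, atv := range cert.Subject.Names { // Names holds every parsed DN attribute
		if s, ok := atv.Value.(string); ok && atv.Type.Equal(oidEmailAddress) {
			emails = append(emails, s)
		}
	}
	return append(emails, cert.EmailAddresses...), nil
}

// selfSignedPEM builds a constructed, throwaway certificate for host; a non-empty email goes into the subject DN.
func selfSignedPEM(host, email string) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	if email != "" {
		tmpl.Subject.ExtraNames = []pkix.AttributeTypeAndValue{{Type: oidEmailAddress, Value: email}}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() { fmt.Println(CertEmails(selfSignedPEM("panel.example.invalid", "admin@example.invalid"))) }
```

Run CertEmails on the PEM the panel exports for the "other repository" certificate: an empty result means the "E-Mail Address" column is filled from the panel's database, not from the certificate, so the exposure is limited to panel users rather than every TLS client.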
 
Hello @Peter Debik!

Thank you for your post. Unfortunately, I couldn't reproduce it on a test server. I've got no attributes in this case.
Please contact our Support (Contact Us). We need a more detailed look at your server configuration.

Attachment: Untitled.png
 
Hello @Peter Debik!

Thank you for your post. Unfortunately, I couldn't reproduce it on a test server. I've got no attributes in this case.
Then your test server apparently has other issues you really should fix.

Also, how did you get there? I see "Home > Extensions" at the top of the screenshot. When I go through Websites & Domains -> (any domain) SSL/TLS certificates, I see ... oh, actually I see the path of the previous major function I accessed, in this case "Mail > Email addresses". Another bug.
 
Hello @Peter Debik!

Thank you for your post. Unfortunately, I couldn't reproduce it on a test server. I've got no attributes in this case.
Please contact our Support (Contact Us). We need a more detailed look at your server configuration.

I was able to easily reproduce the same issue on all of our other hosts. You can see it like this:
1) Subscriptions > Select any subscription
2) "Websites & Domains" > "Hosting Settings"
3) Choose the "other repository" certificate from the certificates drop-down and click "OK"
4) "Websites & Domains" > "SSL/TLS certificates"
 
@Peter Debik, yes, I did the same things, but I got different results. My results could be considered expected behavior (we just don't show the email of a different person, which is good). So it would be great if I had access to one of your servers which has the wrong behavior. Then we can understand the difference in configuration between my and your servers, so we will have clear steps to reproduce. That is why I asked you to contact our support department.
 