Username: Peter Debik
TITLE
General server certificate shown to clients with wrong e-mail address (of other user account) when clients look into SSL/TLS details
PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE
CentOS 7.9, Obsidian latest MU
PROBLEM DESCRIPTION
The server uses a Let's Encrypt certificate for the server login URL
https://<hostname>:8443
That certificate was made out to the server's administrator email address
[email protected]
The certificate is selectable as the default certificate option in each customer account like
"Let's Encrypt certificate (other repository)"
When selected and checked against its content, it is the correct general server certificate that is being used for host protection.
But: When you go to the SSL/TLS settings, this certificate displays a false administrator email address in the top row where the "Let's Encrypt" certificate details are given (rightmost column, "E-Mail Address"). It does not display the server administrator's email address who is actually responsible for managing this certificate, but it displays a seemingly random address of another user account like [email protected].
This does not influence the technical quality of the certificate, but it is a privacy issue, because now all users on the same system can see that a user with an email address [email protected] is also on the same system.
STEPS TO REPRODUCE
see problem description
ACTUAL RESULT
When selecting the general server certificate in a subscription and viewing SSL/TLS properties, a user's email address is displayed as the certificate owner.
EXPECTED RESULT
The server admin's address (who owns the server certificate) should be displayed.
ANY ADDITIONAL INFORMATION
YOUR EXPECTATIONS FROM PLESK SERVICE TEAM
Confirm bug
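To separate what the panel displays from what the certificate itself asserts, the following added check (not part of this report and not Plesk code) reads the e-mail addresses out of a certificate's subject and SAN and compares them with a displayed value. It assumes a local openssl 1.1.1 or newer; the hostname and addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example: list the e-mail addresses a PEM certificate actually carries,
# so a value shown in a control panel can be checked against the certificate.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample: a throwaway self-signed certificate whose subject and
# SAN carry the admin address (placeholder names, not a real server).
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
    -subj "/CN=panel.example.invalid/emailAddress=admin@example.invalid" \
    -addext "subjectAltName=DNS:panel.example.invalid,email:admin@example.invalid" \
    2>/dev/null
  echo "$WORK/cert.pem"
}

# Print every e-mail address found in the subject and the subjectAltName
# extension of the certificate in $1, one per line, deduplicated.
cert_emails() {
  openssl x509 -in "$1" -noout -subject -ext subjectAltName 2>/dev/null \
    | grep -oE '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+' \
    | sort -u
}

# Exit 0 when the address a UI displays ($2) is one the certificate ($1)
# really contains; any other address is not backed by the certificate.
displayed_matches_cert() {
  cert_emails "$1" | grep -qxF "$2"
}
```

For a live panel the certificate can be fetched with `openssl s_client -connect <hostname>:8443` and fed to `cert_emails` in the same way.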