Issue HSTS / cert error

[Jesse Bruffett]

I am running Plesk 12.5.x (fully updated) on ubuntu 14.04lts, I just added a new site and it is set in Wordpress to be an HTTP site NOT HTTPS but it only loads in HTTPS in chrome, safari, and Firefox. it gives the error that the cert name is incorrect and belongs to another site on the server. I have plenty of sites on the server that also HTTP only and don't exhibit this issue. I have disabled SSL support for the domain even though the cert was set to not specified. Any ideas how to disable HTST or fix this cert issue?

 

[UFHH01]

Hi Jesse Bruffett,

pls. check your settings at

=> HOME > Subscriptions > YOUR-DOMAIN.COM > Hosting settings


Pls. check for serverwide HSTS configurations with for example:

find /etc/apache2 -type f -name "*.conf" -exec grep --color -Hni "Strict-Transport-Security" {} \;
( or ! )
find /etc/httpd -type f -name "*.conf" -exec grep --color -Hni "Strict-Transport-Security" {} \;

find /etc/nginx -type f -name "*.conf" -exec grep --color -Hni "Strict-Transport-Security" {} \;

 

[Jesse Bruffett]

im uploading a screenshot of the hosting settings page, those commands return nothing.

 

[UFHH01]

Hi Jesse Bruffett,

the examples are just EXAMPLES, so pls. consider to be a bit creative, if they don't perfectly fit your needs and you need to find configuration files, which should help you to find possible configured redirects:

Additional examples:

find /etc/apache2 -type f -name "*.conf" -exec grep --color -Hni "https" {} \;
( or ! )
find /etc/httpd -type f -name "*.conf" -exec grep --color -Hni "https" {} \;

find /etc/nginx -type f -name "*.conf" -exec grep --color -Hni "https" {} \;

Additional examples, to find possible redirects inside domain specific configuration files:

find /var/www/vhosts/system/YOUR-DOMAIN.COM/conf -type f -name "*.conf" -exec grep --color -Hni "Strict-Transport-Security" {} \;

find /var/www/vhosts/system/YOUR-DOMAIN.COM/conf -type f -name "*.conf" -exec grep --color -Hni "https" {} \;

find /var/www/vhosts/system/YOUR-DOMAIN.COM/conf -type f -name "*.conf" -exec grep --color -Hni "https://" {} \;

find /var/www/vhosts/system/YOUR-DOMAIN.COM/conf -type f -name "*.conf" -exec grep --color -Hni "rewrite" {} \;

find /var/www/vhosts/system/YOUR-DOMAIN.COM/conf -type f -name "*.conf" -exec grep --color -Hni "YOUR-DOMAIN.COM" {} \;

 

[Jesse Bruffett]

I found no references to HTST in any of the config files, the http.conf file for the site confirms the SSLEngine off, any ideas still? why is this just affecting 1 of 20 http only sites? and why when I try and open the site the ssl that is pulling is one for another site on the server? this doesn't make any sense.

 

[UFHH01]

Hi Jesse Bruffett,

well, if you didn't find the redirect in your configuration files, you have to inspect your content ( plugins ) and depending configuration files ( .htaccess - files, ... ) for possible redirect settings. I'm sorry that we can't help you further here, as we don't have access to your server to investigate the issue with modified "find" - queries.

 

[Jesse Bruffett]

I've checked the .htaccess file and there isn't anything there thats not in the others. the with the plugins is that I can't get into the Wordpress interface and start hunting the setting because I can't get into the site. it was setup as a dev site, then I changed the URL and used a plugin to change the links. I verified that all the links were changed via the database and that none of them are https.

 

[UFHH01]

Hi Jesse Bruffett,

pls. have a CLOSER look at my suggestion:

investigate the issue with modified "find" - queries.

You are able to change the given examples ( all the above examples look for *.conf - files ) and you are as well able to leave out such an option string, in order to be able to search within ALL files of your desired folder(s). Pls. see the manual for the "find" - command, in order to inform yourself about the enormous possible options, when you use the command "find" over your command line.

 

[Jesse Bruffett]

this is why I use plesk so I don't have to dig through linux .conf files. If I wanted to do that id use a classic apache2 environment. because of plesk nothing is in its proper place. I simply need to know how to turn off HTST for a specific domain. I tried generating a self signed cert, I know browsers will warn you about it but you can always push through and that still didn't fix this issue. what could cause one domain to pull a cert from another so that a generated self signed cert isn't being served but another domains cert is?

 

[Jesse Bruffett]

is there a simple way, via directives, to redirect all https traffic to http?

 

[UFHH01]

Hi Jesse Bruffett,

you will experience errors like "too many redirects", if you setup an additional redirect now from https to http, as you already have an existent redirect from http to https.

 

[Jesse Bruffett]

if I do have one, where in this mess of plesks config files is it?! where does this app store those settings on a per domain basis? I did discover Safari on iOS does not redirect, just desktop browsers.

 

[UFHH01]

Hi Jesse Bruffett,

if I do have one, where in this mess of plesks config files is it?!

As I already stated, your redirect doesn't necessarily have to be in your webserver configuration files and if you tested the "find" - examples above without any results, you can be pretty sure, that Plesk isn't at all responsible for your current redirect.

where does this app store those settings on a per domain basis?

Could you pls. explain, which "app" you mean? I'm a bit lost with this question, sorry.

 

[Jesse Bruffett]

where else could the redirect be except in the web server config files?

 

[UFHH01]

Hi Jesse Bruffett,

a nice website to test possible redirects is for example: => Redirect Checker | Check your Statuscode 301 vs 302 and as you can see, there are no redirects found for your URL, which again leads to the fact, that either plugins or depending configuration files of your content redirect from http to https.

 

[Jesse Bruffett]

Its not the site files. I removed all of them. cleared my cache and history, created a basic html page and it still tries to load https with the cert with the invalid name.

 

[UFHH01]

Hi Jesse Bruffett,

at the very moment, you just redirected to => http://dakerealestate.dev...... and I'm sorry to tell you, that I'm not able to investigate any further, if you keep on changing the content and the redirects.

 

[Jesse Bruffett]

I've been messing around with it and did a restore, that was the dev site, then moved it all to dakerealestate.com which is what its supposed to be. ill put it all back the way it should be to function give me 10 minutes and ill have it all put back together.

 

[RaHa]

I'm confussed! In Apache & nginx Settings for ... under Additional headers I set: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload. A call to HSTS Preload List Submission works and I get this message:

I understand that preloading domain.tld through this form will prevent all subdomains and nested subdomains from being accessed without a valid HTTPS certificate:
*.domain.tld
*.*.domain.tld
...
​

How can this work correctly? Under Plesk i have for each subdomain an extra cert from Let's Encrypt!
If I "Submit domain.tld to the HSTS preload list", will it possible to reach the subdomains?