• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Issue HSTS / cert error

Jesse Bruffett

New Pleskian
I am running Plesk 12.5.x (fully updated) on ubuntu 14.04lts, I just added a new site and it is set in Wordpress to be an HTTP site NOT HTTPS but it only loads in HTTPS in chrome, safari, and Firefox. it gives the error that the cert name is incorrect and belongs to another site on the server. I have plenty of sites on the server that also HTTP only and don't exhibit this issue. I have disabled SSL support for the domain even though the cert was set to not specified. Any ideas how to disable HTST or fix this cert issue?
 
Hi Jesse Bruffett,

pls. check your settings at

=> HOME > Subscriptions > YOUR-DOMAIN.COM > Hosting settings


Pls. check for serverwide HSTS configurations with for example:
Code:
find /etc/apache2 -type f -name "*.conf" -exec grep --color -Hni "Strict-Transport-Security" {} \;
( or ! )
find /etc/httpd -type f -name "*.conf" -exec grep --color -Hni "Strict-Transport-Security" {} \;

find /etc/nginx -type f -name "*.conf" -exec grep --color -Hni "Strict-Transport-Security" {} \;
 
im uploading a screenshot of the hosting settings page, those commands return nothing.
 

Attachments

  • Screen Shot 2017-07-02 at 5.40.29 PM.png
    Screen Shot 2017-07-02 at 5.40.29 PM.png
    224.5 KB · Views: 4
Hi Jesse Bruffett,

the examples are just EXAMPLES, so pls. consider to be a bit creative, if they don't perfectly fit your needs and you need to find configuration files, which should help you to find possible configured redirects:

Additional examples:
Code:
find /etc/apache2 -type f -name "*.conf" -exec grep --color -Hni "https" {} \;
( or ! )
find /etc/httpd -type f -name "*.conf" -exec grep --color -Hni "https" {} \;

find /etc/nginx -type f -name "*.conf" -exec grep --color -Hni "https" {} \;

Additional examples, to find possible redirects inside domain specific configuration files:
Code:
find /var/www/vhosts/system/YOUR-DOMAIN.COM/conf -type f -name "*.conf" -exec grep --color -Hni "Strict-Transport-Security" {} \;
Code:
find /var/www/vhosts/system/YOUR-DOMAIN.COM/conf -type f -name "*.conf" -exec grep --color -Hni "https" {} \;
Code:
find /var/www/vhosts/system/YOUR-DOMAIN.COM/conf -type f -name "*.conf" -exec grep --color -Hni "https://" {} \;
Code:
find /var/www/vhosts/system/YOUR-DOMAIN.COM/conf -type f -name "*.conf" -exec grep --color -Hni "rewrite" {} \;
Code:
find /var/www/vhosts/system/YOUR-DOMAIN.COM/conf -type f -name "*.conf" -exec grep --color -Hni "YOUR-DOMAIN.COM" {} \;
 
I found no references to HTST in any of the config files, the http.conf file for the site confirms the SSLEngine off, any ideas still? why is this just affecting 1 of 20 http only sites? and why when I try and open the site the ssl that is pulling is one for another site on the server? this doesn't make any sense.
 
Hi Jesse Bruffett,

well, if you didn't find the redirect in your configuration files, you have to inspect your content ( plugins ) and depending configuration files ( .htaccess - files, ... ) for possible redirect settings. I'm sorry that we can't help you further here, as we don't have access to your server to investigate the issue with modified "find" - queries. :(
 
I've checked the .htaccess file and there isn't anything there thats not in the others. the with the plugins is that I can't get into the Wordpress interface and start hunting the setting because I can't get into the site. it was setup as a dev site, then I changed the URL and used a plugin to change the links. I verified that all the links were changed via the database and that none of them are https.
 
Hi Jesse Bruffett,

pls. have a CLOSER look at my suggestion:
investigate the issue with modified "find" - queries.
You are able to change the given examples ( all the above examples look for *.conf - files ;) ) and you are as well able to leave out such an option string, in order to be able to search within ALL files of your desired folder(s). :) Pls. see the manual for the "find" - command, in order to inform yourself about the enormous possible options, when you use the command "find" over your command line.
 
this is why I use plesk so I don't have to dig through linux .conf files. If I wanted to do that id use a classic apache2 environment. because of plesk nothing is in its proper place. I simply need to know how to turn off HTST for a specific domain. I tried generating a self signed cert, I know browsers will warn you about it but you can always push through and that still didn't fix this issue. what could cause one domain to pull a cert from another so that a generated self signed cert isn't being served but another domains cert is?
 
Hi Jesse Bruffett,

you will experience errors like "too many redirects", if you setup an additional redirect now from https to http, as you already have an existent redirect from http to https. :rolleyes:
 
if I do have one, where in this mess of plesks config files is it?! where does this app store those settings on a per domain basis? I did discover Safari on iOS does not redirect, just desktop browsers.
 
Hi Jesse Bruffett,

if I do have one, where in this mess of plesks config files is it?!
As I already stated, your redirect doesn't necessarily have to be in your webserver configuration files and if you tested the "find" - examples above without any results, you can be pretty sure, that Plesk isn't at all responsible for your current redirect. ;)

where does this app store those settings on a per domain basis?
Could you pls. explain, which "app" you mean? I'm a bit lost with this question, sorry. :(
 
Its not the site files. I removed all of them. cleared my cache and history, created a basic html page and it still tries to load https with the cert with the invalid name.
 
I've been messing around with it and did a restore, that was the dev site, then moved it all to dakerealestate.com which is what its supposed to be. ill put it all back the way it should be to function give me 10 minutes and ill have it all put back together.
 
I'm confussed! In Apache & nginx Settings for ... under Additional headers I set: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload. A call to HSTS Preload List Submission works and I get this message:

I understand that preloading domain.tld through this form will prevent all subdomains and nested subdomains from being accessed without a valid HTTPS certificate:
*.domain.tld
*.*.domain.tld
...
How can this work correctly? Under Plesk i have for each subdomain an extra cert from Let's Encrypt!
If I "Submit domain.tld to the HSTS preload list", will it possible to reach the subdomains?
 
Back
Top