• Introducing WebPros Cloud - a fully managed infrastructure platform purpose-built to simplify the deployment of WebPros products !  WebPros Cloud enables you to easily deliver WebPros solutions — without the complexity of managing the infrastructure.
    Join the pilot program today!
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.
  • The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.

HSTS forced on websites

Pandur2000

Pandur2000

Basic Pleskian
Since I've installed and used Let's Encrypt, some of my websites always set HSTS on, even though it's not defined in the vhost.conf. I'm out of options as I searched every config file I could think of. THe problem with that is that the certificates installed are not valid for subdomains, also not for webmail.* and lists.*. Since webmail and mailman also forward to https, browsers deny loading the page because of HSTS certificate error. Any suggestions appreciated...
 
Oh my god, I am sorry for this stupid thread.
After I installed Let's Encrypt, the apache directive
Header always set Strict-Transport-Security"max-age=31536000; includeSubDomains"
was inserted to every vhost.conf of a domain which I enriched with a new SSL certificate from Let's Encrypt.
I deleted that lines, restarted apache - this should have done the trick, right?
No.
Chrome stores the HSTS status in it's own cache and obvioiusly doesn't update it from STRICT to n/a if the server setting has been changed.
SO, I was searching for hours and hours, until I tried Firefox - voila. Issue gone. Cleared Chrome cache - issue gone there as well.

The problem with Chrome is (also) that it checks the HSTS status of a domain, stores that in the cache and then redirects http requests to https automatically, no matter what.

Issue solved -.-.
 
You must log in or register to reply here.

Similar threads

M
Resolved Domain name issue -- certificate for a domain uses server domain. But can't see how or why
Replies
9
Views
5K
MHC_1
M
M
Issue Let's Encrypt Bulk Domain Renewal
Replies
4
Views
1K
MacGyver
M
T
Issue Stop Plesk Brute Force Attacks NOW: Cloudflare + Windows Server Fix
Replies
0
Views
671
TheHostingHeroes
T
M
Question Simple question about Plesk backups
Replies
2
Views
765
msospc
M
E
Question Secure mail protocols while website on other server (A to a different IP)
Replies
4
Views
1K
easyware
E
Back
Top