Issue Multiple certificates

[Noturns]

Plesk v12.5.30_build1205150826.19
OS CentOS 6.8 (Final)

For my website i have bought and installed 2 separate single SSL-certificates for my domain.
Followed this tutorial https://kb.plesk.com/128054

• Enabled SSL support after certificates where installed

www - certificate
Plesk: The SSL certificate was successfully updated.
Assigned in "Hosting and
Browser: Works in browser.

webmail - certificate
Plesk: The SSL certificate was successfully updated.
Browser: Does not work in browser. "Your connection to this site is not private."

What i did:

• Refreshed browser cache
• Reinstalled webmail-certificate
• Restarted server
• Checked logs

As far as i can understand
SMTP, IMAP and POP3 use their own certificates which are not related to the ones you setup in Plesk to secure https connections. By default the mail services use auto-generated self-signed certificates.

How can i resolve this issue?

 

[Lloyd_mcse]

Hi noturns,
by default webmail uses the default ssl certificate for the IP address (IIRC), you can edit your templates like so...

https://www.lloyd-day.me/secure-plesk-webmails/

I hope that's clear, any questions, post back.
Kind regards

Lloyd

 

[Noturns]

Hi noturns,
by default webmail uses the default ssl certificate for the IP address (IIRC), you can edit your templates like so...

https://www.lloyd-day.me/secure-plesk-webmails/

I hope that's clear, any questions, post back.
Kind regards

Lloyd

Good morning to you,

Actually i was reading this blog
http://wpguru.co.uk/2014/12/plesk-mail-ssl/

I have trouble understanding your suggestion because is fairly complex.
I'm not sure which option is better or does it not matter?

 

[Lloyd_mcse]

Hi Noturns,
the article you refer to only deals with the mail servers themselves (postfix, courier etc), but to change the webmail certificate you need to edit templates, so when you regenerate the apache/nginx configuration files the new certificate paths are enabled.
Like I said, any issues post back, always happy to help
Kind regards

Lloyd

 

[Noturns]

Hi Noturns,
the article you refer to only deals with the mail servers themselves (postfix, courier etc), but to change the webmail certificate you need to edit templates, so when you regenerate the apache/nginx configuration files the new certificate paths are enabled.
Like I said, any issues post back, always happy to help
Kind regards

Lloyd

Hi Lloyd

Question 1
Is it safe to put custom templates in a separate server folder?
For example?

/opt/psa/admin/conf/templates/custom/webmail-domain-a/
/opt/psa/admin/conf/templates/custom/webmail-domain-b/
/opt/psa/admin/conf/templates/custom/webmail-domain-c/

Question 2
And i have some questions (A-D) regarding the template code itself.
Would it be possible for you to explain this code for me? Thanks

<?phpif($OPT['ssl']):?>
ssl_ecdh_curve secp384r1;
ssl_dhparam  /etc/ssl/dh/RSA4096.pem;
ssl_certificate  /opt/psa/var/certificates/cert-name;
ssl_certificate_key  /opt/psa/var/certificates/cert-name;
ssl_client_certificate/opt/psa/var/certificates/ca-name;
ssl_session_timeout  5m;
ssl_session_cache shared:SSL:5m;
ssl_prefer_server_ciphers  on;
ssl_protocols  TLSv1 TLSv1.1TLSv1.2;
ssl_ciphers  EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate  /etc/ssl/ocsp/domainCA.pem;
resolver8.8.8.88.8.4.4valid=300s;
resolver_timeout10s;
add_header Strict-Transport-Security"max-age=31536000; includeSubDomains";
<?phpendif?>

A - How can i make this file and where does it corresponds to?

ssl_ecdh_curve secp384r1;

B - Next question i assume i could simply create a pem file as show below by following this tutorial https://www.digicert.com/ssl-support/pem-ssl-creation.htm

ssl_dhparam  /etc/ssl/dh/RSA4096.pem;

C - And in which sense is this pem file different than the above pem file?

ssl_trusted_certificate  /etc/ssl/ocsp/domainCA.pem;

D - Last question. Would you recommend all these ciphers? How do i know which cipher is needed for my SSL certificate?

ssl_ciphers  EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;

Looking forward in reading your reply.

 

[Lloyd_mcse]

Hi Noturns,

Question 1: No you can't do that unfortunately, you're stuck with one fully certified domain or multi-domain certificates. Though people have spoken about using domain.tld/webmail, but I haven't tried it.

Question 2:
a) No file needed for this, it's simply a directive.
b) Yeah you can simply create the dhparam (https://www.lloyd-day.me/creating-dh-parameters/)
c) This file should contain the intermediate and the root certificate of your webmail.domain.tld certificate.
In the case of RapidSSL, it would contain the RapidSSL SHA256 CA - G4, and the GeoTrust Primary Certification Authority certs.
d) It looks like I just copied that cipher suite from Qualys, I like...

ssl_ciphers                 EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!SEED:!DSS:!CAMELLIA;

That may be too strict for many, but I find it does the job.
I hope that helps
Kind regards

Lloyd

 

[Noturns]

I hope that helps
Kind regards

Lloyd

Hi Lloyd,

Thanks for your clear answers.
If i understand you correctly with this solution all websites will eventually share the same certificate?

 

[Lloyd_mcse]

If i understand you correctly with this solution all websites will eventually share the same certificate?

Yes, the same certificate and domain. Like I said you could use a multi-domain certificate but they are quite expensive (the last time i checked).
No problem, happy to help
Kind regards

Lloyd

 

[Noturns]

I purchased a multi site certificate today and hoped it would ease the pain. Unfortunately i get the same result with webmail.
Suppose that users/webmasters cant get around this matter the way mail server certificates are handled.

As i have said i have purchased a single and i have tried but it's still fairly complex to handle for me as a beginner.
I will submit a feature request to automate such feature.

 

[Noturns]

Yes, the same certificate and domain. Like I said you could use a multi-domain certificate but they are quite expensive (the last time i checked).
No problem, happy to help
Kind regards

Lloyd

Dear Lloyd,

I also found this KB. Which it looks like a peace of cake. What's your opinion about that?
https://kb.plesk.com/en/123648

 

[Lloyd_mcse]

What's your opinion about that?

Well, that is essentially what we are doing, see section 5...

If yes, modify Plesk custom templates to make sure that settings are not overwritten after upgrade according to our documentation
Required files are horde.php and roundcube.php

Kind regards

Lloyd

 

[trialotto]

@Noturns,

One can also use the default config files to point to a specific SSL certificate: just do the following

1 - find the config file responsible (can be Nginx or Apache) and write down the ssl certificate location
2 - cd into the directory of the ssl certificate location
3 - find the location of the ssl certificate (for webmail) that has been bought and uploaded via the Plesk Panel
4 - in the directory, mentioned in point 2, "move" the original certificate (read: rename to a file with some extension like .bak)
5 - in the directory, mentioned in point 2, create a symlink, pointing to the location, as mentioned in point 3

and that should work like a charm. It is a whole lot easier and is also persistent across upgrades and updates.

Also note that one can use Nginx to act as a proxy, with the (bought) SSL certificate applying to all incoming connections (and the default certificate or some other certificate is applying for all traffic between Nginx and the proxied Apache server).

Again, the latter solution is a whole lot easier.

All of the above is to be seen as "food for thought", since details of the solution(s) are missing at this moment.

Nevertheless, it is good to think about it, before doing a whole lot of work, while a more obvious solution may be present.

Hope the above helps a bit.

Regards.....