• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.

Issue Multiple certificates

Noturns

Regular Pleskian
Plesk v12.5.30_build1205150826.19
OS CentOS 6.8 (Final)

For my website i have bought and installed 2 separate single SSL-certificates for my domain.
Followed this tutorial https://kb.plesk.com/128054

  • Enabled SSL support after certificates where installed

gacqbwg.png


www - certificate
Plesk: The SSL certificate was successfully updated.
Assigned in "Hosting and
Browser: Works in browser.

webmail - certificate
Plesk: The SSL certificate was successfully updated.
Browser: Does not work in browser. "Your connection to this site is not private."

What i did:
  • Refreshed browser cache
  • Reinstalled webmail-certificate
  • Restarted server
  • Checked logs
As far as i can understand
SMTP, IMAP and POP3 use their own certificates which are not related to the ones you setup in Plesk to secure https connections. By default the mail services use auto-generated self-signed certificates.

How can i resolve this issue?
 
Last edited:
Hi noturns,
by default webmail uses the default ssl certificate for the IP address (IIRC), you can edit your templates like so...

https://www.lloyd-day.me/secure-plesk-webmails/

I hope that's clear, any questions, post back.
Kind regards

Lloyd

Good morning to you,

Actually i was reading this blog
http://wpguru.co.uk/2014/12/plesk-mail-ssl/

I have trouble understanding your suggestion because is fairly complex.
I'm not sure which option is better or does it not matter?
 
Hi Noturns,
the article you refer to only deals with the mail servers themselves (postfix, courier etc), but to change the webmail certificate you need to edit templates, so when you regenerate the apache/nginx configuration files the new certificate paths are enabled.
Like I said, any issues post back, always happy to help
Kind regards

Lloyd
 
Hi Noturns,
the article you refer to only deals with the mail servers themselves (postfix, courier etc), but to change the webmail certificate you need to edit templates, so when you regenerate the apache/nginx configuration files the new certificate paths are enabled.
Like I said, any issues post back, always happy to help
Kind regards

Lloyd

Hi Lloyd

Question 1
Is it safe to put custom templates in a separate server folder?
For example?

Code:
/opt/psa/admin/conf/templates/custom/webmail-domain-a/
/opt/psa/admin/conf/templates/custom/webmail-domain-b/
/opt/psa/admin/conf/templates/custom/webmail-domain-c/


Question 2
And i have some questions (A-D) regarding the template code itself.
Would it be possible for you to explain this code for me? Thanks

Code:
<?phpif($OPT['ssl']):?>
ssl_ecdh_curve secp384r1;
ssl_dhparam  /etc/ssl/dh/RSA4096.pem;
ssl_certificate  /opt/psa/var/certificates/cert-name;
ssl_certificate_key  /opt/psa/var/certificates/cert-name;
ssl_client_certificate/opt/psa/var/certificates/ca-name;
ssl_session_timeout  5m;
ssl_session_cache shared:SSL:5m;
ssl_prefer_server_ciphers  on;
ssl_protocols  TLSv1 TLSv1.1TLSv1.2;
ssl_ciphers  EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate  /etc/ssl/ocsp/domainCA.pem;
resolver8.8.8.88.8.4.4valid=300s;
resolver_timeout10s;
add_header Strict-Transport-Security"max-age=31536000; includeSubDomains";
<?phpendif?>

A - How can i make this file and where does it corresponds to?
Code:
ssl_ecdh_curve secp384r1;

B - Next question i assume i could simply create a pem file as show below by following this tutorial https://www.digicert.com/ssl-support/pem-ssl-creation.htm
Code:
ssl_dhparam  /etc/ssl/dh/RSA4096.pem;

C - And in which sense is this pem file different than the above pem file?
Code:
ssl_trusted_certificate  /etc/ssl/ocsp/domainCA.pem;

D - Last question. Would you recommend all these ciphers? How do i know which cipher is needed for my SSL certificate?
Code:
ssl_ciphers  EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;


Looking forward in reading your reply.
 
Last edited:
Hi Noturns,

Question 1: No you can't do that unfortunately, you're stuck with one fully certified domain or multi-domain certificates. Though people have spoken about using domain.tld/webmail, but I haven't tried it.

Question 2:
a) No file needed for this, it's simply a directive.
b) Yeah you can simply create the dhparam (https://www.lloyd-day.me/creating-dh-parameters/)
c) This file should contain the intermediate and the root certificate of your webmail.domain.tld certificate.
In the case of RapidSSL, it would contain the RapidSSL SHA256 CA - G4, and the GeoTrust Primary Certification Authority certs.
d) It looks like I just copied that cipher suite from Qualys, I like...

Code:
ssl_ciphers                 EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!SEED:!DSS:!CAMELLIA;


That may be too strict for many, but I find it does the job.
I hope that helps
Kind regards

Lloyd
 
Last edited:
If i understand you correctly with this solution all websites will eventually share the same certificate?

Yes, the same certificate and domain. Like I said you could use a multi-domain certificate but they are quite expensive (the last time i checked).
No problem, happy to help
Kind regards

Lloyd
 
I purchased a multi site certificate today and hoped it would ease the pain. Unfortunately i get the same result with webmail.
Suppose that users/webmasters cant get around this matter the way mail server certificates are handled.

As i have said i have purchased a single and i have tried but it's still fairly complex to handle for me as a beginner.
I will submit a feature request to automate such feature.
 
@Noturns,

One can also use the default config files to point to a specific SSL certificate: just do the following

1 - find the config file responsible (can be Nginx or Apache) and write down the ssl certificate location
2 - cd into the directory of the ssl certificate location
3 - find the location of the ssl certificate (for webmail) that has been bought and uploaded via the Plesk Panel
4 - in the directory, mentioned in point 2, "move" the original certificate (read: rename to a file with some extension like .bak)
5 - in the directory, mentioned in point 2, create a symlink, pointing to the location, as mentioned in point 3

and that should work like a charm. It is a whole lot easier and is also persistent across upgrades and updates.

Also note that one can use Nginx to act as a proxy, with the (bought) SSL certificate applying to all incoming connections (and the default certificate or some other certificate is applying for all traffic between Nginx and the proxied Apache server).

Again, the latter solution is a whole lot easier.

All of the above is to be seen as "food for thought", since details of the solution(s) are missing at this moment.

Nevertheless, it is good to think about it, before doing a whole lot of work, while a more obvious solution may be present.

Hope the above helps a bit.

Regards.....
 
Back
Top