
Issue Multiple certificates

Noturns

Regular Pleskian
Plesk v12.5.30_build1205150826.19
OS CentOS 6.8 (Final)

For my website I have bought and installed two separate single SSL certificates for my domain.
Followed this tutorial https://kb.plesk.com/128054

  • Enabled SSL support after the certificates were installed



www - certificate
Plesk: The SSL certificate was successfully updated.
Assigned in "Hosting and
Browser: Works in browser.

webmail - certificate
Plesk: The SSL certificate was successfully updated.
Browser: Does not work in browser. "Your connection to this site is not private."

What I did:
  • Refreshed browser cache
  • Reinstalled webmail-certificate
  • Restarted server
  • Checked logs
As far as I can understand:
SMTP, IMAP and POP3 use their own certificates which are not related to the ones you setup in Plesk to secure https connections. By default the mail services use auto-generated self-signed certificates.

How can I resolve this issue?
 
Hi noturns,
by default webmail uses the default SSL certificate for the IP address (IIRC); you can edit your templates like so...

https://www.lloyd-day.me/secure-plesk-webmails/

I hope that's clear, any questions, post back.
Kind regards

Lloyd

Good morning to you,

Actually I was reading this blog
http://wpguru.co.uk/2014/12/plesk-mail-ssl/

I have trouble understanding your suggestion because it is fairly complex.
I'm not sure which option is better, or does it not matter?
 
Hi Noturns,
the article you refer to only deals with the mail servers themselves (postfix, courier etc), but to change the webmail certificate you need to edit templates, so when you regenerate the apache/nginx configuration files the new certificate paths are enabled.
Like I said, any issues post back, always happy to help
Kind regards

Lloyd
 
Hi Lloyd

Question 1
Is it safe to put custom templates in a separate server folder?
For example:

Code:
/opt/psa/admin/conf/templates/custom/webmail-domain-a/
/opt/psa/admin/conf/templates/custom/webmail-domain-b/
/opt/psa/admin/conf/templates/custom/webmail-domain-c/


Question 2
And I have some questions (A-D) regarding the template code itself.
Would it be possible for you to explain this code for me? Thanks

Code:
<?php if ($OPT['ssl']): ?>
ssl_ecdh_curve secp384r1;
ssl_dhparam /etc/ssl/dh/RSA4096.pem;
ssl_certificate /opt/psa/var/certificates/cert-name;
ssl_certificate_key /opt/psa/var/certificates/cert-name;
ssl_client_certificate /opt/psa/var/certificates/ca-name;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:5m;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/ocsp/domainCA.pem;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 10s;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
<?php endif ?>

A - How can I make this file, and what does it correspond to?
Code:
ssl_ecdh_curve secp384r1;

B - Next question: I assume I could simply create a pem file as shown below by following this tutorial https://www.digicert.com/ssl-support/pem-ssl-creation.htm
Code:
ssl_dhparam  /etc/ssl/dh/RSA4096.pem;

C - And in which sense is this pem file different from the above pem file?
Code:
ssl_trusted_certificate  /etc/ssl/ocsp/domainCA.pem;

D - Last question. Would you recommend all these ciphers? How do I know which cipher is needed for my SSL certificate?
Code:
ssl_ciphers  EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;


Looking forward to reading your reply.
 
Hi Noturns,

Question 1: No, you can't do that unfortunately; you're stuck with one fully certified domain or multi-domain certificates. Though people have spoken about using domain.tld/webmail, I haven't tried it.

Question 2:
a) No file needed for this, it's simply a directive.
b) Yeah you can simply create the dhparam (https://www.lloyd-day.me/creating-dh-parameters/)
c) This file should contain the intermediate and the root certificate of your webmail.domain.tld certificate.
In the case of RapidSSL, it would contain the RapidSSL SHA256 CA - G4, and the GeoTrust Primary Certification Authority certs.
d) It looks like I just copied that cipher suite from Qualys, I like...

Code:
ssl_ciphers                 EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!SEED:!DSS:!CAMELLIA;


That may be too strict for many, but I find it does the job.
I hope that helps
Kind regards

Lloyd
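To put question D on a concrete footing, here is an added example (my code, not Lloyd's or Plesk's) that resolves an OpenSSL cipher string such as the stricter one above into the suites the local libssl would actually offer, and then filters them by the key type of the server certificate. The suites a certificate "needs" are not vendor-specific: an RSA-keyed certificate can only be used by the `aRSA` suites, an ECDSA-keyed one only by the `ECDSA` suites, and anything else in `ssl_ciphers` is dead weight. The cipher string is copied from Lloyd's reply; the `STRICT` and `WEAK` names are mine.

```python
import re
import ssl

# Added example, not code from the thread. It expands an OpenSSL cipher string such as
# the one Lloyd pasted above into the concrete suites the local libssl would offer and
# shows which of them a server can actually use, which depends on the key type of the
# certificate (RSA or ECDSA), not on the certificate vendor.

# Lloyd's stricter list from the reply above
STRICT = ("EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:"
          "EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!RC4:"
          "!3DES:!MD5:!EXP:!PSK:!SRP:!SEED:!DSS:!CAMELLIA")

# name fragments of suites that have no place in a modern server configuration
WEAK = re.compile(r"(^|-)(RC4|DES-CBC3|DES-CBC|MD5|NULL|EXP|ADH|AECDH)(-|$)")


def expand_ciphers(cipher_string):
    """Resolve a cipher string to [(suite_name, auth_algorithm)] for the TLS <= 1.2 suites
    it selects, in server preference order. OpenSSL configures TLS 1.3 suites separately
    and always reports them, so they are left out here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if the string selects nothing
    suites = []
    for c in ctx.get_ciphers():
        if c["protocol"] == "TLSv1.3":
            continue
        # description looks like "ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA ..."
        m = re.search(r"Au=(\w+)", c["description"])
        suites.append((c["name"], m.group(1).upper() if m else "?"))
    return suites


def negotiable_with(cipher_string, key_type):
    """Suites usable with a certificate whose key is `key_type` ('RSA' or 'ECDSA').
    Suites authenticated with the other algorithm are dead weight in ssl_ciphers."""
    return [name for name, auth in expand_ciphers(cipher_string) if auth == key_type.upper()]


def find_weak(suite_names):
    """Suite names that still carry RC4, 3DES, single DES, MD5, NULL, export or anonymous DH."""
    return [n for n in suite_names if WEAK.search(n)]


if __name__ == "__main__":
    for key in ("RSA", "ECDSA"):
        usable = negotiable_with(STRICT, key)
        print(f"{key} certificate: {len(usable)} suites, weak: {find_weak(usable)}")
        for name in usable[:3]:
            print("   ", name)
```

Run it on the server whose nginx will use the string, since the result depends on that host's libssl. Two caveats a practitioner would add to the template quoted earlier in the thread: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2` keeps TLS 1.0 and 1.1 enabled, both of which are deprecated by RFC 8996, and the `ssl_dhparam` file, whatever it is named, holds Diffie-Hellman parameters rather than an RSA key.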
 
If I understand you correctly, with this solution all websites will eventually share the same certificate?

Yes, the same certificate and domain. Like I said you could use a multi-domain certificate but they are quite expensive (the last time i checked).
No problem, happy to help
Kind regards

Lloyd
 
I purchased a multi-site certificate today and hoped it would ease the pain. Unfortunately I get the same result with webmail.
Suppose that users/webmasters can't get around this matter, the way mail server certificates are handled.

As I have said, I have purchased a single one and I have tried, but it's still fairly complex to handle for me as a beginner.
I will submit a feature request to automate such a feature.
 
@Noturns,

One can also use the default config files to point to a specific SSL certificate: just do the following

1 - find the config file responsible (can be Nginx or Apache) and write down the ssl certificate location
2 - cd into the directory of the ssl certificate location
3 - find the location of the ssl certificate (for webmail) that has been bought and uploaded via the Plesk Panel
4 - in the directory, mentioned in point 2, "move" the original certificate (read: rename to a file with some extension like .bak)
5 - in the directory, mentioned in point 2, create a symlink, pointing to the location, as mentioned in point 3

and that should work like a charm. It is a whole lot easier and is also persistent across upgrades and updates.

Also note that one can use Nginx to act as a proxy, with the (bought) SSL certificate applying to all incoming connections (and the default certificate or some other certificate is applying for all traffic between Nginx and the proxied Apache server).

Again, the latter solution is a whole lot easier.

All of the above is to be seen as "food for thought", since details of the solution(s) are missing at this moment.

Nevertheless, it is good to think about it, before doing a whole lot of work, while a more obvious solution may be present.

Hope the above helps a bit.

Regards.....
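The five steps above, scripted as an added example (my code, not trialotto's and not part of Plesk). Every path in it is hypothetical: on a real host you would pass the nginx or Apache config that serves webmail (step 1) and the file Plesk wrote under /opt/psa/var/certificates/ for the certificate uploaded in the panel (step 3). The one check added beyond the post is that the uploaded file carries both a private key and a certificate before the symlink is created, because the template quoted earlier in the thread points `ssl_certificate` and `ssl_certificate_key` at the same file.

```python
import os
import re
import tempfile

# Added example, not code from the thread. It scripts the five-step symlink swap from the
# post above. The paths are all hypothetical: on a real Plesk host you would pass the
# nginx or Apache config that serves webmail (step 1) and the file Plesk wrote under
# /opt/psa/var/certificates/ for the certificate you uploaded in the panel (step 3).

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)

# directives whose argument is a certificate or key file, in nginx and Apache syntax
CERT_DIRECTIVE = re.compile(
    r"^\s*(ssl_certificate_key|ssl_certificate|SSLCertificateKeyFile|SSLCertificateFile)\s+(\S+?);?\s*$",
    re.M,
)


def pem_block_types(path):
    """Types of the PEM blocks in a file, e.g. ['RSA PRIVATE KEY', 'CERTIFICATE']."""
    with open(path, encoding="ascii", errors="replace") as fh:
        return [m.group(1) for m in PEM_BLOCK.finditer(fh.read())]


def certificate_paths(config_path):
    """Step 1: every certificate/key path the config file points at (sorted, unique)."""
    with open(config_path) as fh:
        return sorted({m.group(2) for m in CERT_DIRECTIVE.finditer(fh.read())})


def swap_certificate(old_path, new_path, need=("CERTIFICATE",)):
    """Steps 4-5: rename the file the config points at to <name>.bak and put a symlink to
    the uploaded certificate in its place. Refuses if new_path lacks any block type in
    `need`; pass need=("CERTIFICATE", "PRIVATE KEY") when the config uses one file for
    both ssl_certificate and ssl_certificate_key, as the template in this thread does."""
    types = pem_block_types(new_path)
    missing = [t for t in need if not any(have.endswith(t) for have in types)]
    if missing:
        raise ValueError(f"{new_path} is missing {missing}; found {types}")
    if os.path.islink(old_path):
        os.unlink(old_path)          # re-run after an update: just repoint the link
    else:
        backup = old_path + ".bak"
        if os.path.exists(backup):
            raise FileExistsError(backup)
        os.rename(old_path, backup)  # keep the original certificate recoverable
    os.symlink(os.path.abspath(new_path), old_path)
    return os.readlink(old_path)


def demo():
    """Run the procedure against constructed files in a temp dir and report what happened."""
    root = tempfile.mkdtemp()
    old = os.path.join(root, "default.pem")         # hypothetical: what the config references
    new = os.path.join(root, "webmail-upload.pem")  # hypothetical: the uploaded certificate
    cfg = os.path.join(root, "webmail.conf")        # hypothetical: the webmail vhost config
    fake = "MIIB..."                                # constructed placeholder, not key material
    with open(old, "w") as fh:
        fh.write(f"-----BEGIN PRIVATE KEY-----\n{fake}\n-----END PRIVATE KEY-----\n"
                 f"-----BEGIN CERTIFICATE-----\n{fake}\n-----END CERTIFICATE-----\n")
    with open(new, "w") as fh:
        fh.write(f"-----BEGIN RSA PRIVATE KEY-----\n{fake}\n-----END RSA PRIVATE KEY-----\n"
                 f"-----BEGIN CERTIFICATE-----\n{fake}\n-----END CERTIFICATE-----\n")
    with open(cfg, "w") as fh:
        fh.write(f"server {{\n    listen 443 ssl;\n    ssl_certificate {old};\n"
                 f"    ssl_certificate_key {old};\n}}\n")
    paths = certificate_paths(cfg)
    target = swap_certificate(paths[0], new, need=("CERTIFICATE", "PRIVATE KEY"))
    return {
        "paths": paths,
        "link_target": target,
        "backup_exists": os.path.exists(old + ".bak"),
        "link_resolves_to_new": pem_block_types(old) == pem_block_types(new),
        "new_types": pem_block_types(new),
    }


if __name__ == "__main__":
    print(demo())
```

The swap is idempotent: if the configured path is already a symlink from an earlier run, it is repointed rather than renamed again, so the `.bak` copy of the original certificate is never overwritten. Reload the web server after the swap; the config file itself is untouched, which is what makes this survive a regeneration of the Plesk templates.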
 