
NGINX + SSL needs to be fixed.

TSCADFX

Here's a couple of problems I see with 11.5.30 Update #9, nginx and SSL.

1 - /usr/local/psa/admin/conf/templates/default/domain/nginxDomainVirtualHost.php should be changed from:

Code:
<?php       if ($sslCertificate->ca): ?>
    ssl_client_certificate      <?php echo $sslCertificate->caFilePath ?>;
<?php       endif ?>

to:

Code:
<?php       if ($sslCertificate->ca): ?>
    ssl_client_certificate        <?php echo $sslCertificate->caFilePath ?>;
    ssl_trusted_certificate      <?php echo $sslCertificate->caFilePath ?>;
<?php       endif ?>

2 - In order to comply with PCI compliance

Code:
    ssl_protocols               SSLv2 SSLv3 TLSv1;
    ssl_ciphers                 HIGH:!aNULL:!MD5;


should be changed to:

Code:
    ssl_protocols               SSLv3 TLSv1;
    ssl_ciphers                 RC4:HIGH:!MD5:!aNULL:!DH:!EDH;

3 - These changes should also be applied to /usr/local/psa/admin/conf/templates/default/nginxWebmailPartial.php

4 - The server_name directive is not always being honored. Connecting to the server with openssl s_client -connect <IP>:443 will often use the default panel certificate instead of using the certificate located in /etc/nginx/plesk.conf.d/vhosts/domain.tld.conf. The server should only be using the panel certificate for webmail.* roundcube.webmail.* horde.webmail.* atmail.webmail.*.

5 - There should be an option for the domain to use a wildcard certificate for the subdomains listed above. Currently there's no possible way to achieve this. Additional nginx directives don't work because they are duplicates and therefore refused.

6 - Reconfiguring all domains /usr/local/psa/admin/bin/httpdmng --reconfigure-all, causes all certificates to be invalidated by nginx. To correct this the following article needs to be followed: http://kb.parallels.com/en/114984. This should not happen!

Can someone from Parallels please shed some light on these issues and possibly forward this to development for resolution?

Thank you!
 
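Items 1, 4 and 6 above all show up the same way from outside: the chain nginx sends is incomplete or the wrong certificate is served. The following shell script is an added example, not code from the thread or from Plesk, that audits a saved capture of `openssl s_client -connect <IP>:443 -servername domain.tld -showcerts` output: it counts the certificates sent, checks the leaf subject against the expected domain, reads the negotiated protocol and the OpenSSL verify return code, and fails on any of the symptoms discussed. The two captures embedded in it (`write_sample_broken`, `write_sample_ok`) are constructed for illustration with placeholder PEM bodies in OpenSSL 1.0-style formatting, and all function names are mine.

```shell
#!/bin/sh
# Added example: audit a saved s_client capture, e.g. produced with
#   openssl s_client -connect <IP>:443 -servername domain.tld -showcerts </dev/null >capture.txt
# The write_sample_* captures below are constructed, not real s_client output.

# Number of certificates the server sent (leaf + intermediates).
chain_length() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Subject of chain entry 0, the leaf certificate.
leaf_subject() {
    awk '/^ *0 s:/ { sub(/^ *0 s:/, ""); print; exit }' "$1"
}

# Negotiated protocol from the SSL-Session block.
negotiated_protocol() {
    awk '/Protocol *:/ { print $NF; exit }' "$1"
}

# Numeric OpenSSL verify result (0 means the chain verified).
verify_code() {
    awk '/Verify return code:/ { print $4; exit }' "$1"
}

# audit_chain CAPTURE EXPECTED_CN -> status 0 if every check passes, 1 otherwise.
audit_chain() {
    file=$1; expected=$2; status=0
    n=$(chain_length "$file")
    if [ "$n" -lt 2 ]; then
        echo "FAIL: only $n certificate(s) sent; intermediate CA missing (broken chain)"
        status=1
    fi
    # Normalise "CN = x" (OpenSSL 1.1+) and "CN=x" (OpenSSL 1.0) before matching.
    subj=$(leaf_subject "$file" | sed 's/ *= */=/g')
    case "$subj" in
        *"CN=$expected"*) ;;
        *) echo "FAIL: leaf subject '$subj' is not for $expected (default panel cert served?)"
           status=1 ;;
    esac
    proto=$(negotiated_protocol "$file")
    case "$proto" in
        SSLv2|SSLv3) echo "FAIL: obsolete protocol $proto negotiated"; status=1 ;;
        TLSv1|TLSv1.1) echo "WARN: $proto negotiated; PCI DSS now requires TLS 1.2 or later" ;;
    esac
    code=$(verify_code "$file")
    if [ "$code" != "0" ]; then
        echo "FAIL: OpenSSL verify return code $code"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: $n certificate(s), $proto, leaf $subj"
    return "$status"
}

# Constructed capture: only the leaf is sent, so verification fails (code 21).
write_sample_broken() {
cat > "$1" <<'EOF'
CONNECTED(00000003)
depth=0 /CN=domain.tld
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/CN=domain.tld
   i:/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIC...constructed placeholder, not a real certificate...
-----END CERTIFICATE-----
---
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Verify return code: 21 (unable to verify the first certificate)
EOF
}

# Constructed capture: leaf plus intermediate, chain verifies.
write_sample_ok() {
cat > "$1" <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=domain.tld
   i:/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIC...constructed placeholder, not a real certificate...
-----END CERTIFICATE-----
 1 s:/CN=Example Intermediate CA
   i:/CN=Example Root CA
-----BEGIN CERTIFICATE-----
MIID...constructed placeholder, not a real certificate...
-----END CERTIFICATE-----
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)
EOF
}

# Demonstration on the constructed captures (a real audit would read capture.txt).
tmp=${TMPDIR:-/tmp}/chain_audit_$$
write_sample_broken "$tmp.broken"
write_sample_ok "$tmp.ok"
audit_chain "$tmp.broken" domain.tld || echo "(broken capture flagged, as expected)"
audit_chain "$tmp.ok" domain.tld
rm -f "$tmp.broken" "$tmp.ok"
```

Run it once per domain after `httpdmng --reconfigure-all` (and again after any overnight update) to catch the regressions described later in this thread before a customer does; a leaf count of 1 or a subject that is not the domain's is the signature of the broken template.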
Could you elaborate why ssl_trusted_certificate should be used instead of ssl_client_certificate? Why sending CA certificates list to clients is bad?
 
ssl_client_certificate breaks the chain as the CA is not sent. ssl_trusted_certificate sends the CA and doesn't break the chain. ssl_client_certificate would appear to be correct because in theory it should be sending the list of certificates. The problem is, as stated above, that it's not working correctly. If you want to ensure that the ssl_client_certificate is sent as well we can just add the ssl_trusted_certificate. I've revised my first post.
 
I can confirm the issue... old domains created under Plesk 11.0 worked, but domains created under 11.5.30 broke the chain...

I can confirm that copying
/usr/local/psa/admin/conf/templates/default/domain/nginxDomainVirtualHost.php
to
/usr/local/psa/admin/conf/templates/custom/domain/nginxDomainVirtualHost.php

and adding
ssl_trusted_certificate <?php echo $sslCertificate->caFilePath ?>;

fixes the issue.
 
> I can confirm the issue... old domains created under Plesk 11.0 worked, but domains created under 11.5.30 broke the chain...
>
> I can confirm that copying
> /usr/local/psa/admin/conf/templates/default/domain/nginxDomainVirtualHost.php
> to
> /usr/local/psa/admin/conf/templates/custom/domain/nginxDomainVirtualHost.php
>
> and adding
> ssl_trusted_certificate <?php echo $sslCertificate->caFilePath ?>;
>
> fixes the issue.

Also confirmed that this fixes the issue on 08/16/13 with Plesk 11.5.30.
 
What I find a bit depressing in this is that
almost a month later,
after 4 releases (11.5.30 Update #13, last updated at Aug 24, 2013 03:46 AM),
this is still not fixed in Plesk.

Thank you TSCADFX for the fix.
Sadly I thought I was doing something wrong and spent about 10 hours trying a few things... never thought the software works incorrectly.
 
To make things even worse, the overnight upgrade, which I don't believe has upgraded anything (there isn't a new version based on the history of changes, or the Panel version), broke the cert again, and I've had to do a /usr/local/psa/admin/bin/httpdmng --reconfigure-all in the morning.
 
> To make things even worse, the overnight upgrade, which I don't believe has upgraded anything (there isn't a new version based on the history of changes, or the Panel version), broke the cert again, and I've had to do a /usr/local/psa/admin/bin/httpdmng --reconfigure-all in the morning.

Use the f̶o̶r̶c̶e̶ custom templates as in Florian_M post.
 
> Use the f̶o̶r̶c̶e̶ custom templates as in Florian_M post.

Hi Nikolay,

I've created a custom template, and if I run httpdmng it fixes the problem.

diff /usr/local/psa/admin/conf/templates/default/domain/nginxDomainVirtualHost.php /usr/local/psa/admin/conf/templates/custom/domain/nginxDomainVirtualHost.php
41a42
> ssl_trusted_certificate <?php echo $sslCertificate->caFilePath ?>;
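Review bot: the added `> ssl_trusted_certificate <?php echo $sslCertificate->caFilePath ?>;` line should be verified rather than assumed to repair the chain, because the nginx documentation states that the certificates given to ssl_trusted_certificate are used to verify client certificates and OCSP responses and, in contrast to ssl_client_certificate, are not sent to clients; the way nginx is documented to send an intermediate is to append the CA certificate to the file named by ssl_certificate. After httpdmng --reconfigure-all, check with `openssl s_client -connect <IP>:443 -showcerts` that more than one certificate appears under "Certificate chain" and that the verify return code is 0.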
45,46c46,47
< ssl_protocols SSLv2 SSLv3 TLSv1;
< ssl_ciphers HIGH:!aNULL:!MD5;
---
> ssl_protocols SSLv3 TLSv1;
> ssl_ciphers RC4:HIGH:!MD5:!aNULL:!DH:!EDH;
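Review bot: `> ssl_protocols SSLv3 TLSv1;` still leaves SSLv3 enabled and `> ssl_ciphers RC4:HIGH:!MD5:!aNULL:!DH:!EDH;` puts RC4 first; both have since been shown broken (SSLv3 by POODLE, RC4 prohibited for TLS by RFC 7465) and PCI DSS has required migration off SSL and early TLS since version 3.1, so anyone reusing this custom template today should restrict ssl_protocols to TLSv1.2 (and TLSv1.3 where the nginx/OpenSSL build supports it) and drop RC4 from the cipher list. Disabling SSLv2 here was the right call; the remainder of the line is only suitable for the 2013 environment it was written in.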
 
If anyone is looking to create a custom template in order to apply the changes to all domains on the account, you can do so by visiting our blog post, which has more detailed instructions on how to fix this. We also have many other suggestions for PCI compliance on Plesk if anyone is interested.

At the bottom of the Nginx configuration area you'll see the download for the custom file templates should you wish to use ours. Our version also fixes the PCI compliance issues as of 08/31/2013.

Here's the link: Hardening Plesk and PCI Compliance
 
> If anyone is looking to create a custom template in order to apply the changes to all domains on the account, you can do so by visiting our blog post, which has more detailed instructions on how to fix this. We also have many other suggestions for PCI compliance on Plesk if anyone is interested.
>
> At the bottom of the Nginx configuration area you'll see the download for the custom file templates should you wish to use ours. Our version also fixes the PCI compliance issues as of 08/31/2013.
>
> Here's the link: Hardening Plesk and PCI Compliance

Thank you for sharing this.
 