
Issue not properly redirect https://domain.tld:8443 to https://server.hostname.tld:8443 security errors

Spirogg

Basic Pleskian
I am using a VPS
OS CentOS Linux 7.7.1908 (Core)
Fresh Install of:
Product Plesk Obsidian
Version 18.0.19
The system is up-to-date. Checked on Sept 28, 2019 11:23 AM.


I am having issues and can't get the redirect to show as secure in browsers?

I've read the support to add domain redirect and IP redirect to https://server.hostname:8443

But the issue is: If we do 301 redirect to https:// for a domain name, it gives us an error page in browsers that the website is not secure when trying to redirect to https://server.hostname.tld:8443 ??

If I go to the server's IP 1.2.3.4.5:8443 it redirects properly to https://server.hostname.tld:8443 with no error page and shows in browsers as secured site.

But only I get the problem with (not secure error page) when redirecting https://www.domain.tld:8443 to https://server.hostname.tld:8443 then browsers say not secure

How can we fix this please?


I am hoping someone has a workaround or has figured this out :)

Regards,
Spiro
 
Look at it this way:

at the moment the visitor requests the https://www.domain.tld:8443, their browser expects a response with a valid certificate for that address. Since one isn't provided by the server, the browser immediately displays a security warning.

Only after the warning has been dismissed by the customer, the browser actually reaches the https://www.domain.tld:8443 and only then can the redirect to https://server.hostname.tld:8443 take place.

As it is now, I see no way of circumventing this.

Plesk actually assigning proper certificates to https://www.domain.tld:8443 when a certificate for https://www.domain.tld exists would render this issue nonexistent, though.

There are two web servers involved but I see no technical reason why this functionality couldn't be provided. We regularly get baffled customers contacting our support in regards to this.

IMHO, as far as end user experience goes, this is one of the major omissions in Plesk. Right after the mail server SNI, which is now starting to get partially addressed...
 
...at the moment the visitor requests the https://www.domain.tld:8443, their browser expects a response with a valid certificate for that address. Since one isn't provided by the server, the browser immediately displays a security warning. Only after the warning has been dismissed by the customer, the browser actually reaches the https://www.domain.tld:8443 and only then can the redirect to https://server.hostname.tld:8443 take place
That ^^ is a great, informative summary of the situation faced by @Spirogg

If somebody visits one of our hosted https://www.domain.tld:8443 urls (either by choice or by accident) they DO get a response with a valid certificate for that address, so there's no security warning. Consequently they are re-directed to https://server.hostname.tld:8443 without any warnings or problems. In our case, we originally asked Plesk support about the right re-direct method for this & then added this info to our own choice of using which SSL certificates and where. So, there are two different factors that allow these types of re-directs to happen securely for us:

a) The re-direct itself. This will work on all hosted domains:8443 (and works faultlessly for us)
Code:
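# Flag stays "0" unless the request was addressed to the server's own host name
set $test "0";
# $hostname is nginx's built-in variable for the machine's host name
if ( $host = '$hostname' ) {
    set $test "1";
}
# Any other name on :8443 gets a permanent (301) redirect to the host name
if ( $test = "0" ) {
    rewrite ^/(.*)$ https://$hostname:8443/$1 permanent;
}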
which, is added to /etc/sw-cp-server/conf.d/plesk.conf. This is because it is still NOT possible for Plesk to block access to any-domain.tld:8443 as Plesk themselves have described HERE << This page in turn, links to this PAGE which is the same page that's quoted by @Spirogg in the opening post above.

b) The SSL Certificate. We use a Let's Encrypt, Multi-Domain / All Wildcard / SSL Certificate that covers both the host domain itself AND all of the hosted domains with wildcard status on all of them. It would usually be called a SAN (if / when purchased) but all of the Let's Encrypt certificates are free, so...

The actual reason for us choosing this specific type of SSL certificate choice is related to something else, but these redirects were a happy additional plus. The downside, is that this certificate can only be re-newed manually and each domain's DNS must have two separate text references included (to permit verification by Let's Encrypt) at each renewal, so it's not perfection ;)
As it is now, I see no way of circumventing this. Plesk actually assigning proper certificates to https://www.domain.tld:8443 when a certificate for https://www.domain.tld exists would render this issue nonexistent, though. There are two web servers involved but I see no technical reason why this functionality couldn't be provided. We regularly get baffled customers contacting our support in regards to this. IMHO, as far as end user experience goes, this is one of the major omissions in Plesk. Right after the mail server SNI, which is now starting to get partially addressed...
Our current solution, as stated, is far from perfect, but it is secure and it does work perfectly. It's only really an option for you though @Spirogg IF you have, say less than 50 hosted domains (because the manual DNS verification job, every three months, would become very irksome otherwise) and, that you're happy with a non-auto-renewal certificate in the first place, but meantime it works very well for us, whilst we all wait for Plesk to solve the problem properly :)
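
The two posts above, as an added example that is not part of the original thread: the TLS handshake for the requested name happens before any redirect is sent, so the certificate served on :8443 has to cover every hosted name as well as the redirect target. The SAN lists are constructed from the thread's placeholder names, and all function names are hypothetical.

```python
"""Added example: which names can be opened on :8443 without a certificate warning."""
import socket
import ssl


def san_matches(hostname: str, san: str) -> bool:
    """Match one certificate DNS name against a host name.

    A '*' is honoured only as the entire leftmost label and stands for
    exactly one label, so '*.domain.tld' covers 'www.domain.tld' but not
    'domain.tld' or 'a.b.domain.tld'.
    """
    host = hostname.lower().rstrip(".").split(".")
    name = san.lower().rstrip(".").split(".")
    if len(host) != len(name):
        return False
    if name[0] == "*":
        return len(name) >= 3 and host[1:] == name[1:]
    return host == name


def covered(hostname: str, sans: list[str]) -> bool:
    return any(san_matches(hostname, s) for s in sans)


def redirect_is_clean(requested: str, target: str, sans: list[str]) -> bool:
    """The handshake for `requested` happens before any HTTP redirect is
    sent, so the certificate must cover it as well as the redirect target."""
    return covered(requested, sans) and covered(target, sans)


def live_sans(host: str, port: int = 8443, timeout: float = 5.0) -> list[str]:
    """Do a verified handshake for `host` and return the DNS names served.

    Raises ssl.SSLCertVerificationError in the case where a browser would
    show its warning. Needs network access; not called on import.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


# Constructed SAN lists using the thread's placeholder names.
ONE_DOMAIN_WILDCARD = ["hostname.tld", "*.hostname.tld"]
MULTI_DOMAIN_WILDCARD = ONE_DOMAIN_WILDCARD + ["domain.tld", "*.domain.tld"]

if __name__ == "__main__":
    for label, sans in (("one-domain wildcard", ONE_DOMAIN_WILDCARD),
                        ("multi-domain wildcard", MULTI_DOMAIN_WILDCARD)):
        ok = redirect_is_clean("www.domain.tld", "server.hostname.tld", sans)
        print(f"{label}: www.domain.tld:8443 -> server.hostname.tld:8443 "
              f"{'clean' if ok else 'certificate warning before redirect'}")
```

Calling `live_sans()` against each hosted name on port 8443 after installing a new certificate shows which names are actually covered before customers find out.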
 
Thank you @Ales for your Summary of this issue.


and thank you @learning_curve for your solution, but I seem to not be able to get it working. I have a few questions below, if you can assist.

So, there are two different factors that allow these type of re-directs to happen securely for us:

a) The re-direct itself. This will work on all hosted domains:8443 (and works faultlessly for us)
Code:
set $test "0";
if ( $host = '$hostname' ) {
    set $test "1";
}
if ( $test = "0" ) {
    rewrite ^/(.*)$ https://$hostname:8443/$1 permanent;
}

which, is added to /etc/sw-cp-server/conf.d/plesk.conf.

This is because it is still NOT possible for Plesk to block access to any-domain.tld:8443 as Plesk themselves have described HERE << This page in turn, links to this PAGE which is the same page that's quoted by @Spirogg in the opening post above.

b) The SSL Certificate. We use a Let's Encrypt, Multi-Domain / All Wildcard / SSL Certificate that covers both the host domain itself AND all of the hosted domains with wildcard status on all of them. It would usually be called a SAN (if / when purchased) but all of the Let's Encrypt certificates are free, so...

The actual reason for us choosing this specific type of SSL certificate choice is related to something else, but these redirects were a happy additional plus. The downside, is that this certificate can only be re-newed manually and each domain's DNS must have two separate text references included (to permit verification by Let's Encrypt) at each renewal, so it's not perfection ;) Our current solution, as stated, is far from perfect, but it is secure and it does work perfectly. It's only really an option for you though @Spirogg

Hi thanks so much for your suggestion and code.
I am having a little problem making it work still.

a) I am a little stumped on the SSL certificate you said you're using, "I am using Let's Encrypt Wild Card SSL that I enabled from Plesk" Is this not the same SSL Cert you are using?
- if not can you give me a link to the correct SSL cert so I can read how to obtain the same SSL you have from Let's Encrypt please.

b) I also tried to add the code as it is written to /etc/sw-cp-server/conf.d/plesk.conf.
1. Am I supposed to change $hostname to something other than what's in the code
or copy and paste it as is.

because I tried adding the code below in that file and I got errors when
Restarting: sw-cp-server and sw-engine services

- the code you gave me is below

Code:
set $test "0";
if ( $host = '$hostname' ) {
    set $test "1";
}
if ( $test = "0" ) {
    rewrite ^/(.*)$ https://$hostname:8443/$1 permanent;
}

C) PRIOR to your code I have followed directions in Plesk support, "before your code was added"
Instructions were to create a z-plesk.conf file and add this code below for IP to hostname redirect
  1. Connect to the server via SSH.

  2. Create the /etc/sw-cp-server/conf.d/z-plesk.inc file:

    # touch /etc/sw-cp-server/conf.d/z-plesk.inc

  3. Open the /etc/sw-cp-server/conf.d/z-plesk.inc file via any text editor and add the following rows to it:

    Note: change the "203.0.113.2" IP address to the correct Plesk IP address.

    Change the "hostname.com" website to the correct Plesk server hostname.
    Code:
    if ($host ~ '203.0.113.2'){
    rewrite ^/(.*)$ https://hostname.com:8443/$1 permanent;
    }
  4. Restart sw-cp-server and sw-engine services:

    # service sw-cp-server restart && service sw-engine restart
So is this file I've created maybe the issue that the code you gave me is not working ?
Do I delete the file z-plesk.conf and just add your code to plesk.conf ?
Or is it strictly that the SSL cert I have installed in plesk ( Let's Encrypt Wild Card SSL ) this SSL cert is the wrong one and my issue ?

Thank you for all the Help in advance,


Spiro
 
a) I am a little stumped on the SSL certificate you said you're using, "I am using Let's Encrypt Wild Card SSL that I enabled from Plesk" Is this not the same SSL Cert you are using?
No. It's different. The SSL Certificate that we are using, to the best of our knowledge, cannot (yet) be generated using the Plesk Let's Encrypt extension. We use acme.sh which you can source from here: Neilpang/acme.sh
if not can you give me a link to the correct SSL cert so I can read how to obtain the same SSL you have from Let's Encrypt please
The link above is an application to generate the type of SSL Certificate you would need if you want to proceed with this.
It's an 'all CLI based' package, but all of the notes provided and a little patience :D make it very effective
b) I also tried to add the code as it is written to /etc/sw-cp-server/conf.d/plesk.conf. 1. Am I supposed to change $hostname to something other than what's in the code
or copy and paste it as is, because I tried adding the code below in that file and I got errors when
Restarting: sw-cp-server and sw-engine services
There's no requirement to change anything. We use it exactly as we have posted it on here. Can you post the 'errors'? because it's not clear from the context, if you're referring to errors associated with /etc/sw-cp-server/conf.d/plesk.conf OR the errors (warnings) that your initial post was about.
C) PRIOR to your code I have followed directions in Plesk support, "before your code was added" Instructions were to create a z-plesk.conf file and add this code below for IP to hostname redirect
Connect to the server via SSH.
Create the /etc/sw-cp-server/conf.d/z-plesk.inc file:
# touch /etc/sw-cp-server/conf.d/z-plesk.inc
Open the /etc/sw-cp-server/conf.d/z-plesk.inc file via any text editor and add the following rows to it:
Note: change the "203.0.113.2" IP address to the correct Plesk IP address.
Change the "hostname.com" website to the correct Plesk server hostname.
Code:
if ($host ~ '203.0.113.2'){
rewrite ^/(.*)$ https://hostname.com:8443/$1 permanent;
}
Restart sw-cp-server and sw-engine services:
# service sw-cp-server restart && service sw-engine restart
We didn't do this exactly as described in the method above, but we do use an identical file (/etc/sw-cp-server/conf.d/z-plesk.inc) with identical content, apart from it's our own IP and our own hostname url instead of the data that's shown above. As you'll know already if you've tried it and as Plesk actually explain why on that very page, it's impossible to prevent the 'warnings' that occur, when initially re-directing from an IP address, not a URL
So is this file I've created maybe the issue that the code you gave me is not working? Do I delete the file z-plesk.conf and just add your code to plesk.conf?
No to the first question (because we're using both without issues) and no to the second as it's not the cause of your specific problem
Or is it strictly that the SSL cert I have installed in plesk (Let's Encrypt Wild Card SSL ) this SSL cert is the wrong one and my issue? Spiro
Yes, effectively ;) See the very first part of this reply for the relevant info. It's NOT that the certificate that you have is wrong, it's that the certificate you have does NOT have sufficient content to cover this particular demand. Meaning... that despite it being a Let's Encrypt Wildcard Certificate and just as @Ales identified in his earlier post, it's only applicable to one domain (webserver) which isn't enough in this particular case. It's not a Let's Encrypt, Multi-Domain / All Wildcard / SSL Certificate, which is what we use, to achieve this type of re-direct. NB IF you have a large number of domains, then don't forget to consider in advance, the downside (manual certificate renewal process etc) that we mentioned last time, before doing this :)

Edit - At the time of posting this, we're still on Onyx 17.8.11, having tried Obsidian, but waiting to answer a few more questions first, before completely upgrading and switching over to Obsidian completely. The Obsidian setup for this area, might be different, it's probably not to be honest but...
 
@Spirogg We're now running Obsidian, not Onyx, as the Obsidian GA release was made between us last posting on this thread and your post above. Everything does work exactly the same for us, with no problems, as we'd speculated in post #5 above but there is one change required. Obsidian uses the Advanced Monitoring and Grafana extensions, which were not present in Onyx. Plesk support very helpfully advised us that for both of these to work as intended, the re-direct that we detailed in post #3 above needs slightly enhancing. It is now as shown below and a) works just as it did in post #3 for re-directs etc and both of the Advanced Monitoring and Grafana extensions run perfectly.
Code:
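# Flag stays "0" unless the request was addressed to an allowed name
set $test "0";
# Requests for the server's own host name are served as-is
if ( $host = '$hostname' ) {
    set $test "1";
}
# Requests addressed to 127.0.0.1 are also left alone (the change described above)
if ( $host = '127.0.0.1' ) {
    set $test "1";
}
# Everything else on :8443 gets a permanent (301) redirect to the host name
if ( $test = "0" ) {
    rewrite ^/(.*)$ https://$hostname:8443/$1 permanent;
}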
Other than that ^^ change, everything remains as we've posted previously if/when you've upgraded to Obsidian.
 
hi @learning_curve

thanks so much for the update :), I am thinking this update is still using (The SSL Certificate. We use a Let's Encrypt, Multi-Domain / All Wildcard / SSL Certificate that covers both the host domain itself AND all of the hosted domains with wildcard status on all of them.) I will upgrade and try it out -

Quick Question - does it matter If I run php-fpm with nginx or php-fpm with apache ? should this not matter, just wondering because of the redirect ?

thanks again for updating to this post :) much much appreciated
 
...I am thinking this update is still using (The SSL Certificate. We use a Let's Encrypt, Multi-Domain / All Wildcard / SSL Certificate that covers both the host domain itself AND all of the hosted domains with wildcard status on all of them.)
Yes, that's correct. Although plenty of normal Let's Encrypt certificates are in use too.
As posted: We use acme.sh for this type of certificate and you can source the application from here: Neilpang/acme.sh

It's worth us mentioning that in our case and by choice, our Plesk Host FQDN is a sub-domain of our hosted domains let's call it my-domain.com This sub-domain is also the server's reverse dns (ptr record) etc etc.

So, again in our case, once the certificate is generated via acme.sh, we add it as a server pool certificate in here: sub-domain-my-domain.com:8443/admin/ssl-certificate/list then we make that the certificate for securing Plesk and mail, then, we use the 'Make Default' option and finally, we remove the previous server pool certificate that was in use for all of those functions (as was due to expire, so it was replaced etc).

Once all that's done ;) we can visit any my-domain.com setup in Plesk and because it is a *Multi-Domain / All Wildcard / SSL Certificate that covers this domain (as well as others) we can see it - certificate name (other repository) and select it (if we want to) in both the Hosting Settings and the Mail settings for that my-domain.com itself. Or, we can continue to use the normal Let's Encrypt Certificate generated via the Plesk Extension and/or the SSL It Extension. Having said that, for the domain that has the sub-domain, that is the Plesk Host FQDN (see above) then yes, we always use the certificate name (other repository) by choice.

By generating the Multi-Domain / All Wildcard / SSL Certificate, the same certificate fully covers any of our hosted my-domain.com (public) AND my-domain.com:8443 (Plesk) urls but these are all re-directed to sub-domain-my-domain.com:8443 (main Plesk admin url) anyway (as you know from the previous posts in this thread) This final destination of course, is also covered by the same certificate. It does sound a bit over-complicated now we've typed it out, but if you do it and if you're not using a sub-domain as your Plesk Host FQDN / server ID etc then your own process might be a bit easier
Quick Question - does it matter If I run php-fpm with nginx or php-fpm with apache ? should this not matter, just wondering because of the redirect ?
We have never tested the difference to be honest, but all of this is all reliant on well set up DNS anyway, so routing via nginx or apache shouldn't make any difference we think
 