
Panel does not use the whole certificate chain

TobiasP

Regular Pleskian
I recently installed a new SSL certificate for my domain. I also installed 2 intermediate CA certificates. Then I used the "secure panel" function so that the Plesk panel uses this new certificate.
When I run an SSL check at http://www.sslshopper.com/ssl-checker.html it says that the certificate chain is broken because only the domain certificate is transmitted but not the intermediate CA. (The rootchain.pem file seems not to be used by the Plesk panel server.)

Plesk 11.5.30 Update #13 on Debian 7.1

Please fix this bug.
 
Ok sorry,

Let's try this then.

nano /usr/local/psa/admin/conf/httpsd.pem

Make sure that your certificate file looks like this:

Code:
-----BEGIN RSA PRIVATE KEY-----
(Your Private Key: your_domain_name.key)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: your_domain_name.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: Intermediate.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate: TrustedRoot.crt)
-----END CERTIFICATE-----

Make any changes, save and restart Plesk.
 
Okay, I thought of trying this. But I have other services using the httpd.pem file and the rootchain.pem file (courier, postfix). Are there problems to be expected when there are duplicate certificates? Also the httpd.pem file is auto-generated, so I don't want to mess with it but rather change the config of the Plesk panel server to also use the rootchain.pem file.
 
I guess what I'm trying to determine here is if you setup the certificate correctly in the panel. I have multiple Plesk installs and all of them have SSL certificates securing the panels. I haven't seen this issue and I attempted to re-create the issue on a demo box we have and it installed the cert correctly.

To answer your question, the certificate file is just that, a file containing your certificate. Changing it won't affect anything, and actually if you are referencing all of your services to use your control panel cert they should also fail SSL tests.

I'm not sure what you mean by duplicate certificates either. You can replicate the same certificate as many times as you want. Almost all SSL certificates can even be installed on multiple machines.

Yes the file is auto generated but you can always, and should, keep a copy of the original by doing a cp command.

For securing the panel there shouldn't be a separate rootchain.pem or trusted root certificate. This should all be in the httpsd.pem. If you look at my previous post your httpsd.pem file should look just like the example I posted.
 
Thanks for trying to help me. Hopefully I can give you more information:
I have 2 Plesk Panel servers and this issue persists on both machines... Maybe I have made a mistake installing the certificate, but I did everything by the book. I uploaded my certificate under Certificate and uploaded the intermediate CA and root CA under the second file upload.
After that I selected this certificate and used the secure panel function. At the first try this issued a "Template_Exception: Syntax error....." error, but only on one of the two servers. At the second try everything worked normally, and I think this step produced the httpd.pem and rootchain.pem files under /opt/psa/admin/conf/.

Since pop3, imap and smtp do not use the panel certificate, not even after you set a certificate corresponding to an IP address under Tools & Resources->IP Addresses (why should you do this anyway?),
I edited the config files "pop3d-ssl" and "imapd-ssl" under /etc/courier-imap/ and set TLS_CERTFILE pointing to the httpd.pem and, since this file (on my two servers) only contains the private key and the certificate, the TLS_TRUSTCERTS variable to the rootchain.pem file.
Same with postfix in the /etc/postfix/main.cf file with the "smtpd_tls_cert_file" and "smtpd_tls_CAfile" variables.

With these settings I could verify with openssl that the SSL chain is working correctly with pop, imap and smtp.
Only the panel SSL is failing, as it obviously only uses the httpd.pem file.

I'm curious why mine only contains my PK and cert and not the intermediate CAs when yours contains everything...
Maybe the panel failed to combine these two files together?
I grep'd the server for "rootchain.pem" and the file seems to be referenced in some files...

By duplicates I meant whether it would be a problem for courier and postfix if they load the httpd.pem file containing everything and then the rootchain.pem which also contains the CA certificates.

Edit:
Another thing I just noticed:
When I try to access my panel at http://domain.tld:8443 I get the message "400 Bad Request The plain HTTP request was sent to HTTPS port" and it says "nginx" at the bottom, so I'm using it after all, but not that I knew of....
 
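The procedure given earlier in this thread (concatenate key, leaf, intermediates and root into httpsd.pem) and the openssl verification the original poster mentions, written out as a shell script. This is an added example, not code from the thread or from Plesk: all file names, paths and host names are placeholders. The audit and split functions work on any PEM bundle offline; the chain_order_report, verify_chain and served_chain_length functions wrap the openssl commands a practitioner would run against real certificates and the live panel, so they need openssl (and, for the last one, network access) and are not exercised here.

```sh
#!/bin/sh
# Added example (not from this thread or from Plesk): build the combined
# httpsd.pem the panel reads, in the order the post above shows, and audit a
# bundle for the symptom described here (key + leaf only, no CA certificates).
# File names, paths and host names are placeholders.
set -eu

# Count PEM blocks whose BEGIN line matches an ERE type, e.g. 'CERTIFICATE'.
# Prints 0 (and exits 0) when there is no match or no such file.
count_blocks() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -Ec "^-----BEGIN ($2)-----" "$1" || true
}

# Assemble the bundle: private key, leaf, then each intermediate, then root.
build_bundle() {
    # usage: build_bundle OUTFILE domain.key domain.crt [Intermediate.crt ...] [TrustedRoot.crt]
    out=$1; shift
    cat "$@" > "$out"
    chmod 600 "$out"    # the file carries the private key
}

# Audit a bundle: exactly one private key and at least two certificates
# (leaf plus at least one CA). A key+leaf-only file, which is what the
# original poster found in httpsd.pem, fails and is reported.
audit_bundle() {
    f=$1
    keys=$(count_blocks "$f" '(RSA |EC )?PRIVATE KEY')
    certs=$(count_blocks "$f" 'CERTIFICATE')
    status=0
    [ "$keys" -eq 1 ] || { echo "$f: expected 1 private key, found $keys"; status=1; }
    [ "$certs" -ge 2 ] || { echo "$f: $certs certificate(s) only, no intermediate CA will be sent"; status=1; }
    return $status
}

# Split the certificates of a bundle into DIR/1.pem, DIR/2.pem, ... in file
# order (the key block is skipped), so each can be inspected on its own.
split_certs() {
    # usage: split_certs BUNDLE DIR   (DIR must exist)
    awk -v d="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; f = d "/" n ".pem" }
        f != ""                        { print > f }
        /^-----END CERTIFICATE-----/   { close(f); f = "" }' "$1"
}

# Print subject and issuer of each certificate in order. In a correct bundle
# the issuer of block N is the subject of block N+1, ending at the root.
# Needs openssl; not exercised offline.
chain_order_report() {
    d=$(mktemp -d)
    split_certs "$1" "$d"
    i=1
    while [ -f "$d/$i.pem" ]; do
        echo "#$i"; openssl x509 -noout -subject -issuer -in "$d/$i.pem"
        i=$((i + 1))
    done
    rm -rf "$d"
}

# Offline chain check (what the original poster did for pop/imap/smtp):
# succeeds only if the leaf validates against the CAs in rootchain.pem.
# Note that everything in the -CAfile is treated as trusted.
verify_chain() {
    # usage: verify_chain domain.crt rootchain.pem
    openssl verify -CAfile "$2" "$1"
}

# What the panel actually sends: number of certificates in the handshake.
# 1 reproduces the "chain broken" report from the online checker; 2 or more
# means the intermediates are being served. Needs openssl and the network.
served_chain_length() {
    # usage: served_chain_length HOST [PORT]   (panel default is 8443)
    openssl s_client -connect "$1:${2:-8443}" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | grep -c '^-----BEGIN CERTIFICATE-----' || true
}
```

Run audit_bundle against /usr/local/psa/admin/conf/httpsd.pem before and after rebuilding it: a file that only holds the key and the leaf is exactly the condition the SSL checker reports as a broken chain, and the grep-level audit cannot tell leaf from intermediate, which is what chain_order_report is for.
 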
Well if you are using Nginx, which by the way is enabled by default under 11.5+, then you might want to refer to the link that I posted as it's a known issue. The certificates aren't being sent with the CA, which is what you are describing.

The reason you got a 400 on the domain you listed is because you are using http not https.

Port 8443 is an SSL port for the panel. You can only use https when connecting to this port. If you attempt to connect to the port with http:// you'll get the 400 error.
 
Try a multi-domain certificate; there are even wildcard multi-domain ones now. Or you can also look into SNI for installing more than one cert on a single IP. Those multi-domain ones are the way to go as they are more compatible with all the browsers and OSs. Here is a list of some: http://www.ssltrust.com.au/multi-domain-ssl-certificates.html
 
Why should this be of help in any way?
Plesk should load the CAs from the rootchain file. Period.
My workaround is to combine everything into the one file that the Plesk panel reads.
 