
Plesk, Nginx and SSL

Piggy2727

New Pleskian
I've installed Plesk 12.0.18 Update #18 on a Linux root server.
The domain's SSL certificates are in their place but https is not working.
The certificates are configured via "Hosting settings".
The Google Chrome error message is ERR_CONNECTION_RESET.

/var/log/nginx/error.log says:

Code:
2014/10/17 18:56:46 [error] 23189#0: *23 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 46.128.XX.XXX, server: 81.169.XXX.XXX:443

As far as I can see, httpd.conf and nginx.conf are okay.
Both configurations point to the cert file in /opt/psa/var/certificates/

access_ssl_log and proxy_access_ssl_log are empty.

Horde webmail connections over SSL aren't working either.
 
Just try to re-enable SSL support for the domain. This helps very often.
 
Hello,
I have the same problem with my domain in Plesk (12.0.18 Update #26, on Ubuntu 14.04.1 LTS). I have enabled SSL usage and created a self-signed certificate. It's assigned and Plesk shows the info that it is used. But when I try to load the website over https, nginx gives me the same error as Piggy2727. Enabling, disabling and re-enabling SSL usage does not help. Any ideas? :/ But Plesk itself is working with SSL...
 
In /etc/nginx/plesk.conf.d/vhosts/@xxx.conf are the following definitions for ssl:

server {
listen 85.xxx.xxx.xxx:443 ssl;

server_name xxx.de;
server_name www.xxx.de;
server_name ipv4.xxx.de;

ssl_certificate /opt/psa/var/certificates/cert-4uznHW;
ssl_certificate_key /opt/psa/var/certificates/cert-4uznHW;
ssl_session_timeout 5m;

ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;

client_max_body_size 128m;

root "/var/www/vhosts/xxx.de/httpdocs/public";
access_log "/var/www/vhosts/system/xxx.de/logs/proxy_access_ssl_log";
error_log "/var/www/vhosts/system/xxx.de/logs/proxy_error_log";

if ($host ~* ^www.xxx.de$) {
rewrite ^(.*)$ https://xxx.de$1 permanent;
}

location / {
proxy_pass https://85.xxx.xxx.xxx:7081;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Accel-Internal /internal-nginx-static-location;
access_log off;
}

location /internal-nginx-static-location/ {
alias /var/www/vhosts/xxx.de/httpdocs/public/;
add_header X-Powered-By PleskLin;
internal;
}

}

So in my opinion the certificate is defined and it's in the correct folder, why the error and no https working?
 
Hi Marcel1,

first of all, I can see with your configuration, that your whole server is not secured against the "Poodle vulnerability". Please check these two links to solve this issue:




Afterwards, please consider updating your operating system ( with apt-get or yum ), so that your openssl package is up to date for your server.
If you still experience issues, you might want to use the command:

/usr/local/psa/admin/sbin/httpdmng --reconfigure-all

... to be sure, that all configuration - files are correctly configured and if this still doesn't help, you might want to use the bootstrapper repair procedure, which helps to correct quite a lot of misconfigurations:

/usr/local/psa/bootstrapper/pp12.0.18-bootstrapper/bootstrapper.sh repair

Sometimes it is as well a good idea to run the command "/usr/local/psa/admin/bin/autoinstaller --select-product-id plesk --select-release-current --reinstall-patch --install-component base", just to be sure, that your Plesk software is updated and patched to the latest version.


If in any case you still experience issues, please have another look at your error - logs ...


... and consider as well some loglevel changes in your configuration files, to get some more detailed information in your error logs afterwards.
 
So I did all the instructions and I have to say that I'm nearly a newbie in webserver management - that's why I'm using Plesk and I'm thankful for every help!

Step 1) I loaded the script for Linux that should deactivate the SSL 3.0 fallback, poodle now shows the following result:
85.xxx.xxx.xxx:21 - Not vulnerable. Failed to establish SSLv3 connection.
85.xxx.xxx.xxx:587 - Not vulnerable. Failed to establish SSLv3 connection.
85.xxx.xxx.xxx:443 - Not vulnerable. Failed to establish SSLv3 connection.
85.xxx.xxx.xxx:465 - Not vulnerable. Failed to establish SSLv3 connection.
85.xxx.xxx.xxx:7081 - Not vulnerable. Failed to establish SSLv3 connection.
85.xxx.xxx.xxx:8443 - Not vulnerable. Failed to establish SSLv3 connection.
85.xxx.xxx.xxx:993 - Not vulnerable. Failed to establish SSLv3 connection.
85.xxx.xxx.xxx:995 - Vulnerable! SSLv3 connection established using SSLv3/DHE-RSA-AES256-SHA
So SSL is still possible for mail right? Is that correct?

Step 2) /usr/local/psa/admin/sbin/httpdmng --reconfigure-all
Step 3) /usr/local/psa/bootstrapper/pp12.0.18-bootstrapper/bootstrapper.sh repair
Step 4) /usr/local/psa/admin/bin/autoinstaller --select-product-id plesk --select-release-current --reinstall-patch --install-component base

I even restarted the server and stopped nginx, because I thought nginx aborted the request, but it was still aborted from apache2 (I think).

So nothing changed, how can I change the log level?

nginx error.log is still:
[error] 16144#0: *50 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 94.139.16.155, server: 85.xxx.xxx.xxx:443

In /etc/nginx/plesk.conf.d/vhosts/@xxx.conf are now the following definitions for ssl:
server {
listen 85.xxx.xxx.xxx:443 ssl;

server_name xxx.de;
server_name www.xxx.de;
server_name ipv4.xxx.de;

ssl_certificate /opt/psa/var/certificates/cert-4uznHW;
ssl_certificate_key /opt/psa/var/certificates/cert-4uznHW;
ssl_session_timeout 5m;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;

client_max_body_size 128m;

root "/var/www/vhosts/xxx.de/httpdocs/public";
access_log "/var/www/vhosts/system/xxx.de/logs/proxy_access_ssl_log";
error_log "/var/www/vhosts/system/xxx.de/logs/proxy_error_log";

if ($host ~* ^www.xxx.de$) {
rewrite ^(.*)$ https://xxx.de$1 permanent;
}

location / {
proxy_pass https://85.xxx.xxx.xxx:7081;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Accel-Internal /internal-nginx-static-location;
access_log off;
}

location /internal-nginx-static-location/ {
alias /var/www/vhosts/xxx.de/httpdocs/public/;
add_header X-Powered-By PleskLin;
internal;
}

}

What now? Did I forget something? :/
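
Added example (not part of any post in this thread, and not Plesk tooling): nginx logs the "no ssl_certificate is defined" error for the server block it selects for the handshake on that listen address, which can be a different block than the vhost posted above. This Python script lists every `listen ... ssl` server block that lacks `ssl_certificate` or still enables SSLv2/SSLv3; the sample config, its addresses and its names are constructed.

```python
import re, sys
WEAK = {"SSLv2", "SSLv3"}  # protocols the POODLE advice in this thread removes

def server_blocks(text):
    """Yield the body of each brace-matched `server { ... }` block."""
    text = re.sub(r"#[^\n]*", "", text)  # strip comments
    for m in re.finditer(r"\bserver\s*\{", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield text[m.end():i - 1]

def directives(body):
    """Map directive name -> list of argument lists, server level only."""
    out, depth = {}, 0
    for stmt in re.findall(r"[^;{}]+[;{]|\}", body):
        words = stmt[:-1].split()
        if stmt[-1] != ";":              # "{" opens a nested block, "}" closes it
            depth += 1 if stmt[-1] == "{" else -1
        elif depth == 0 and words:
            out.setdefault(words[0], []).append(words[1:])
    return out

def audit(label, text):
    """Return (where, problem) pairs; a cert inherited from http{} is not seen."""
    findings = []
    for n, body in enumerate(server_blocks(text), 1):
        d = directives(body)
        ssl = [" ".join(a) for a in d.get("listen", []) if "ssl" in a[1:]]
        if not ssl:
            continue
        where = f"{label} server#{n} listen {ssl[0]}"
        if "ssl_certificate" not in d:
            findings.append((where, "no ssl_certificate"))
        weak = WEAK & {p for a in d.get("ssl_protocols", []) for p in a}
        if weak:
            findings.append((where, "weak ssl_protocols " + " ".join(sorted(weak))))
    return findings

# Constructed sample: a vhost with a certificate plus a second block without one
SAMPLE = """
server { listen 192.0.2.10:443 ssl; ssl_certificate /opt/psa/var/certificates/cert-EXAMPLE;
  ssl_protocols SSLv2 SSLv3 TLSv1; location / { proxy_pass https://192.0.2.10:7081; } }
server { listen 192.0.2.10:443 ssl; server_name webmail.example.test; }
"""

if __name__ == "__main__":  # pass config files as arguments, else use SAMPLE
    for label, text in [(p, open(p).read()) for p in sys.argv[1:]] or [("sample", SAMPLE)]:
        print(*audit(label, text), sep="\n")
```

Run it with every file under /etc/nginx/plesk.conf.d/ as arguments, not only the vhost file of the affected domain, since the block without a certificate may live in another file.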
 
Hi Marcel1,

you could try to replace your several certificates ( Start > Tools & Settings > SSL-Certificate .... create new ones first ... ) and change the IP-based certificates afterwards ( Start > Tools & Settings > IP Addresses ). Afterwards you could delete non-used "old" certificates, just to clean up your system. When you have finished with this, it might be a good idea to change the domain-specific certificates as well at: Start > Abonnements > YOURDOMAIN.COM > Websites & Domains > YOURDOMAIN.COM > SSL certificates
 
That didn't help. :(
In nginx error.log still the same error and in apache2 error.log:
[Thu Dec 04 16:20:41.059290 2014] [ssl:warn] [pid 29627] AH01909: RSA certificate configured for horde.webmail:443 does NOT include an ID which matches the server name
[Thu Dec 04 16:20:41.059430 2014] [ssl:warn] [pid 29627] AH01909: RSA certificate configured for lists:443 does NOT include an ID which matches the server name
[Thu Dec 04 16:20:41.059568 2014] [ssl:warn] [pid 29627] AH01909: RSA certificate configured for default-85_214_221_163:443 does NOT include an ID which matches the server name
[Thu Dec 04 16:20:41.059628 2014] [ssl:warn] [pid 29627] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)

I don't want to reinstall plesk on the server and do all the configuration again - and I don't know if that would even help...
 
Https is working now. But I don't really know why. Maybe it was the Plesk update or the reconfiguration: /usr/local/psa/admin/sbin/httpdmng --reconfigure-all
or /usr/local/psa/bootstrapper/pp12.0.18-bootstrapper/bootstrapper.sh repair, which I did again after the Plesk update.
 