Issue Plesk Onyx / Let'sEncrypt

[CerdanS]

Hi everybody,

I installed and used Let's Encrypt with Plesk Onyx and it worked fine for maybe a month.

Since few days, my https://domain.com always works fine and is SSL secure...

But my webmail.domain.com gets security issue on chrome, firefox, edge...

Saying someone maybe try to hack me... not the issue in fact, I tried to add directives to nginx for secure (samedomain), since I removed those directives from nginx box from onyx, but it seems that's always in memory even after restart...

How to disable ssl for webmail, tried in plesk Onyx, default and all other tests, even desactivated Let's Encrypt, set all options on default (no ssl), but domain always try to go to https instead of http, so I'm unable since 48h to use my webmail...

Any idea to skip https and use http for webmail ? or maybe where should I take a look ?

In attachment 2 screen captures, one for https://domain.com (green, no problem), other for https://webmail.domain.com (red)...



I also added one screen capture of cert for rejected https...

I use roundcube as webmail, it worked until now.

Thanks a lot.

Cerdan

 

[IgorG]

Surely, the certificate signed for domain.com will not work on webmail.domain.com.
In scope of the Let'sEncrypt support improvements, we are going to include to certificate subdomains like webmail.domain.com, so certificate will be valid for domain and webmail.

 

[CerdanS]

Hi Igor, thanks for reply.

In fact some strange things, it already worked with (maybe more than a month), and Google Chrome and others displayed SSL connexion OK.

In fact I tried to secure from some code injections (sameorigin...) and paste code in NGINX section on server config in Onyx, since Webmail stopped to work... I removed this code and it stays now third day with security isue message and impossible to connect to webmail, maybe Google will take off message after few days ? but Firefox and Edge says same thing, so maybe problem comes from there. I also used an online tool to test server to see if it block code injections, maybe the tool tried and by testing for security issues blocked server... not sure from where it comes

My question is how to enable for webmail to access via http://webmail.domain.com and not via https://webmail.domain.com to continue to access my mails...

Thanks again for help.

 

[Bitpalast]

https:// is not the Plesk default setting, so it is difficult to tell what exactly is causing it on your system. http:// protocol is the default configuration to access webmail.* domains on Plesk servers. There is not specific setting for webmail.* to choose http:// or https://.

If your http:// requests are being redirected to https:// you have set a directive that tells the server to redirect all http:// traffic to https://. This could be the GUI > Your subscription > Websites & Domains > Hosting Settings "Permanent SEO-safe 301 redirect from HTTP to HTTPS", but it could also be an additional .conf file in /etc/httpd/conf/plesk.conf.d/webmails with a redirect instruction set like

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

You will need to identify what setting is causing the redirect and remove it if you don't want the redirect.

 

[CerdanS]

Hi Peter, thanks for reply.

It was on my .htaccess file, I've retired it, and it works now on firefox (http), on chrome don't know why it forces https... maybe chrome tests if https exists and by default go on https for a domain.

I see on Mozilla (can access now on http instead of https)...

Mozzila says :

webmail.domain.com use invalid certificate... (translate from french) The certificate is only valid for domain.com and www.domain.com
Error code : SSL_ERROR_BAD_CERT_DOMAIN

So I think it comes from there...

It worked for maybe a month, and it doesn't work anymore, option in Onyx/Let'sEnrypt exists to secure Webmail, so I'll let few days without and if it comes back to accept http on chrome, I'll try it again.

Thanks again for help.

Cerdan

 

[Christopher Pettet]

The simplest answer to this that I can give as it stands (with the webmail certification issue) is to put the protocol in the web address. In other words, instead of using https://webmail.<domain> use http://webmail.<domain> and then you will get to the site without any nagging warning and using the HTTP rather than HTTPS protocol. Just a word of caution, if you have set your site to use SSL by default and you do NOT put in the protocol then it will default to HTTPS so don't call using webmail.<domain> without specifying the protocol if you don't want the warnings.

 

[CerdanS]

Hi Christopher, thanks for reply, I was not at office few days, sorry for delay.

Yes I'll try, but since this morning, unable to access to PLESK... ssl certificate error (letsencrypt), so I cannot change anything, don't know how to disable SSL, because every web navigator reject my connection... In firefox for example "https://domain.com:8443" > Error code : SSL_ERROR_INTERNAL_ERROR_ALERT and if I try http pannel won't open asks for https... any idea maybe ? Thanks.

 

[CerdanS]

Update, I accessed to PLesk via other domain name (main from host, not my own... they provide an IDBOX.theirdomain.com:8443... so I can access. I'll try to disable SSL and get all things back to normal, maybe later I'll try again SSL...

 

[Christopher Pettet]

Can you SSH into your server? If you can and you have future issues (or even current) with connecting via the web interface, try using the Plesk repair tool to help sort things out. Also, until you get SSL sorted, you don't need to disable SSL, just make sure you can use either the HTTP or HTTPS protocol which I believe is accomplished by making sure there is no check in the "Permanent SEO-safe 301 redirect from HTTP to HTTPS" checkbox under your domain's hosting settings.

 

[layerwire]

Surely, the certificate signed for domain.com will not work on webmail.domain.com.
In scope of the Let'sEncrypt support improvements, we are going to include to certificate subdomains like webmail.domain.com, so certificate will be valid for domain and webmail.

Any dates? This feature is in suggest list since 2016.

 

[Bitpalast]

Q2 2017

 

[CerdanS]

Can you SSH into your server? If you can and you have future issues (or even current) with connecting via the web interface, try using the Plesk repair tool to help sort things out. Also, until you get SSL sorted, you don't need to disable SSL, just make sure you can use either the HTTP or HTTPS protocol which I believe is accomplished by making sure there is no check in the "Permanent SEO-safe 301 redirect from HTTP to HTTPS" checkbox under your domain's hosting settings.

Hi Christopher, many thanks for help. I found a solution directly by access to server with https://ID_SERVER.myserverprovider.com and it goes directly to login, after I disabled totally SSL tools and every SSL option, restarted server and actually use without SSL for few days, until Chrome forget this error, maybe I'll try again in few days.

I appreciate your mail, and time spent to try to help me. Thanks again.
Cerdan

 

[Christopher Pettet]

I've just reread your initial post and from what I understand, you are trying to use https on your site but NOT for webmail? Is this correct? If it is then I can tell you how to do this as I am running that exact same setup on 6 domains. If this is what you're looking to do, let me know and I'll tell you how do do it without any Apache or nginx rewrites or anything like that.