• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:
    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Question Possible to secure Plesk with Origin SSL?

JohnBee

JohnBee

Basic Pleskian
Server operating system version
Ubuntu 22.03
Plesk version and microupdate number
Latest
Having discovered the effect of Cloudflare's proxy DNS feature on the Plesk panel, I wondered if this could be accomplished using Cloudflare's Origin Certificate?

I tried creating a Cert and installing/securing Plesk under the Tools & Settings > SSL/RLS Certificates, but quickly discovered that Plesk didn't like that, as this resulted in terminating my sessions and resetting the admin password, every time I clicked a link in the interface.

And so I wanted to ask if there was anyone was successful in securing Plesk with Cloudflare's Origin SSL certificate?
 
Hi and thanks for the link.
As far as I can tell, the guide is intended for securing domains under Plesk, which I can confirm is working as intended, though what I'm asking is for Pkesk itself, and under the 'Secure Plesk' option.

PS, I did try to create a Cert and assign it to Plesk following the above mentioned method, but found the it would not work properly, and that this caused a host of issues. Which leads ms to question if it is even possible to assign a 3rd party SSL cert. to Plesk itself?
 
JohnBee said:
Which leads ms to question if it is even possible to assign a 3rd party SSL cert. to Plesk itself?
Click to expand...
This should not be an issue and should work just as well as an Let's Encrypt certificate.

Note that the Cloudflare's Origin SSL certificate is only supposed to be used when also using CF as a proxy. Using CF as proxy for the host name of your server however is not recommended! As you perhaps already discovered it can cause a whole range of issue. From issue's with email (CF does not allow for traffic over port 25 when in proxy) to trouble with accessing your server.
 
Hi and thanks for the comment.
I've decided to give it a try and see if I might get better results - this is a test server, and so no harm done

That said, I've accomplished thus far and have a question;

1. Created Origin SSL Cert under Cloudflare
2. Populated and Uploaded Cert under Tools > SSL /TLS Certificates
3. Confirmed Certificate in Certificate Pool

Following this and after assigning the Certificate to secure Plesk from the server pool, the connection, I get a website not secure error - your certificate is not valid. And in contrast with the same SSL Certificate type and process(CF Origin) applied to a hosted domain under Plesk, where everything works as expected,

Any ideas or suggestions as to what might be causing this?

PS. I have compared both the working and non-working certificate contents, as well as CF settings to be identical between both instances
 
If you are trying to access the plesk panel and getting that certificate error.

1. Create wildcard cloudflare origin certificate
2. install it on server - select it for secure plesk option
3. cloudflare ssl setting should be full or strict.
4. customize plesk login url from tools and settings - like plesk.domain.com and add this dns record to cloudflare. Enable proxy for this subdomain. You don't need to add this as domain/subdomain as website hosted on plesk.

Now login plesk.domain.com:8443 you should not see certificate error.

Do note cloudflare origin certificate is only recognized by cloudflare.
 
Just to update;

It has been over 24 hours since I've installed the CF Origin SSL/TLS Certificate onto Plesk
As I wanted to allow time to allow the changes to propagate.

That said and quite interestingly the certificate chain is still coming back invalid, as there remain a Let's Encrypt Element in the chain;




PS. the server is completely empty and all traces of Let's Encrypt have been removed from the Certificate pool, in-fact, I have removed the supporting plugin altogether - also the domain name and hash' in the screenshot have been changed for security measures
 
Last edited by a moderator:
Even though the Let's Encrypt certificates were removed from the system?

As for following procedures, the answer is yes. In fact I have since installed a new Plesk installation to rule out the potential interference from previous certificates, only to find the same behaviour taking place.

That said, I'm beginning to think, these particular Certificates may not compatible with Plesk in such applications(securing Plesk itself) - granted, they do appear to work just fine on hosted domains, though for some reason(unknown to me), they don't seem to work in securing Plesk itself.

PS. I remain hopeful that the Plesk support team can help in finding an explanation for this behaviour, as I have opened a ticket and request for help.
 
JohnBee said:
Even though the Let's Encrypt certificates were removed from the system?
Click to expand...
That correct. I can understand your confusion. CloudFlare however is using Let's Encrypt as a certificate authority for some their certificates completely independent of any Let's Encrypt certificate issued by Plesk for your server.

JohnBee said:
That said, I'm beginning to think, these particular Certificates may not compatible with Plesk in such applications(securing Plesk itself) - granted, they do appear to work just fine on hosted domains, though for some reason(unknown to me), they don't seem to work in securing Plesk itself.
Click to expand...
This should not be an issue. Though in your case it somehow isn't working. I'll note again however that using CloudFlare to secure Plesk it self is not recommended.

JohnBee said:
PS. I remain hopeful that the Plesk support team can help in finding an explanation for this behaviour, as I have opened a ticket and request for help.
Click to expand...
Let us know the outcome.
 
Hi and thanks for your ongoing help and interest in this matter.
That said, as I have; a domain, Plesk and Cloudflare test accounts, would you consider taking a look to see if you might identify something obvious?
I can provide SSH and Plesk and Cloudflare access.

PS. I extend an invitation to anyone who is willing to help with this
 
JohnBee said:
Hi and thanks for your ongoing help and interest in this matter.
That said, as I have; a domain, Plesk and Cloudflare test accounts, would you consider taking a look to see if you might identify something obvious?
I can provide SSH and Plesk and Cloudflare access.

PS. I extend an invitation to anyone who is willing to help with this
Click to expand...
Why not just contact Plesk Tech Support?
support.plesk.com

How to get support directly from Plesk?

Question How to get support directly from Plesk? Answer Lease-type Plesk licenses purchased directly from Plesk running on supported Plesk version include full free support. Perpetual-type license...
support.plesk.com support.plesk.com
 
Hi IgorG, I opened a ticket with Plesk a few days ago on this, though the effort appears to have stalled.
That said, I've come-up with a new strategy, by applying a DV SSL Certificate, and in-hopes of narrowing other potential causes.

PS. the testserver is a throw-away, and so no worries in-terms of security etc
 
JohnBee said:
That said, I'm beginning to think, these particular Certificates may not compatible with Plesk in such applications(securing Plesk itself) - granted, they do appear to work just fine on hosted domains, though for some reason(unknown to me), they don't seem to work in securing Plesk itself.
Click to expand...

The ssl warnings shown by browser is because it's not from recognized certificate authority. Even if you use a self signed certificate or one issued by cloudflare for origin server, your data is still encrypted.

Plesk is still 'secure' with the cloudflare origin or self signed certificate. Secure means data transferred is encrypted not in plain text http, so you are safe from mitm attack.

There is no difference in ssl certificate issued for securing application like plesk or just a simple website/domain.
 
I wanted to update this thread, as many people do not bother to do so, and to provide the answer.
In short, the answer is 'No', in that it is not possible to secure Plesk itself with the Cloudlfare Origin SSL certificate;
according to the support article from Cloudflare it seems that the Cloudflare ssl is not supported on 3rd party servers when installed directly on the server:

Click to expand...

Not o be confused with securing Plesk domains with CloudFlare Origin Certificates, which can be done with ease.
But moreso, Plesk itself, so-as to put the entire Pesk server behind Cloudflare's SSL/TLS encryption

- hope this helps
 
You must log in or register to reply here.

Similar threads

C
Issue Cloudflare Origin SSL Zertifikate does work and protect
Replies
1
Views
159
cpulove
C
C
Question Plesk with Cloudflare Proxy DNS Records and Letsencrypt..
Replies
0
Views
189
cpulove
C
J.Wick
Resolved Plesk 18.0.61 Login Problem w/ Google Auth/MFA & Cloudflare
Replies
16
Views
2K
svehei
svehei
PrimeSites
Issue Server-wide backup invalidates SSL cert when deployed on back-up server
Replies
4
Views
743
PrimeSites
PrimeSites
michaeljoseph01
Question Trouble securing both plesk and email
Replies
1
Views
1K
Kaspar
K
Back
Top