
Question Possible to secure Plesk with Origin SSL?

JohnBee

Basic Pleskian
Server operating system version
Ubuntu 22.03
Plesk version and microupdate number
Latest
Having discovered the effect of Cloudflare's proxy DNS feature on the Plesk panel, I wondered if this could be accomplished using Cloudflare's Origin Certificate?

I tried creating a Cert and installing/securing Plesk under Tools & Settings > SSL/TLS Certificates, but quickly discovered that Plesk didn't like that, as this resulted in terminating my sessions and resetting the admin password every time I clicked a link in the interface.

And so I wanted to ask if anyone has been successful in securing Plesk with Cloudflare's Origin SSL certificate?
 
Hi and thanks for the link.
As far as I can tell, the guide is intended for securing domains under Plesk, which I can confirm is working as intended, though what I'm asking about is Plesk itself, under the 'Secure Plesk' option.

PS, I did try to create a Cert and assign it to Plesk following the above-mentioned method, but found that it would not work properly, and that this caused a host of issues. Which leads me to question if it is even possible to assign a 3rd party SSL cert. to Plesk itself?
 
Which leads me to question if it is even possible to assign a 3rd party SSL cert. to Plesk itself?
This should not be an issue and should work just as well as a Let's Encrypt certificate.

Note that Cloudflare's Origin SSL certificate is only supposed to be used when also using CF as a proxy. Using CF as a proxy for the host name of your server, however, is not recommended! As you perhaps already discovered, it can cause a whole range of issues, from issues with email (CF does not allow traffic over port 25 when in proxy) to trouble with accessing your server.
 
Hi and thanks for the comment.
I've decided to give it a try and see if I might get better results - this is a test server, and so no harm done.

That said, this is what I've accomplished thus far, and I have a question:

1. Created Origin SSL Cert under Cloudflare
2. Populated and uploaded Cert under Tools > SSL/TLS Certificates
3. Confirmed Certificate in Certificate Pool

Following this, and after assigning the Certificate from the server pool to secure Plesk, I get a 'website not secure' error: your certificate is not valid. This is in contrast with the same SSL Certificate type and process (CF Origin) applied to a hosted domain under Plesk, where everything works as expected.

Any ideas or suggestions as to what might be causing this?

PS. I have compared both the working and non-working certificate contents, as well as the CF settings, and found them to be identical between both instances.
 
If you are trying to access the Plesk panel and getting that certificate error:

1. Create a wildcard Cloudflare origin certificate.
2. Install it on the server and select it for the Secure Plesk option.
3. The Cloudflare SSL setting should be Full or Strict.
4. Customize the Plesk login URL from Tools & Settings, like plesk.domain.com, and add this DNS record to Cloudflare. Enable proxy for this subdomain. You don't need to add this as a domain/subdomain as a website hosted on Plesk.

Now log in at plesk.domain.com:8443; you should not see a certificate error.

Do note that the Cloudflare origin certificate is only recognized by Cloudflare.
 
Just to update;

It has been over 24 hours since I installed the CF Origin SSL/TLS Certificate onto Plesk, as I wanted to allow time for the changes to propagate.

That said, and quite interestingly, the certificate chain is still coming back invalid, as there remains a Let's Encrypt element in the chain:




PS. The server is completely empty and all traces of Let's Encrypt have been removed from the Certificate pool; in fact, I have removed the supporting plugin altogether. Also, the domain name and hashes in the screenshot have been changed for security measures.
 
Even though the Let's Encrypt certificates were removed from the system?

As for following procedures, the answer is yes. In fact I have since installed a new Plesk installation to rule out the potential interference from previous certificates, only to find the same behaviour taking place.

That said, I'm beginning to think these particular Certificates may not be compatible with Plesk in such applications (securing Plesk itself) - granted, they do appear to work just fine on hosted domains, though for some reason (unknown to me), they don't seem to work in securing Plesk itself.

PS. I remain hopeful that the Plesk support team can help in finding an explanation for this behaviour, as I have opened a ticket and request for help.
 
Even though the Let's Encrypt certificates were removed from the system?
That's correct. I can understand your confusion. CloudFlare, however, is using Let's Encrypt as a certificate authority for some of their certificates, completely independent of any Let's Encrypt certificate issued by Plesk for your server.

That said, I'm beginning to think these particular Certificates may not be compatible with Plesk in such applications (securing Plesk itself) - granted, they do appear to work just fine on hosted domains, though for some reason (unknown to me), they don't seem to work in securing Plesk itself.
This should not be an issue. Though in your case it somehow isn't working. I'll note again, however, that using CloudFlare to secure Plesk itself is not recommended.

PS. I remain hopeful that the Plesk support team can help in finding an explanation for this behaviour, as I have opened a ticket and request for help.
Let us know the outcome.
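
To see which certificate a client actually receives when a Let's Encrypt element shows up in the chain, as in the posts above, compare the issuer served through the proxied hostname with the issuer served by the origin directly. This is an added example, not part of the original thread; the function names and the issuer substrings matched are assumptions, and the hostname and IP are whatever you pass in.

```shell
#!/bin/sh
# Added diagnostic sketch (not from the thread). Function names are hypothetical.

# Print the issuer line of the leaf certificate served at $1:$2, sending $3 as SNI.
# Trust errors are ignored on purpose: an origin CA certificate is not in public
# trust stores, so the goal is to read it, not to validate it.
leaf_issuer() {
    openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null |
        openssl x509 -noout -issuer 2>/dev/null
}

# Map an issuer string to a coarse class.
# Assumption: origin CA issuers contain "Origin SSL" or "Origin CA".
classify_issuer() {
    case "$1" in
        "")                                           echo no-certificate ;;
        *"Origin SSL"*|*"Origin CA"*)                 echo origin-ca ;;
        *"Let's Encrypt"*|*"Google Trust Services"*)  echo public-ca ;;
        *)                                            echo other ;;
    esac
}

# Interpret the pair (class seen via DNS name, class seen direct to origin IP).
interpret() {
    case "$1/$2" in
        public-ca/origin-ca) echo proxied ;;          # browser sees the edge cert
        origin-ca/origin-ca) echo not-proxied ;;      # browser sees the origin cert
        no-certificate/*)    echo edge-unreachable ;; # nothing answered on that port
        */no-certificate)    echo origin-unreachable ;;
        *)                   echo inconclusive ;;
    esac
}

# Usage: diagnose <panel-hostname> <origin-ip> [port]
diagnose() {
    host=$1; origin_ip=$2; port=${3:-8443}
    via_name=$(classify_issuer "$(leaf_issuer "$host" "$port" "$host")")
    direct=$(classify_issuer "$(leaf_issuer "$origin_ip" "$port" "$host")")
    echo "via $host:$port -> $via_name; direct $origin_ip:$port -> $direct"
    interpret "$via_name" "$direct"
}

# Run only when arguments are given, e.g.: sh check.sh plesk.example.com 203.0.113.10
if [ "$#" -ge 2 ]; then diagnose "$@"; fi
```

A result of `proxied` means the Let's Encrypt (or other public CA) issuer belongs to the proxy's edge certificate while the origin certificate is in place behind it; `not-proxied` means the DNS name resolves straight to the server and the browser is being handed the origin certificate itself.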
 
Hi and thanks for your ongoing help and interest in this matter.
That said, as I have; a domain, Plesk and Cloudflare test accounts, would you consider taking a look to see if you might identify something obvious?
I can provide SSH and Plesk and Cloudflare access.

PS. I extend an invitation to anyone who is willing to help with this
 
Hi and thanks for your ongoing help and interest in this matter.
That said, as I have; a domain, Plesk and Cloudflare test accounts, would you consider taking a look to see if you might identify something obvious?
I can provide SSH and Plesk and Cloudflare access.

PS. I extend an invitation to anyone who is willing to help with this
Why not just contact Plesk Tech Support?
 
Hi IgorG, I opened a ticket with Plesk a few days ago on this, though the effort appears to have stalled.
That said, I've come up with a new strategy: applying a DV SSL Certificate, in hopes of narrowing down other potential causes.

PS. The test server is a throw-away, and so no worries in terms of security etc.
 
That said, I'm beginning to think these particular Certificates may not be compatible with Plesk in such applications (securing Plesk itself) - granted, they do appear to work just fine on hosted domains, though for some reason (unknown to me), they don't seem to work in securing Plesk itself.

The SSL warnings shown by the browser are because it's not from a recognized certificate authority. Even if you use a self-signed certificate or one issued by Cloudflare for the origin server, your data is still encrypted.

Plesk is still 'secure' with the Cloudflare origin or self-signed certificate. Secure means data transferred is encrypted, not in plain text HTTP, so you are safe from MITM attack.

There is no difference in the SSL certificate issued for securing an application like Plesk or just a simple website/domain.
 
I wanted to update this thread, as many people do not bother to do so, and to provide the answer.
In short, the answer is 'No', in that it is not possible to secure Plesk itself with the Cloudflare Origin SSL certificate;
according to the support article from Cloudflare, it seems that the Cloudflare SSL is not supported on 3rd party servers when installed directly on the server:


Not to be confused with securing Plesk domains with CloudFlare Origin Certificates, which can be done with ease.
But more so, Plesk itself, so as to put the entire Plesk server behind Cloudflare's SSL/TLS encryption.

- hope this helps
 