TITLE
Potential bug - Inactive domains, Ssl It extension and Nginx SSL stapling warning
PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE
Product version: Plesk Obsidian 18.0.49.2
OS version: Ubuntu 18.04 x86_64
Build date: 2023/01/10 23:00
Revision: c825df0ebc392580c3443ca51b28c6cb88be266d
PROBLEM DESCRIPTION
Error notification received by mail, notification of the kind :
nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "ocsp.int-x3.letsencrypt.org" in the certificate "/opt/psa/var/certificates/xxxxxxxx
Certificates are associated with
a - domains and on a specific server, with DNS pointing to (the domain on another) server,
b - subdomains and on a specific server, with DNS pointing to (the subdomain on another) server,
c - domains and subdomains that are
c.1 - active, (OR)
c.2 - suspended.
BUG 1 : Ssl IT not available on suspended domains, causing various issues - see above
BUG 2 - potential : Ssl IT not working properly with respect to OCSP stapling - see above
WORKAROUND 1 : disable domain
WORKAROUND 2 : follow procedure in https://support.plesk.com/hc/en-us/...issuer-certificate-not-found-for-certificate-
NOTE : workaround 2 is not really nice, since it has to be done manually for individual domains
REMARKABLE : no error notifications by mail of the nginx: [warn] "ssl_stapling" ignored kind when a domain is disabled, as opposed to suspended or active!
STEPS TO REPRODUCE
A - STR - BUG 1 :
A.1 - just suspend a domain
A.2 - open a browser with https://[FQDN-servername]/smb/ssl-certificate/list/id/XX of the offending domain
A.3 - try to open a new tab in the browser with
https://[FQDN-servername]/modules/sslit/index.php/index/certificate/id/XX
and conclude that one
A.4 - is returned to : https://[FQDN-servername]/smb/web/view
A.5 - receives error notification : ! Error. Domain .... is not active. SslIt extension is not available.
A.6 - can NOT use WORKAROUND 2 on domains or subdomains (located on another server), UNLESS the domain is active (read: not suspended or disabled)
B - STR - BUG 2 :
B.1 - create a domain with a subdomain on a source server and point DNS to the source server
B.2 - on the source server, install Let's Encrypt for both the domain and subdomain - with OCSP stapling
B.3 - migrate the domain and subdomain from the source server to a target server
B.4 - point DNS for the subdomain to the target server
B.5 - manually install an old and expired SSL certificate on the subdomain
B.6 - suspend the subdomain on the target server
B.7 - try to get the SSL certificate refreshed : this will not work on both the target and source server
ACTUAL RESULT
See STR
EXPECTED RESULT
It should be possible to renew SSL certificates of domains and subdomains when
1 - the domains or subdomains are suspended
2 - a subdomain (for instance a backup domain or a development / staging environment) is on another server
It should also NOT be necessary to manually switch on/off OCSP stapling, as mentioned in workaround 2.
ANY ADDITIONAL INFORMATION
Please note that I did not have much time to investigate this issue.
There is another issue that is of much more importance........ traffic aiming at ports 7080 and 7081.
YOUR EXPECTATIONS FROM PLESK SERVICE TEAM
Confirm bug
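
Added example, not part of the original report and not Plesk or nginx code: a small Python triage script that takes the notification text, groups the "ssl_stapling" ignored warnings by OCSP responder host and certificate file, and checks whether each responder host resolves from the server now. The function names and the certificate file names in the sample are constructed for illustration; the second pattern matches the "issuer certificate not found" warning that workaround 2 refers to.

```python
import re
import socket
from collections import defaultdict

# Constructed sample input modelled on the warning quoted in the report;
# the certificate file names (cert-AAAA ...) are placeholders.
SAMPLE = '''\
nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "ocsp.int-x3.letsencrypt.org" in the certificate "/opt/psa/var/certificates/cert-AAAA"
nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "ocsp.int-x3.letsencrypt.org" in the certificate "/opt/psa/var/certificates/cert-BBBB"
nginx: [warn] "ssl_stapling" ignored, issuer certificate not found for certificate "/opt/psa/var/certificates/cert-CCCC"
nginx: configuration file /etc/nginx/nginx.conf test is successful
'''

# The closing quote is optional because mailed notifications can be cut short.
HOST_NOT_FOUND = re.compile(
    r'"ssl_stapling" ignored, host not found in OCSP responder '
    r'"(?P<host>[^"]+)" in the certificate "(?P<cert>[^"\s]+)"?')
ISSUER_MISSING = re.compile(
    r'"ssl_stapling" ignored, issuer certificate not found for certificate '
    r'"(?P<cert>[^"\s]+)"?')

def resolves(host):
    """True if the responder host name resolves from this machine right now."""
    try:
        socket.getaddrinfo(host, 80)
        return True
    except OSError:
        return False

def triage(text, resolver=resolves):
    """Group stapling warnings by cause and list the affected certificate files."""
    by_host, issuer_missing = defaultdict(set), set()
    for line in text.splitlines():
        if (m := HOST_NOT_FOUND.search(line)):
            by_host[m["host"]].add(m["cert"])
        elif (m := ISSUER_MISSING.search(line)):
            issuer_missing.add(m["cert"])
    report = {"issuer_missing": sorted(issuer_missing), "responders": {}}
    for host, certs in sorted(by_host.items()):
        # resolves_now False: the responder name is gone or DNS on the server is broken
        report["responders"][host] = {
            "resolves_now": resolver(host), "certificates": sorted(certs)}
    return report

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A responder that still does not resolve points at the certificate files to replace or to exclude from stapling; one that resolves again points at a transient DNS failure at the time nginx was reloaded.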