• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Roundcube Webmail SSL

Oh yes, there was two ssl_certificate lines, I didn't notice I just copied and pasted. Thank you very much it's solved.
Do you know how to Enable TLS 1.2, I have seen your other post went through it but I don't get any idea. I have everything done but am seeing Protocol support rating as 70 in qualys.com

Kindly help.
 
Lovely, yeah you just need to change the ssl_protocols directive from..

Code: 
ssl_protocols               SSLv2 SSLv3 TLSv1;

to

Code: 
ssl_protocols              TLSv1 TLSv1.1 TLSv1.2;

Assuming your version of OpenSSL is capable.
Hope that helps mate.
Kind regards

Lloyd
 
Thank you Llyod

I am trying to remove the Session resumption (caching) error in the ssl test
when I put
ssl_session_cache shared:SSL:10m;

nginxvirtualdomainhost.php

and reconfigure all domains I get the following error:

Code: 
Details: [2014-08-04 21:47:21] ERR [util_exec] proc_close() failed
Error occured while sending feedback. HTTP code returned: 502
[2014-08-04 21:47:23] ERR [util_exec] proc_close() failed
Error occured while sending feedback. HTTP code returned: 502
[2014-08-04 21:47:24] ERR [panel] Apache config (14071681400.78077300) generation failed: Template_Exception: nginx: [alert] mmap(MAP_ANON|MAP_SHARED, 10485760) failed (28: No space left on device)
nginx: configuration file /etc/nginx/nginx.conf test failed

file: /usr/local/psa/admin/plib/Template/Writer/Webserver/Abstract.php
line: 75
code: 0
Error occured while sending feedback. HTTP code returned: 502
nginx: [alert] mmap(MAP_ANON|MAP_SHARED, 10485760) failed (28: No space left on device)
nginx: configuration file /etc/nginx/nginx.conf test failed

Also I saw your post about Strict Transport Security (HSTS) but doing the same I couldn't get success for my site.

Please help
 
Last edited:
Sorry haven't been able to log in.

You want to add it on all of your domains automatically yeah?

There are a couple of different templates you need to edit

/opt/psa/admin/conf/templates/default/domain/nginxDomainVirtualHost.php
and
/opt/psa/admin/conf/templates/default/server/nginxVhost.php
Click to expand...

so copy them to..

/opt/psa/admin/conf/templates/custom/domain
and
/opt/psa/admin/conf/templates/custom/server
Click to expand...

And then edit them.
You'll notice that we have kept the same folder structure as in the "Default" template folder.
Hope that helps
Kind regards

Lloyd
 
Thank you very much once again Lloyd.
It's working properly now. I got A+ finally.

but for the main domain the contents are saved in nginx_ip_default.conf and nginx_ip is blank with the message that it's generated automatically
the main domain doesn't produce postiive result for Strict Transport Security (HSTS)

but subdomains have the contents in nginx.conf

I am very grateful for your kind support.
 
Last edited:
In the case of HSTS, I've only added it to the webmail template so I can control it from the panel on a domain basis.

Plesk -> Domains -> domain.tld -> Webserver Settings -> Additional nginx directives
Click to expand...

Hope that helps

Kind regards

Lloyd
 
I had created domain and server folder and places the files in them and reconfigured all

when I try to update the SSL Certificate in my Admin panel I get the following error
Code: 
Unable to generate the web server configuration file on the host <server.mydomain.com> because of the following errors:

Template_Exception: nginx: [emerg] BIO_new_file("/usr/local/psa/var/certificates/cert-7afbAI") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/usr/local/psa/var/certificates/cert-7afbAI','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed

file: /usr/local/psa/admin/plib/Template/Writer/Webserver/Abstract.php
line: 75
code: 0

Please resolve the errors in web server configuration templates and generate the file again.
 
/domain/nginxDomainVirtualHost.php should look like this after editing

Code: 
<?php if ($OPT['ssl']): ?>
<?php $sslCertificate = $VAR->server->sni && $VAR->domain->physicalHosting->sslCertificate ?
    $VAR->domain->physicalHosting->sslCertificate :
    $OPT['ipAddress']->sslCertificate; ?>
<?php   if ($sslCertificate->ce): ?>
    ssl_certificate             <?php echo $sslCertificate->ceFilePath ?>;
    ssl_certificate_key         <?php echo $sslCertificate->ceFilePath ?>;
<?php       if ($sslCertificate->ca): ?>
    ssl_client_certificate      <?php echo $sslCertificate->caFilePath ?>;
<?php       endif ?>
    ssl_session_timeout                      5m;
    ssl_session_cache        shared:SSL:5m;
    ssl_prefer_server_ciphers               on;
    ssl_protocols              TLSv1 TLSv1.1 TLSv1.2;   
    ssl_ciphers                 EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL;   
<?php   endif ?>
<?php endif ?>

And /server/nginxVhosts.php

Code: 
<?php if ($OPT['ssl']): ?>
<?php $sslCertificate = $ipAddress->sslCertificate; ?>
<?php   if ($sslCertificate->ce): ?>
    ssl_certificate             <?php echo $sslCertificate->ceFilePath ?>;
    ssl_certificate_key         <?php echo $sslCertificate->ceFilePath ?>;
<?php       if ($sslCertificate->ca): ?>
    ssl_client_certificate      <?php echo $sslCertificate->caFilePath ?>;
<?php       endif ?>
    ssl_session_timeout                      5m;
    ssl_session_cache        shared:SSL:5m;
    ssl_prefer_server_ciphers               on;
    ssl_protocols              TLSv1 TLSv1.1 TLSv1.2;   
    ssl_ciphers                EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL;  
<?php   endif ?>
<?php endif ?>

Like that, as you want to be able to assign the correct certificate in Plesk for each domain.
 
I think I accidentally removed the file nginxDomainVirtualHost.php

New configuration files for the Apache web server were not created due to the errors in configuration templates: Template processing failed: file = /usr/local/psa/admin/conf/templates/default/nginxDomainVhostIpDefault.php, error = Template_Exception: Template domain/nginxDomainVirtualHost.php doesn't exists file: /usr/local/psa/admin/plib/Template/Processor.php line: 28 code: 0 Previous error: Template_Exception: Template domain/nginxDomainVirtualHost.php doesn't exists file: /usr/local/psa/admin/plib/Template/Finder.php line: 25 code: 0. Detailed error descriptions were sent to you by email. Please resolve the issues and click here to generate broken configuration files once again or here to generate all configuration files.

I don't know what I have done :D please help
 
That file contains...

nginxDomainVhostIpDefault.php
Code: 
<?php echo AUTOGENERATED_CONFIGS; ?>

<?php
/**
 * @var Template_VariableAccessor $VAR
 */
?>
<?php if ($VAR->domain->disabled): ?>
# Domain is disabled
<?php return ?>
<?php endif ?>

<?php if ($VAR->domain->physicalHosting->ssl): ?>
<?php foreach ($VAR->domain->physicalHosting->ipAddresses as $ipAddress): ?>
<?php if ($ipAddress->defaultDomainId == $VAR->domain->id): ?>

<?php echo $VAR->includeTemplate('domain/nginxDomainVirtualHost.php',
    array(
        'ssl' => true,
        'frontendPort' => $VAR->server->nginx->httpsPort,
        'backendPort' => $VAR->server->webserver->httpsPort,
        'documentRoot' => $VAR->domain->physicalHosting->httpsDir,
        'ipAddress' => $ipAddress,
        'default' => true,
    )) ?>

<?php endif ?>
<?php endforeach ?>
<?php endif ?>

<?php foreach ($VAR->domain->physicalHosting->ipAddresses as $ipAddress): ?>
<?php if ($ipAddress->defaultDomainId == $VAR->domain->id): ?>

<?php echo $VAR->includeTemplate('domain/nginxDomainVirtualHost.php',
    array(
        'ssl' => false,
        'frontendPort' => $VAR->server->nginx->httpPort,
        'backendPort' => $VAR->server->webserver->httpPort,
        'documentRoot' => $VAR->domain->physicalHosting->httpDir,
        'ipAddress' => $ipAddress,
        'default' => true,
    )) ?>

<?php endif ?>
<?php endforeach ?>
 
Hey Llyod thanks,

It had other options such as ssl_proto etc.. anyway I can get the file from plesk source.
 
Sorry I posted the wrong file.

/opt/psa/admin/conf/templates/default/domain/nginxDomainVirtualHost.php

has..

Code: 
<?php
/**
 * @var Template_VariableAccessor $VAR
 * @var array $OPT
 */
?>
server {
    listen <?php echo $OPT['ipAddress']->escapedAddress . ':' . $OPT['frontendPort'] .
        ($OPT['default'] ? ' default_server' : '') . ($OPT['ssl'] ? ' ssl' : '') ?>;

    server_name <?php echo $VAR->domain->asciiName ?>;
<?php if ($VAR->domain->isWildcard): ?>
    server_name ~^<?php echo $VAR->domain->pcreName ?>$;
<?php else: ?>
    server_name www.<?php echo $VAR->domain->asciiName ?>;
<?php   if ($OPT['ipAddress']->isIpV6()): ?>
    server_name ipv6.<?php echo $VAR->domain->asciiName ?>;
<?php   else: ?>
    server_name ipv4.<?php echo $VAR->domain->asciiName ?>;
<?php   endif ?>
<?php endif ?>
<?php if ($VAR->domain->webAliases): ?>
<?php   foreach ($VAR->domain->webAliases as $alias): ?>
    server_name <?php echo $alias->asciiName ?>;
    server_name www.<?php echo $alias->asciiName ?>;
<?php   endforeach ?>
<?php endif ?>
<?php if ($VAR->domain->previewDomainName): ?>
    server_name "<?php echo $VAR->domain->previewDomainName ?>";
<?php endif ?>

<?php if ($OPT['ssl']): ?>
<?php $sslCertificate = $VAR->server->sni && $VAR->domain->physicalHosting->sslCertificate ?
    $VAR->domain->physicalHosting->sslCertificate :
    $OPT['ipAddress']->sslCertificate; ?>
<?php   if ($sslCertificate->ce): ?>
    ssl_certificate             <?php echo $sslCertificate->ceFilePath ?>;
    ssl_certificate_key         <?php echo $sslCertificate->ceFilePath ?>;
<?php       if ($sslCertificate->ca): ?>
    ssl_client_certificate      <?php echo $sslCertificate->caFilePath ?>;
<?php       endif ?>
    ssl_session_timeout         5m;

    ssl_protocols               SSLv2 SSLv3 TLSv1;
    ssl_ciphers                 HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers   on;
<?php   endif ?>
<?php endif ?>

<?php if (!empty($VAR->domain->physicalHosting->proxySettings['nginxClientMaxBodySize'])): ?>
    client_max_body_size <?php echo $VAR->domain->physicalHosting->proxySettings['nginxClientMaxBodySize'] ?>;
<?php endif; ?>

<?php if ($VAR->domain->physicalHosting->scriptTimeout): ?>
    proxy_read_timeout <?php echo $VAR->domain->physicalHosting->scriptTimeout; ?>;
<?php endif; ?>

    root "<?php echo $OPT['ssl'] ? $VAR->domain->physicalHosting->httpsDir : $VAR->domain->physicalHosting->httpDir ?>";
    access_log "<?php echo $VAR->domain->physicalHosting->logsDir . '/' . ($OPT['ssl'] ? 'proxy_access_ssl_log' : 'proxy_access_log') ?>";
    error_log "<?php echo $VAR->domain->physicalHosting->logsDir . '/proxy_error_log' ?>";

<?php echo $VAR->domain->physicalHosting->proxySettings['allowDeny'] ?>

<?php echo $VAR->includeTemplate('domain/service/nginxSeoSafeRedirects.php', array('ssl' => $OPT['ssl'])); ?>

    location / {
<?php echo $VAR->includeTemplate('domain/service/proxy.php', $OPT); ?>
    }

<?php if (!$VAR->domain->physicalHosting->proxySettings['nginxTransparentMode'] && !$VAR->domain->physicalHosting->proxySettings['nginxServeStatic']): ?>
    location /internal-nginx-static-location/ {
        alias <?php echo $OPT['documentRoot'] ?>/;
        add_header X-Powered-By PleskLin;
        internal;
    }
<?php endif ?>

<?php if ($VAR->domain->active && !$VAR->domain->physicalHosting->proxySettings['nginxTransparentMode']): ?>

<?php if ($VAR->domain->physicalHosting->php && $VAR->domain->physicalHosting->proxySettings['nginxServePhp']
            || $VAR->domain->physicalHosting->proxySettings['nginxServeStatic']): ?>

<?php if ($VAR->domain->physicalHosting->proxySettings['fileSharingPrefix']): ?>
    location ~ ^/<?php echo $VAR->domain->physicalHosting->proxySettings['fileSharingPrefix'] ?>/ {
<?php echo $VAR->includeTemplate('domain/service/proxy.php', $OPT); ?>
    }
<?php endif; ?>

<?php endif; ?>

<?php if ($VAR->domain->physicalHosting->proxySettings['nginxServeStatic']): ?>

    location @fallback {
<?php echo $VAR->includeTemplate('domain/service/proxy.php', $OPT); ?>
    }

<?php echo $VAR->includeTemplate('domain/service/nginxProtectedDirectories.php', $OPT); ?>

    location ~ ^/(.*\.(<?php echo $VAR->domain->physicalHosting->proxySettings['nginxStaticExtensions'] ?>))$ {
        try_files $uri @fallback;
    }
<?php endif ?>

<?php if ($VAR->domain->physicalHosting->php && $VAR->domain->physicalHosting->proxySettings['nginxServePhp']): ?>
    location ~ ^/~(.+?)(/.*?\.php)(/.*)?$ {
        alias <?php echo $VAR->domain->physicalHosting->webUsersDir ?>/$1/$2;
<?php echo $VAR->includeTemplate('domain/service/fpm.php'); ?>
    }

    location ~ ^/~(.+?)(/.*)?$ {
<?php echo $VAR->includeTemplate('domain/service/proxy.php', $OPT); ?>
    }

    <?php echo $VAR->includeTemplate('domain/service/nginxWordpress.php'); ?>

    location ~ \.php(/.*)?$ {
<?php echo $VAR->includeTemplate('domain/service/fpm.php'); ?>
    }

    <?php echo $VAR->includeTemplate('domain/service/nginxWordpressIndexing.php'); ?>

    location ~ /$ {
        <?php echo $VAR->domain->physicalHosting->proxySettings['directoryIndex'] ?>
    }
<?php endif ?>

<?php endif ?>

<?php if (is_file($VAR->domain->physicalHosting->customNginxConfigFile)): ?>
    include "<?php echo $VAR->domain->physicalHosting->customNginxConfigFile ?>";
<?php endif; ?>
}

If you need it.

View attachment nginxDomainVirtualHost.zip
 
Hey Guys,

I figured I would just post this quick update to securing your webmail with your SSL certificate on your Plesk installation.

Step 1
Go to Server -> SSL Certificates
Add your SSL certificate here if you haven't already.

Step 2
Go to Server -> IP Addresses -> [your public IP]
Change the SSL certificate to the certificate you added in Step 1

Step 3
As per @KamalG add

RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

To /etc/apache2/plesk.conf.d/roundcube.htaccess.inc somewhere after "RewriteEngine On"

Like so:
Plesk-Webmail-Force-SSL.png


That's it!
 
Last edited:
Nice solution.

But i think i gets difficult if you host more than one domain on a public IP. Hope this gets implementet soon :)

Regards,
Patrick
 
You must log in or register to reply here.

Similar threads

Brian-Dmac
Issue SSL error when main domain has been changed
Replies
2
Views
325
Brian-Dmac
Brian-Dmac
J
Question Please Help - Email server queries
Replies
5
Views
821
Kaspar@Plesk
Kaspar@Plesk
M
Question Convert the Roundcube database to separate SQLite databases
Replies
1
Views
450
Maarten
M
Z
Question mail.mydomain.com & webmail.mydomain.com ssl errors
Replies
4
Views
447
Zakky
Z
N
Question SSL on alias
Replies
1
Views
189
Sebahat.hadzhi
Sebahat.hadzhi
Back
Top