
Secure panel with Let's Encrypt

-FP

New Pleskian
Hi,

I'm using the Let's Encrypt extension for my domains and it works just fine.

The problem is that I can't use it to secure the Plesk admin panel itself because apparently it can't verify the ownership of the domain.

Obviously, since it's an OVH vps under vpsXYZ.ovh.net and I can't control that.

Is there any workaround for this?
 
our scenario:
server's original name as provided by bigservercompany was vpsXYZ.bigservercompany.com
our company however has its own domain called owncompany.com

created in Plesk a subscription called server1.owncompany.com
and changed the hostname in Plesk to server1.owncompany.com

then emailed the bigservercompany where we got the server and asked to change the PTR record from
vpsXYZ.bigservercompany.com to
server1.owncompany.com
[make sure it is changed, and not added as a second PTR as that can cause trouble]

result: for all intents and purposes, the server is now properly called [FQDN] server1.owncompany.com and reachable by that name from the web - and you can generate a Let's Encrypt cert like so:
log into server again using server1.owncompany.com [still with ssl warning]
create Let's Encrypt certificate for the subdomain [which equals your server's FQDN]. tick "use for securing plesk" (or similar), don't tick "include www"
done :)

Hope it helps :)

[and having a proper PTR record also helps a lot to avoid trouble with email delivery :) ]
 
@-FP and @hardbrasil

It is not that difficult.

First of all, the server name vpsXYZ.ovh.net is something that is related to PTR records, so it is barely relevant in this matter (and you should not mess with that).

Second, you can follow these steps:

a) take a domain that you own, by preference a unique domain: at the DNS management system of the registrar,

- create a subdomain, let´s use (for the sake of illustration) plesk.<domain>.<tld>
- create an A record for the subdomain, to point to the IP assigned to your server

and note that you can also use www.<domain>.<tld> (or even <domain>.<tld>), but I would recommend to use a subdomain.

The reason for the above is that Plesk Panel is rather indifferent about the domain name: the Plesk Panel can be reached via every URL of the form

https://<domain>.<tld>:8443/ OR https://<sub>.<domain>.<tld>:8443/

and the port 8443 actually does the trick: this port number in a URL will result in a redirect to the Plesk Panel, as long as the URL is pointing to the relevant IP of the server.

b) login to Plesk Panel and

- create a domain called <domain>.<tld>
- do not be bothered about notifications that "<domain>.<tld> does not resolve to ... IP" (or something similar)
- create a subdomain called plesk.<domain>.<tld>
- install the Plesk Let´s Encrypt extension (if you did not do this yet)
- go to the subdomain and click on the "Let´s Encrypt" icon and follow the suggested steps

and that is about it.

Well, almost, you can now access the Plesk Panel with the URL https://plesk.<domain>.<tld>:8443/, using a certificate provided by Let´s Encrypt.

So, it is secured with a certificate, but any other URL pointing to the IP assigned to the server will not use a https connection with (letsencrypt) certificates.

For that reason, a little bit of "cheating" has to be done and this can actually be done in various ways, but only one of them will satisfy the objective: one secure URL for Plesk.

The required simple tweak of config files will be given in step c.

c) login with SSH and do

- run the command: vi /etc/sw-cp-server/config
- look for the line starting with the Nginx directive error_page
- replace the variable $hostname with plesk.<domain>.<tld>

and, afterwards, do not forget to restart the sw-cp-server (/etc/init.d/sw-cp-server restart on CentOS/RHEL and service sw-cp-server restart on Ubuntu/Debian)

Note that you now have fixed the Plesk Panel to one unique URL: plesk.<domain>.<tld>

The above implies that, as long as the URL contains ":8443", all users can type what they want (http/https, all other domains pointing to the server).

In every case (with :8443 on the end of the URL), one gets redirected to the SECURE and UNIQUE Plesk Panel URL.

That is all..........


Hope the above helps!

Regards.....
 
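Step c) above as a repeatable edit (an added example, not part of the original post and not Plesk's own tooling): it backs up the file and replaces $hostname only on the error_page line. The function names, plesk.example.com and the contents of the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and the sample config are constructed.

# Write a constructed sample resembling a panel web-server config to $1.
write_sample_conf() {
cat > "$1" <<'EOF'
server {
    listen 8443 ssl;
    # $hostname in a comment must stay untouched
    error_page 497 https://$hostname:$server_port$request_uri;
}
EOF
}

# Pin the redirect target on the error_page line of config $1 to hostname $2.
# Returns 0 if changed, 1 if no error_page line uses $hostname, 2 on bad input.
pin_panel_host() {
    conf=$1
    host=$2
    # Accept only a dotted DNS name, so no sed metacharacter gets through.
    case $host in
        ''|.*|*.|*..*|*[!A-Za-z0-9.-]*) echo "invalid hostname: $host" >&2; return 2 ;;
        *.*) ;;
        *) echo "not a fully qualified name: $host" >&2; return 2 ;;
    esac
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }
    if ! grep -Eq '^[[:space:]]*error_page[[:space:]].*\$hostname' "$conf"; then
        echo "no error_page line with \$hostname in $conf" >&2
        return 1
    fi
    # Keep a backup, then rewrite only lines starting with error_page.
    cp -p "$conf" "$conf.bak" || return 2
    sed '/^[[:space:]]*error_page[[:space:]]/ s/\$hostname/'"$host"'/g' \
        "$conf.bak" > "$conf"
}

# Demo on a temporary copy, never on the live /etc/sw-cp-server/config.
tmp=$(mktemp -d)
write_sample_conf "$tmp/config"
pin_panel_host "$tmp/config" plesk.example.com && grep error_page "$tmp/config"
rm -rf "$tmp"
# On the server: run it against the real file, then restart sw-cp-server
# as described in step c).
```

A second run returns 1 and leaves the file and its backup alone, so the original config stays recoverable from the .bak copy.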
I see. I tried doing steps a) and b) before reading this, but when browsing to the URL it would not work (Chrome displayed some security error), now reading this I suppose it didn't work because I have another Let's Encrypt certificate in <domain>.<tld>.

I guess that doing step c) will make it work.

Thanks everyone :)
 
@-FP

I would "guess" that you should remove the letsencrypt certificate from the <domain>.<tld> ;)

Technically speaking, it should not matter at all, but there are some pitfalls in Let´s Encrypt itself and the associated Plesk extension.

Just to be safe, I would suggest to remove the letsencrypt certificate from the top-level domain.

Regards....
 
@-FP

That was what I tried to say with "a unique domain", as mentioned in step a).

That would prevent any conflict between sites and the main URL used for the Plesk Panel. By the way, it is not recommended to let those URLs coincide.

However, you can try to apply the letsencrypt certificate to both plesk.<domain>.<tld> and <domain>.<tld>, just see what happens!

If that does not work, I can still have a look at the possibility to use the CLI tool for the letsencrypt extension, since that is somewhat more elaborate than the letsencrypt functions in Plesk.

Regards....
 
@-FP

Forgot to tell you another little trick.

The previous steps hinted at an approach to create a UNIQUE URL for Plesk Panel, but that might be inconvenient if you want customers to log in with a personalized URL.

So, there is a little trick to creating a personalized URL to access the Plesk Panel: just do the following

a) create a subdomain in a domain, of which the customer gets a personalized URL. The subdomain is of the form <sub>.<customer´s domain>.<tld>

b) go to "Domain > [subdomain] > Apache & nginx Settings (click)" and add the following

location = /panel {
    return 301 https://<sub>.<customer´s domain>.<tld>:8443;
}


to the "Additional Nginx Directives" textbox and press OK.

c) go to /etc/sw-cp-server/config and edit the line, starting with "error_page", to contain the $hostname variable (!), in order to allow multiple URLs to be redirected to Plesk Panel.


In short, you have just created a URL of the form

http://<sub>.<customer´s domain>.<tld>/panel OR https://<sub>.<customer´s domain>.<tld>/panel

that redirects customers to the Plesk Panel, but this time with <sub>.<customer´s domain>.<tld>, which can take any convenient notation.


The advantage of this approach is that you will be able to let every customer have its own personalized URL for the Plesk Panel.

The disadvantage is that any other URL (with :8443 on the end), having an A record that points to the server, will also reach the Plesk Panel´s login page.


Anyway, the above might be useful.

Regards.......
 