
Question Setting SSL Security Certificate

pandpan

Basic Pleskian
Hello,

So I am under Hosting Settings for "Domain name".

I have 2 certificates: one self-signed (the one that came with the server) and one certified (which I set up).

I set it to the certified one, but the server still uses the self signed one.

What can I do to fix this issue? I have already tried toggling between the two.
 
Sorry, I don't quite follow.

When you say that, do you mean a full restart of the Linux box? Or is there a restart option in Plesk?
 
When you make changes to the web server configuration, the web server configuration must be reloaded (graceful restart) or the web server must be restarted (restart). Else, the configuration changes will not be applied. When you install or switch a certificate, the web server will automatically reload/restart, but it will only do it once every n seconds. That restart interval can be configured in the Apache web server configuration settings in Tools & Settings. It is there to avoid frequent restarts of the web server. So if you change the certificate and the minimum restart interval has not expired from a previous reload/restart, you must wait a while until the new configuration is applied. For that reason it is possible that a certificate change is not reflected on a test immediately. However, you can manually restart the web server (httpd service) from Tools & Settings services link before the restart interval expires.
 
I have been waiting for about an hour now, so I decided to do a restart of the Linux box. Afterwards it is still not using the selected SSL.

Is there a log or something I can send you?
 
We should first make sure that the server is really delivering a wrong certificate, because it is also possible that this is a local issue with the web browser or a cache or a local proxy server.
Please test the SSL connection to your website using this: https://www.ssllabs.com/ssltest/ and take a look at the results (click on the IP address displayed in the results for details).
 
Next step is to find out whether the certificate file content is wrong or whether the certificate filename in web server configuration files is pointing to a wrong certificate:

1) Identify the filename of the certificate file that is referenced in webserver configuration file:
# grep SSLCertificateFile /var/www/vhosts/system/DOMAIN.TLD/conf/httpd.conf
Replace "DOMAIN.TLD" with your domain.

2) Check if the certificate file identified in (1) is the right one for DOMAIN.TLD:
# openssl x509 -in /usr/local/psa/var/certificates/CERTFILE -text | grep DNS:
Replace CERTFILE with the filename that you identified in step (1).

Does (2) return the expected domain name of DOMAIN.TLD? Please make sure that you are always using the same domain representation, e.g. when your certificate is only for the non-www type DOMAIN.TLD, then test against DOMAIN.TLD only. If you have been testing www.DOMAIN.TLD, your certificate must either include a wildcard *.DOMAIN.TLD or www.DOMAIN.TLD.
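
Steps (1) and (2) of the post above, scripted as an added example (not part of the original thread and not Plesk tooling): it pulls the certificate path out of an Apache or nginx vhost config and checks whether that file's DNS names cover the hostname under test, including the one-label wildcard rule. All function names are hypothetical; the path in the usage comment is the one from step (1).

```shell
#!/bin/sh
# Added example; function names are hypothetical, not Plesk tooling.

# Print certificate paths referenced by Apache (SSLCertificateFile) or
# nginx (ssl_certificate) directives in config text read from stdin.
cert_paths_from_conf() {
    awk '{ gsub(/[";]/, "") }   # drop quotes and nginx semicolons
         $1 == "SSLCertificateFile" || $1 == "ssl_certificate" { print $2 }' |
        sort -u
}

# Print the DNS names in a certificate file's subjectAltName, one per line.
san_names() {
    openssl x509 -in "$1" -noout -text |
        grep -o 'DNS:[^,[:space:]]*' | cut -d: -f2
}

# Return 0 if hostname $1 is covered by a name read from stdin.
# A wildcard covers exactly one left-most label: *.example.com matches
# www.example.com, but not example.com and not a.b.example.com.
name_covered() {
    _host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    while IFS= read -r _name; do
        _name=$(printf '%s' "$_name" | tr '[:upper:]' '[:lower:]')
        case "$_name" in
            "$_host") return 0 ;;
            \*.*)
                # Compare the host minus its first label with the
                # wildcard minus "*."; a dot-less host never matches.
                [ "${_host#*.}" != "$_host" ] &&
                    [ "${_host#*.}" = "${_name#??}" ] && return 0 ;;
        esac
    done
    return 1
}

# $1 = vhost config file, $2 = exact hostname typed into the browser.
check_vhost() {
    cert_paths_from_conf < "$1" | while IFS= read -r _cert; do
        if san_names "$_cert" | name_covered "$2"; then
            echo "OK   $_cert covers $2"
        else
            echo "FAIL $_cert does not cover $2"
        fi
    done
}

# Usage (path from step 1 of the post, DOMAIN.TLD as placeholder):
# check_vhost /var/www/vhosts/system/DOMAIN.TLD/conf/httpd.conf www.DOMAIN.TLD
```

Where nginx sits in front of Apache, run it against both conf/httpd.conf and conf/nginx.conf, since the thread checks both files.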
 
Please verify that this command returns the cert-ebfNnW filename as output:
# grep ssl_certificate /var/www/vhosts/system/DOMAIN.TLD/conf/nginx.conf

Then please run
# nginx -t
Are syntax test and configuration file test both OK?

Edit (changed from apache -t to apachectl -t):
# apachectl -t
Does this return "Syntax OK", too?
 
1) returns two lines -
--- ssl_certificate /opt/psa/var/certificates/cert-ebfNnW;
--- ssl_certificate_key /opt/psa/var/certificates/cert-ebfNnW;

2) returns syntax is ok and test is successful

3)
apache2 -t returns the following errors.
QGADKH3.png


I guess there are folders missing / permission errors?
 
Pretty obvious the SSL certificate is not switched, because Apache cannot reload/restart for the error given in the screenshot. Please resolve that error first, then try again with the SSL certificate. Once the Apache error is resolved and Apache can restart, SSL certificate should work, too.

Please refer to https://support.plesk.com/hc/ru/art...x-directory-in-argument-file-APACHE-LOCK-DIR- for a possible solution or search for "config variable $apache_lock_dir" on Google to find possible solutions.
 
Hello!

I have done what I can, and I have come across the next issue (not sure if it's a Plesk thing, but it does ask for a conf from it).

Code:
 * Restarting web server apache2                                                                     [fail]
 * The apache2 configtest failed.
Output of config test was:
apache2: Syntax error on line 216 of /etc/apache2/apache2.conf: Syntax error on line 5 of /etc/apache2/conf-enabled/zz010_psa_httpd.conf: Syntax error on line 58 of /etc/apache2/plesk.conf.d/server.conf: Could not open configuration file /etc/apache2/plesk.conf.d/ip_default/grayles.net.conf: No such file or directory
Action 'configtest' failed.


line 216 of apache2.conf is :

IncludeOptional conf-enabled/*.conf

line 5 of zz101 is :

Include '/etc/apache2/plesk.conf.d/server.conf'

line 58 server.conf

IncludeOptional "/etc/apache2/plesk.conf.d/ip_default/*.conf"

the last conf request actually exists
 
Could it be possible that the grayles.net was formerly or still is the main domain of the host? Did you make any changes to that before? I think it is risk-free to remove the reference to /etc/apache2/plesk.conf.d/ip_default/grayles.net.conf from /etc/apache2/plesk.conf.d/server.conf in case that grayles.net is not also the main domain of the host. Either the reference is the remains of something that should no longer be there or indeed an important configuration file /etc/apache2/plesk.conf.d/ip_default/grayles.net.conf is missing. Who knows.

Maybe it is best to first run
# /usr/local/psa/admin/sbin/httpdmng --reconfigure-all
so that you can be sure that at least the part that Plesk wants to see is correctly configured.

I am not really sure what the best approach is. It strongly depends on what was done before with the configuration files and if there are other changes that we are currently unaware of. You seem to have a system that is widely messed up for the reason of a considerable number of individual tweaks. I am not sure if in this case it would not be better to start all over to make sure you are running a clean default installation. The SSL issue described in this thread is only one symptom of an otherwise incorrectly configured installation.
 
Hello once again.

grayles.net is still the main domain of the host, I believe. No other domains are on it.

As for the command you mentioned, I get errors as well:

Code:
[2017-02-12 04:32:00] ERR [util_exec] proc_close() failed ['/opt/psa/admin/bin/apache-config' '-t'] with exit code [1]
[2017-02-12 04:32:00] ERR [util_exec] proc_close() failed ['/opt/psa/admin/bin/apache-config' '-t'] with exit code [1]
[2017-02-12 04:32:00] ERR [panel] Apache config (14868919200.33314900) generation failed: Template_Exception: AH00526: Syntax error on line 9 of /etc/apache2/plesk.conf.d/server.conf:
DocumentRoot must be a directory

file: /opt/psa/admin/plib/Template/Writer/Webserver/Abstract.php
line: 75
code: 0
AH00526: Syntax error on line 9 of /etc/apache2/plesk.conf.d/server.conf:
DocumentRoot must be a directory

Hence, I will follow your recommendation. Though how and where do I start from scratch? (I hope it doesn't mean a full wipe of the OS partition.) For example, do I uninstall apache2 + Plesk, then start again?
 
I see, so the root cause of the issue is that the host's main domain is the same as the subscription domain, and for unknown reason the main domain is not configured correctly in Apache.

Have you tried
# plesk repair installation
or
# plesk installer --select-release-current --reinstall-patch --upgrade-installed-components

If that does not solve the issue (or makes things worse) I'd say that either wipe the system completely or try to follow through every single error (you could for instance now look at what DocumentRoot is saying in /etc/apache2/plesk.conf.d/server.conf, then check why the directory is missing. You could then create it. Then see if it works and so on ...)

You realize that this is getting from one error into the next one, it could be a never ending story because it is unclear what all is missing or misconfigured. I think that creating a full backup (inside Plesk) and then setting up everything from scratch, then restoring the backup costs less time than going through every single error. But in the end, it is your system and you must make the decision what is best for you.

I suggest to use a different domain for the host than for a subscription.
 
Code:
Bootstrapper repair finished.
Errors occurred while performing the following actions: restore mail, fix Apache configuration, regenerate web servers configuration files.
Check '/var/log/plesk/install/plesk_12.5.30_repair.log' and '/var/log/plesk/install/plesk_12.5.30_repair_problems.log' for details.
If you can't resolve the issue on your own, please address Parallels support.

https://dl.dropboxusercontent.com/u/74122999/plesk_12.5.30_installation.log
https://dl.dropboxusercontent.com/u/74122999/plesk_12.5.30_repair.log

These are the two logs that were dumped upon doing a repair installation. Does that say much? (before I do a backup)

If there are no options after reading those logs, I should do the following:

-Uninstall apache 2 and Plesk
-Reinstall apache 2 from scratch
-Reinstall Plesk on top

right?
 
I think either reinstalling the whole system or letting official support do it for you are two good options. Simply removing and reinstalling Apache will probably create even more issues.
 