
setting up ssl on centos with sni

maniot

New Pleskian
Hello,

I've searched the web to set up SSL on 1 domain of 2 installed on 1 IP address. It seems easy: set up virtual hosts, turn SSL on and point to your certificates.
I'm completely lost. I set up the certificate from GeoTrust in Plesk Panel 11.5 as described in the manual but that didn't work, apparently because I have 2 domains and 1 IP.
So I started looking to adapt my vhost settings to use SNI. First problem: I can't find the settings of the virtual host. Secondly, where can I find the path to the .key and .crt files?
Can anyone explain how I can install an SSL certificate on one of the two domains sharing 1 IP?
best regards,

Niek
 
SNI will work out-the-box without any further configuration necessary. You just set the SSL certificate to be used for each domain in the "Website Scripting and Security" section of Plesk.

Make sure you are restarting your browser (or using a private browsing mode such as Incognito mode in Chrome) whenever you make changes as it's possible your browser will cache the SSL certificate settings the first time they are loaded, and then when you make changes these are not immediately visible.

SNI also needs to be supported by the browsers (most modern browsers do support it: http://en.wikipedia.org/wiki/Server_Name_Indication#Web_browsers.5B6.5D).
 
Hello,

That's what I expected to work out of the box, so I installed the certificate as indicated and set it to be used for the domain for which I bought the certificate, but it doesn't work. When I test it with a tool provided by GeoTrust it doesn't detect a certificate. After investigation with # httpd -S I get the following configuration for the vhosts:
x.xxx.xx.195:80 is a NameVirtualHost
default server domain1.com (/etc/httpd/conf/plesk.conf.d/ip_default/domain1.com.conf:155)
port 80 namevhost domain1.com (/etc/httpd/conf/plesk.conf.d/ip_default/domain1.com.conf:155)
alias www.domain1.com
alias ipv4.domain1.com
port 80 namevhost default (/etc/httpd/conf/plesk.conf.d/server.conf:72)
port 80 namevhost lists (/etc/httpd/conf/plesk.conf.d/server.conf:148)
wild alias lists.*
port 80 namevhost domain2 (/etc/httpd/conf/plesk.conf.d/vhosts/domain2.conf:8)
alias www.domain2
alias ipv4.domain2
port 80 namevhost analyse.domain2 (/etc/httpd/conf/plesk.conf.d/vhosts/analyse.domain2.conf:8)
alias www.analyse.domain2
alias ipv4.analyse.domain2
xx.xxx.xx.195:443 is a NameVirtualHost
default server domain1.com (/etc/httpd/conf/plesk.conf.d/ip_default/domain1.com.conf:10)
port 443 namevhost domain1.com (/etc/httpd/conf/plesk.conf.d/ip_default/domain1.com.conf:10)
alias www.domain1.com
alias ipv4.domain1.com
port 443 namevhost default-xx_xxx_xx_195 (/etc/httpd/conf/plesk.conf.d/server.conf:109)
port 443 namevhost lists (/etc/httpd/conf/plesk.conf.d/server.conf:176)
wild alias lists.*
Syntax OK


Here I see nothing mentioned about SSL. Wouldn't it be needed to add:
NameVirtualHost *:443

<VirtualHost *:443>
ServerName www.yoursite.com
DocumentRoot /var/www/site

SSLEngine on
SSLCertificateFile /path/to/www_yoursite_com.crt
SSLCertificateKeyFile /path/to/www_yoursite_com.key
SSLCertificateChainFile /path/to/DigiCertCA.crt
</VirtualHost>

<VirtualHost *:443>
ServerName www.yoursite2.com
DocumentRoot /var/www/site2

SSLEngine on
SSLCertificateFile /path/to/www_yoursite2_com.crt
SSLCertificateKeyFile /path/to/www_yoursite2_com.key
SSLCertificateChainFile /path/to/DigiCertCA.crt
</VirtualHost>

as mentioned in: http://download1.parallels.com/Ples...nistration-guide/index.htm?fileName=68694.htm

I want to mention that I have a VPS with 1 IP address and 2 domains where I want only 1 domain secured by SSL.

Best regards,
Niek
 
Have you double checked that SSL is turned on for the domain? This is in Plesk Panel under "Website Scripting & Security" for the domain.

If that setting is enabled, try re-generating the web server configuration files with:

Code:
/usr/local/psa/admin/bin/httpdmng --reconfigure-all

And see if that helps - check the vhost's configuration file in /etc/httpd/conf/plesk.conf.d/vhosts/DOMAIN_NAME.conf to see if this has added the port 443 section.
 
Hello,

Yes, I've checked this; see screenshots:
<a href="http://www.screencast.com/t/xqnei20kDfc">screen1</a>
and
<a href="http://www.screencast.com/t/oRjmm67ydj0x">screen2</a>
I've regenerated the server configuration files as suggested; the result of /etc/httpd/conf/plesk.conf.d/vhosts/DOMAIN_NAME.conf is:
#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.
#IF YOU REQUIRE TO APPLY CUSTOM MODIFICATIONS, PERFORM THEM IN THE FOLLOWING FILES:
#/var/www/vhosts/system/the-dreamstore.com/conf/vhost.conf
#/var/www/vhosts/system/the-dreamstore.com/conf/vhost_ssl.conf

the result for httpd -S is:

VirtualHost configuration:
xx.xxx.99.195:80 is a NameVirtualHost
default server the-dreamstore.com (/etc/httpd/conf/plesk.conf.d/ip_default/the-dreamstore.com.conf:155)
port 80 namevhost the-dreamstore.com (/etc/httpd/conf/plesk.conf.d/ip_default/the-dreamstore.com.conf:155)
alias www.the-dreamstore.com
alias ipv4.the-dreamstore.com
port 80 namevhost default (/etc/httpd/conf/plesk.conf.d/server.conf:72)
port 80 namevhost lists (/etc/httpd/conf/plesk.conf.d/server.conf:148)
wild alias lists.*
port 80 namevhost 3wcreation.eu (/etc/httpd/conf/plesk.conf.d/vhosts/3wcreation.eu.conf:8)
alias www.3wcreation.eu
alias ipv4.3wcreation.eu
port 80 namevhost analyse.3wcreation.eu (/etc/httpd/conf/plesk.conf.d/vhosts/analyse.3wcreation.eu.conf:8)
alias www.analyse.3wcreation.eu
alias ipv4.analyse.3wcreation.eu
xx.xxx.99.195:443 is a NameVirtualHost
default server the-dreamstore.com (/etc/httpd/conf/plesk.conf.d/ip_default/the-dreamstore.com.conf:10)
port 443 namevhost the-dreamstore.com (/etc/httpd/conf/plesk.conf.d/ip_default/the-dreamstore.com.conf:10)
alias www.the-dreamstore.com
alias ipv4.the-dreamstore.com
port 443 namevhost default-xx_xxx_99_195 (/etc/httpd/conf/plesk.conf.d/server.conf:109)
port 443 namevhost lists (/etc/httpd/conf/plesk.conf.d/server.conf:176)
wild alias lists.*
Syntax OK

I don't see much difference. I've checked the SSL with https://www.ssllabs.com/ssltest/ and the result is: Assessment failed: No secure protocols supported

best regards,

Niek
 
Looking up your domain the-dreamstore.com resolves to 87.106.99.195, and I don't see an HTTPS server running on port 443 on that address. Have you checked your firewall and opened port 443?
 
I don't know exactly how you've set up the server to be able to advise further - are you using a firewall package such as CSF, APF or the Plesk Firewall module? Can you describe briefly how you've set up and installed the server so far?
 
I subscribed to a VPS hosting plan a year ago; it consists of a Virtuozzo container with Plesk 11.5.30 and CentOS 6.4.
The only place I've seen something about a firewall is in the Virtuozzo container, but I don't see anything about ports.
The server hasn't been modified. Hope this information is useful.
 
I would suggest checking the Virtuozzo panel to see if you can open the HTTPS port as it doesn't appear to be open. You can also check if you are using the Plesk firewall module in Plesk by looking under the extensions module on the left-hand side. Is firewall listed there?

You may be best to contact your VPS provider to ask how to manage the firewall on your server.
 
You'll need to add a rule for HTTPS on port 443 to allow it in the firewall - should be TCP and port 443.
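
The two checks this thread worked through (is the domain a port 443 vhost in the `httpd -S` output, and does a TLS handshake actually reach it), as an added shell example that is not part of the original posts. The function names and the sample `httpd -S` text are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample modelled on the `httpd -S` output quoted in the thread.
SAMPLE_HTTPD_S='x.x.x.195:80 is a NameVirtualHost
         port 80 namevhost domain1.com (/etc/httpd/conf/plesk.conf.d/ip_default/domain1.com.conf:155)
         port 80 namevhost domain2 (/etc/httpd/conf/plesk.conf.d/vhosts/domain2.conf:8)
x.x.x.195:443 is a NameVirtualHost
         port 443 namevhost domain1.com (/etc/httpd/conf/plesk.conf.d/ip_default/domain1.com.conf:10)
Syntax OK'

# Print the ports on which DOMAIN ($1) is a name-based vhost.
# Reads `httpd -S` text on stdin.
vhost_ports() {
    awk -v d="$1" '$1 == "port" && $3 == "namevhost" && $4 == d {
        out = out (out == "" ? "" : " ") $2 }
        END { print out }'
}

# Live probe: prints "open" if a TLS handshake with SNI completes, else "closed".
# Run it from outside the server so the firewall is in the path.
probe_tls() {
    if echo | timeout 10 openssl s_client -connect "$1:443" -servername "$1" >/dev/null 2>&1
    then echo open; else echo closed; fi
}

# Combine both facts into the next step to take.
# $1 = domain, $2 = probe result ("open" or "closed"); `httpd -S` text on stdin.
diagnose() {
    case " $(vhost_ports "$1") " in
        *" 443 "*) ;;
        *) echo "no-ssl-vhost: enable SSL for $1 in Plesk and regenerate the config"
           return ;;
    esac
    if [ "$2" = open ]; then
        echo "ok: vhost on 443 and handshake succeeds"
    else
        echo "blocked: vhost on 443 exists, check firewall for TCP 443"
    fi
}

# On a real server (Apache 2.2 prints the vhost dump on stderr):
#   httpd -S 2>&1 | diagnose example.com "$(probe_tls example.com)"
```

A "blocked" result corresponds to the situation in this thread: Apache already had the port 443 vhost, and the missing piece was the firewall rule.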
 
Thanks cmaxwell!!
You made my day! This did the trick; I had to add the rule "secure web server".
I've checked with Qualys SSL Labs and it's working, though there is a problem with the POODLE vulnerability. So that's the next step to dive into.

Once again, thanks. I learned a lot today.

best regards,

Niek
 