Issue SHA-256 compatibility issues with plesk

[nisamudeen97]

Hi,

As per latest announcement from paypal they have requested to change signing request from SHA-1 to SHA-2. I am having Centos 6.8 with plesk 12.5.30 meanwhile it is still showing SHA-1

I have tried the suggestions in kb articles https://kb.plesk.com/en/123904 and https://kb.plesk.com/124821 Still it is showing sha1


openssl s_client -connect hostname/website:443 < /dev/null 2>/dev/null | openssl x509 -text -in /dev/stdin | grep "Signature Algorithm"
Signature Algorithm: sha1WithRSAEncryption
Signature Algorithm: sha1WithRSAEncryption

I am using nginx reverse proxy. My apache and nginx versions are below.

httpd -v
Server version: Apache/2.2.15 (Unix)
Server built: May 11 2016 19:28:33

nginx -v
nginx version: nginx/1.11.1

Let me know the possible ways of solving the issue.

 

[Linulex]

you need this kb

https://kb.plesk.com/en/123904

and then offcource recreate the cert, including the csr

regards
Jan

 

[nisamudeen97]

Hi,

I have already tried this meanwhile it didn't helped.

 

[Linulex]

have you restarted plesk?
then recreated the csr?
then got a new certificate with you ne csr
and made that new certificate life?

First plesk must "know" this new setting is there and it will not automagicly fix and existing certificate.

If the cert is a bought one from a certificate autority like geotrust or so you must contact them with your new csr and ask for a re-issue of the certificate.

 

[nisamudeen97]

hi,

I have already tired the possibilities of restarting plesk, generating new certificates. I am not having a valid CA certificate. I am working on selfsigned certificate

 

[Linulex]

I am working on selfsigned certificate

why not install the let's encrypt extention and get a real certificate?

Its no use for "real" websites because there is no owner authentication but its fine for private websites and it will get rid off all the self signed errors.

regards
Jan

 

[AndreyZ]

I have tried the suggestions in kb articles https://kb.plesk.com/en/123904 and https://kb.plesk.com/124821

What exactly did you do? KB says that you should do nothing special on Plesk 12.5:

Generation of Certificate Signing Request with SHA256 (SHA-2) algorithm is implemented in Plesk 12.5 by default.

 

[nisamudeen97]

HI,

I mean I have cross checked all and generated new certificate again meanwhile it is still showing SHA1

 

[AndreyZ]

Could you send me the newly created certificate (without private key, of course)?

 

[nisamudeen97]

Could you send me the newly created certificate (without private key, of course)?

I cannot do that as I cannot reveal the server hostname details in a public forum

 

[AndreyZ]

You use self-signed certificate generated by Plesk, don't you?
Could you generate a new self-signed certificate for example.com the same way and send it to me?

 

[nisamudeen97]

Here it is

-----BEGIN CERTIFICATE-----
MIIDWzCCAkMCBFdwwL0wDQYJKoZIhvcNAQELBQAwcjELMAkGA1UEBhMCR0IxDjAM
BgNVBAgTBUVzc2V4MQ8wDQYDVQQHEwZJbGZvcmQxDTALBgNVBAoTBHRlc3QxFDAS
BgNVBAMTC2V4YW1wbGUuY29tMR0wGwYJKoZIhvcNAQkBFg5uaXNhbUB0ZXN0LmNv
bTAeFw0xNjA2MjcwNTU5MjVaFw0xNzA2MjcwNTU5MjVaMHIxCzAJBgNVBAYTAkdC
MQ4wDAYDVQQIEwVFc3NleDEPMA0GA1UEBxMGSWxmb3JkMQ0wCwYDVQQKEwR0ZXN0
MRQwEgYDVQQDEwtleGFtcGxlLmNvbTEdMBsGCSqGSIb3DQEJARYObmlzYW1AdGVz
dC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC49z5+l1pDa4op
nKpFYrJ58JcRGcnGJGFt7KC+swIEg3W4RB/hnE0GLcJgA2rLDKAiHz6qF8DFqdUF
kNR4miUVJhUXdcdWvJdCEdftvk9ddHdK8jovQDsDPcLZQ/1N6Vl4I43g+g4+PfjZ
dk5txXEgLW0XXWk+QzTP2U+PyGrAtDxgDR4ZSSUxG9XxUFdYE9Nt9ldjvO0WYJe8
GPZvEG1/PR9rRiXALvl6+nJlsGMdjTot+Z2BbUug1owPHiyICvh+32fjkJIESJmo
EhTlXH6RhhhFyeONs+m1qQEZSdg2m7hYq3bz3pTfanjvYh4OWnOTsyOkyFrxTmQ5
hKRPnWdrAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAE7EubeX6Y1ifyIykwUogIRr
Qo2chNa7v4LhQDVGp/ovhYz37GwfH0X/tyZKLSGhoGbEPdZQrAUpRfQSG+iSiT0s
EjL3VoXYH/TUSSVK46a3m6y4MRRa8XLe/E17IdAFVXr7Q+qc2VPW8Cttyel87UGJ
ihTASu+ND+2gFX9bD/Vn2QKXncQmdWJWb9Afq6vozJcADuiKxbLUnA/HJB7Wqt/B
pawKB0bBfFKwZzRdQw1HGLYxpgbxfjz331HsRuuJVsLrZqnDY+caxXFSjcyTG6J4
wvaus8vI/0zAtE5jnp9aGK4v05m7Zwl5i6byW4RCyabdLDc64bsg8TTQOyGx05o=
-----END CERTIFICATE-----

 

[AndreyZ]

This certificate uses SHA-256:

# echo '-----BEGIN CERTIFICATE-----
> MIIDWzCCAkMCBFdwwL0wDQYJKoZIhvcNAQELBQAwcjELMAkGA1UEBhMCR0IxDjAM
> BgNVBAgTBUVzc2V4MQ8wDQYDVQQHEwZJbGZvcmQxDTALBgNVBAoTBHRlc3QxFDAS
> BgNVBAMTC2V4YW1wbGUuY29tMR0wGwYJKoZIhvcNAQkBFg5uaXNhbUB0ZXN0LmNv
> bTAeFw0xNjA2MjcwNTU5MjVaFw0xNzA2MjcwNTU5MjVaMHIxCzAJBgNVBAYTAkdC
> MQ4wDAYDVQQIEwVFc3NleDEPMA0GA1UEBxMGSWxmb3JkMQ0wCwYDVQQKEwR0ZXN0
> MRQwEgYDVQQDEwtleGFtcGxlLmNvbTEdMBsGCSqGSIb3DQEJARYObmlzYW1AdGVz
> dC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC49z5+l1pDa4op
> nKpFYrJ58JcRGcnGJGFt7KC+swIEg3W4RB/hnE0GLcJgA2rLDKAiHz6qF8DFqdUF
> kNR4miUVJhUXdcdWvJdCEdftvk9ddHdK8jovQDsDPcLZQ/1N6Vl4I43g+g4+PfjZ
> dk5txXEgLW0XXWk+QzTP2U+PyGrAtDxgDR4ZSSUxG9XxUFdYE9Nt9ldjvO0WYJe8
> GPZvEG1/PR9rRiXALvl6+nJlsGMdjTot+Z2BbUug1owPHiyICvh+32fjkJIESJmo
> EhTlXH6RhhhFyeONs+m1qQEZSdg2m7hYq3bz3pTfanjvYh4OWnOTsyOkyFrxTmQ5
> hKRPnWdrAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAE7EubeX6Y1ifyIykwUogIRr
> Qo2chNa7v4LhQDVGp/ovhYz37GwfH0X/tyZKLSGhoGbEPdZQrAUpRfQSG+iSiT0s
> EjL3VoXYH/TUSSVK46a3m6y4MRRa8XLe/E17IdAFVXr7Q+qc2VPW8Cttyel87UGJ
> ihTASu+ND+2gFX9bD/Vn2QKXncQmdWJWb9Afq6vozJcADuiKxbLUnA/HJB7Wqt/B
> pawKB0bBfFKwZzRdQw1HGLYxpgbxfjz331HsRuuJVsLrZqnDY+caxXFSjcyTG6J4
> wvaus8vI/0zAtE5jnp9aGK4v05m7Zwl5i6byW4RCyabdLDc64bsg8TTQOyGx05o=
> -----END CERTIFICATE-----' | openssl x509 -text | grep 'Signature Algorithm'
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption

So, Plesk generates certificates correctly. You can check the certificate with your hostname the same way.

Have you installed the new certificate for a domain? (Websites & Domains > {DOMAIN} > Hosting Settings > Certificate).

Just now I have found that the command to check if the website is using SHA1 or SHA2 from https://kb.plesk.com/en/123904 is wrong (-servername argument is missing). Please, use the following command instead (replace example.com with your hostname):

echo | openssl s_client -connect example.com:443 -servername example.com | openssl x509 -text | grep 'Signature Algorithm'

 

[nisamudeen97]

Hi,

I have generated new selfsigned ssl meanwhile it is still showing sha1

orithm'
depth=0 C = US, ST = Virginia, L = Herndon, O = Parallels, OU = Parallels Panel, CN = Parallels Panel, emailAddress = [email protected]
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = Virginia, L = Herndon, O = Parallels, OU = Parallels Panel, CN = Parallels Panel, emailAddress = [email protected]
verify error:num=10:certificate has expired
notAfter=Jul 3 16:35:04 2014 GMT
verify return:1
depth=0 C = US, ST = Virginia, L = Herndon, O = Parallels, OU = Parallels Panel, CN = Parallels Panel, emailAddress = [email protected]
notAfter=Jul 3 16:35:04 2014 GMT
verify return:1
DONE
Signature Algorithm: sha1WithRSAEncryption
Signature Algorithm: sha1WithRSAEncryption

 

[AndreyZ]

The certificate you posted looks like the default Plesk certificate.
Have you tried the command from my previous post?