• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Issue SHA-256 compatibility issues with plesk

nisamudeen97

Regular Pleskian
Hi,

As per latest announcement from paypal they have requested to change signing request from SHA-1 to SHA-2. I am having Centos 6.8 with plesk 12.5.30 meanwhile it is still showing SHA-1

I have tried the suggestions in kb articles https://kb.plesk.com/en/123904 and https://kb.plesk.com/124821 Still it is showing sha1


openssl s_client -connect hostname/website:443 < /dev/null 2>/dev/null | openssl x509 -text -in /dev/stdin | grep "Signature Algorithm"
Signature Algorithm: sha1WithRSAEncryption
Signature Algorithm: sha1WithRSAEncryption

I am using nginx reverse proxy. My apache and nginx versions are below.

httpd -v
Server version: Apache/2.2.15 (Unix)
Server built: May 11 2016 19:28:33

nginx -v
nginx version: nginx/1.11.1

Let me know the possible ways of solving the issue.
 
have you restarted plesk?
then recreated the csr?
then got a new certificate with you ne csr
and made that new certificate life?

First plesk must "know" this new setting is there and it will not automagicly fix and existing certificate.

If the cert is a bought one from a certificate autority like geotrust or so you must contact them with your new csr and ask for a re-issue of the certificate.
 
hi,

I have already tired the possibilities of restarting plesk, generating new certificates. I am not having a valid CA certificate. I am working on selfsigned certificate
 
I am working on selfsigned certificate

why not install the let's encrypt extention and get a real certificate?

Its no use for "real" websites because there is no owner authentication but its fine for private websites and it will get rid off all the self signed errors.

regards
Jan
 
You use self-signed certificate generated by Plesk, don't you?
Could you generate a new self-signed certificate for example.com the same way and send it to me?
 
Here it is

-----BEGIN CERTIFICATE-----
MIIDWzCCAkMCBFdwwL0wDQYJKoZIhvcNAQELBQAwcjELMAkGA1UEBhMCR0IxDjAM
BgNVBAgTBUVzc2V4MQ8wDQYDVQQHEwZJbGZvcmQxDTALBgNVBAoTBHRlc3QxFDAS
BgNVBAMTC2V4YW1wbGUuY29tMR0wGwYJKoZIhvcNAQkBFg5uaXNhbUB0ZXN0LmNv
bTAeFw0xNjA2MjcwNTU5MjVaFw0xNzA2MjcwNTU5MjVaMHIxCzAJBgNVBAYTAkdC
MQ4wDAYDVQQIEwVFc3NleDEPMA0GA1UEBxMGSWxmb3JkMQ0wCwYDVQQKEwR0ZXN0
MRQwEgYDVQQDEwtleGFtcGxlLmNvbTEdMBsGCSqGSIb3DQEJARYObmlzYW1AdGVz
dC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC49z5+l1pDa4op
nKpFYrJ58JcRGcnGJGFt7KC+swIEg3W4RB/hnE0GLcJgA2rLDKAiHz6qF8DFqdUF
kNR4miUVJhUXdcdWvJdCEdftvk9ddHdK8jovQDsDPcLZQ/1N6Vl4I43g+g4+PfjZ
dk5txXEgLW0XXWk+QzTP2U+PyGrAtDxgDR4ZSSUxG9XxUFdYE9Nt9ldjvO0WYJe8
GPZvEG1/PR9rRiXALvl6+nJlsGMdjTot+Z2BbUug1owPHiyICvh+32fjkJIESJmo
EhTlXH6RhhhFyeONs+m1qQEZSdg2m7hYq3bz3pTfanjvYh4OWnOTsyOkyFrxTmQ5
hKRPnWdrAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAE7EubeX6Y1ifyIykwUogIRr
Qo2chNa7v4LhQDVGp/ovhYz37GwfH0X/tyZKLSGhoGbEPdZQrAUpRfQSG+iSiT0s
EjL3VoXYH/TUSSVK46a3m6y4MRRa8XLe/E17IdAFVXr7Q+qc2VPW8Cttyel87UGJ
ihTASu+ND+2gFX9bD/Vn2QKXncQmdWJWb9Afq6vozJcADuiKxbLUnA/HJB7Wqt/B
pawKB0bBfFKwZzRdQw1HGLYxpgbxfjz331HsRuuJVsLrZqnDY+caxXFSjcyTG6J4
wvaus8vI/0zAtE5jnp9aGK4v05m7Zwl5i6byW4RCyabdLDc64bsg8TTQOyGx05o=
-----END CERTIFICATE-----
 
This certificate uses SHA-256:
Code:
# echo '-----BEGIN CERTIFICATE-----
> MIIDWzCCAkMCBFdwwL0wDQYJKoZIhvcNAQELBQAwcjELMAkGA1UEBhMCR0IxDjAM
> BgNVBAgTBUVzc2V4MQ8wDQYDVQQHEwZJbGZvcmQxDTALBgNVBAoTBHRlc3QxFDAS
> BgNVBAMTC2V4YW1wbGUuY29tMR0wGwYJKoZIhvcNAQkBFg5uaXNhbUB0ZXN0LmNv
> bTAeFw0xNjA2MjcwNTU5MjVaFw0xNzA2MjcwNTU5MjVaMHIxCzAJBgNVBAYTAkdC
> MQ4wDAYDVQQIEwVFc3NleDEPMA0GA1UEBxMGSWxmb3JkMQ0wCwYDVQQKEwR0ZXN0
> MRQwEgYDVQQDEwtleGFtcGxlLmNvbTEdMBsGCSqGSIb3DQEJARYObmlzYW1AdGVz
> dC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC49z5+l1pDa4op
> nKpFYrJ58JcRGcnGJGFt7KC+swIEg3W4RB/hnE0GLcJgA2rLDKAiHz6qF8DFqdUF
> kNR4miUVJhUXdcdWvJdCEdftvk9ddHdK8jovQDsDPcLZQ/1N6Vl4I43g+g4+PfjZ
> dk5txXEgLW0XXWk+QzTP2U+PyGrAtDxgDR4ZSSUxG9XxUFdYE9Nt9ldjvO0WYJe8
> GPZvEG1/PR9rRiXALvl6+nJlsGMdjTot+Z2BbUug1owPHiyICvh+32fjkJIESJmo
> EhTlXH6RhhhFyeONs+m1qQEZSdg2m7hYq3bz3pTfanjvYh4OWnOTsyOkyFrxTmQ5
> hKRPnWdrAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAE7EubeX6Y1ifyIykwUogIRr
> Qo2chNa7v4LhQDVGp/ovhYz37GwfH0X/tyZKLSGhoGbEPdZQrAUpRfQSG+iSiT0s
> EjL3VoXYH/TUSSVK46a3m6y4MRRa8XLe/E17IdAFVXr7Q+qc2VPW8Cttyel87UGJ
> ihTASu+ND+2gFX9bD/Vn2QKXncQmdWJWb9Afq6vozJcADuiKxbLUnA/HJB7Wqt/B
> pawKB0bBfFKwZzRdQw1HGLYxpgbxfjz331HsRuuJVsLrZqnDY+caxXFSjcyTG6J4
> wvaus8vI/0zAtE5jnp9aGK4v05m7Zwl5i6byW4RCyabdLDc64bsg8TTQOyGx05o=
> -----END CERTIFICATE-----' | openssl x509 -text | grep 'Signature Algorithm'
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption
So, Plesk generates certificates correctly. You can check the certificate with your hostname the same way.

Have you installed the new certificate for a domain? (Websites & Domains > {DOMAIN} > Hosting Settings > Certificate).

Just now I have found that the command to check if the website is using SHA1 or SHA2 from https://kb.plesk.com/en/123904 is wrong (-servername argument is missing). Please, use the following command instead (replace example.com with your hostname):
Code:
echo | openssl s_client -connect example.com:443 -servername example.com | openssl x509 -text | grep 'Signature Algorithm'
 
Hi,

I have generated new selfsigned ssl meanwhile it is still showing sha1

orithm'
depth=0 C = US, ST = Virginia, L = Herndon, O = Parallels, OU = Parallels Panel, CN = Parallels Panel, emailAddress = [email protected]
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = Virginia, L = Herndon, O = Parallels, OU = Parallels Panel, CN = Parallels Panel, emailAddress = [email protected]
verify error:num=10:certificate has expired
notAfter=Jul 3 16:35:04 2014 GMT
verify return:1
depth=0 C = US, ST = Virginia, L = Herndon, O = Parallels, OU = Parallels Panel, CN = Parallels Panel, emailAddress = [email protected]
notAfter=Jul 3 16:35:04 2014 GMT
verify return:1
DONE
Signature Algorithm: sha1WithRSAEncryption
Signature Algorithm: sha1WithRSAEncryption
 
The certificate you posted looks like the default Plesk certificate.
Have you tried the command from my previous post?
 
Back
Top