
SOLVED: default certificate not working after last update, 12.0.18 Update #59

MaximillianM

Hi. Since yesterday I have a problem with the default certificate which I was using for my own administration-panel of my website. My administration-panel is located in a subdomain. The last thing I did was to upgrade Plesk. I'm not sure if the problem occurred after my upgrade or the last Auto-Microupdate today: 12.0.18 Update #59

https://sec.mydomain.com ( google chrome responds ) => ERR_CONNECTION_RESET (Detail: The Connection is aborted)

For testing I created a new self-signed certificate and set this as default certificate, added this to the IP address and selected under Domain->Hosting-Settings the new default one for the subdomain. But this is not working either. The same error occurs.

Does somebody have an idea why it is not working any more?

INFOS:
netstat -tap shows
tcp 0 0 h21106xx.stratoser:http *:* LISTEN 3094/nginx
tcp 0 0 h21106xx.stratose:https *:* LISTEN 3094/nginx


EDIT
I have now found the following lines in the default error_log
AH01909: RSA certificate configured for sec.mydomain.com:443 does NOT include an ID which matches the server name

and my nginx error_log says
6443#0: *1797 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client


SOLVED
I solved the problem with
/usr/local/psa/admin/sbin/httpdmng --reconfigure-all
... after changing the default_certificate ( http://talk.plesk.com/threads/plesk-nginx-and-ssl.323719/ )
 
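Added example, not part of the original posts: a small triage script for the log messages quoted in this thread, which collapses repeats and lists first the nginx message that is logged when a handshake fails (and so fits the ERR_CONNECTION_RESET above). The rule names and severity labels are assumptions of this example, not Plesk, Apache or nginx terminology.

```python
import re
from collections import Counter

# Severity labels are this example's assumption, not Apache's or nginx's own.
RULES = [
    ("nginx_no_certificate", "breaks-tls", re.compile(
        r'no "ssl_certificate" is defined in server listening on SSL port')),
    ("apache_cert_name_mismatch", "warning", re.compile(
        r"AH01909: RSA certificate configured for (?P<name>\S+?):\d+ "
        r"does NOT include an ID")),
    ("apache_cert_name_mismatch", "warning", re.compile(
        r"RSA server certificate CommonName \(CN\) `(?P<name>[^']+)' "
        r"does NOT match server name")),
    ("apache_sni_notice", "info", re.compile(
        r"Name-based SSL virtual hosts only work for clients with TLS")),
]
ORDER = {"breaks-tls": 0, "warning": 1, "info": 2}


def classify(line):
    """Return (category, severity, name) for a known message, else None."""
    for category, severity, pattern in RULES:
        match = pattern.search(line)
        if match:
            return category, severity, match.groupdict().get("name")
    return None


def triage(lines):
    """Collapse repeated messages; list connection-breaking findings first."""
    counts = Counter(hit for hit in map(classify, lines) if hit)
    findings = [(sev, cat, name, n) for (cat, sev, name), n in counts.items()]
    return sorted(findings, key=lambda f: (ORDER[f[0]], f[1], f[2] or ""))


# Sample input assembled from lines quoted in this thread (repeats trimmed).
CN_WARN = ("[Mon Aug 10 02:13:49 2015] [warn] RSA server certificate "
           "CommonName (CN) `Parallels Panel' does NOT match server name!?")
SAMPLE = [
    "AH01909: RSA certificate configured for sec.mydomain.com:443 does NOT "
    "include an ID which matches the server name",
    '6443#0: *1797 no "ssl_certificate" is defined in server listening on '
    "SSL port while SSL handshaking, client",
    CN_WARN, CN_WARN, CN_WARN,
    "[Mon Aug 10 02:13:48 2015] [warn] Init: Name-based SSL virtual hosts only "
    "work for clients with TLS server name indication support (RFC 4366)",
    "[Mon Aug 10 02:13:49 2015] [error] python_init: Python version mismatch, "
    "expected '2.6.5', found '2.6.6'.",
]

if __name__ == "__main__":
    for sev, cat, name, n in triage(SAMPLE):
        print(f"{sev:10} {cat:26} x{n} {name or ''}")
```
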
Hey guys,

Our customer is having an issue with a Rapid SSL certificate that worked and now when visiting the WordPress site admin panel or https pages, the server does not connect to the WordPress https page. We tried modifying iptables to add 443, 8080, 80 etc based on the tutorial provided, however, it still does not work and the site still does not connect with SSL.

Please advise, thanks.
 
Hi Xavier12,

please..... please .... please... you already know what comes next, I think. ^^ Please, include some log - files, which mostly point to the issue. It takes ages to probably start on the wrong side of the issue/problem and suggestions might just be a shoot into the sky.
 
I have no problems to access Plesk-Panel ( https://mydomain.com:8443 ).

I checked iptables rules.
ACCEPT tcp -- anywhere anywhere tcp dpt:https

I have now found the following lines in the default error_log
AH01909: RSA certificate configured for sec.mydomain.com:443 does NOT include an ID which matches the server name

and my nginx error_log says
6443#0: *1797 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client:
 
Hi UFHH01,

Sorry about that! Below are the error logs. Are these the right logs?

Logs
[Fri Aug 07 11:10:52 2015] [warn] RSA server certificate CommonName (CN) `www.domain.com' does NOT match server name!?
[Fri Aug 07 11:10:53 2015] [warn] RSA server certificate CommonName (CN) `www.domain.com' does NOT match server name!?

These errors are weird since the SSL should be working fine. We are under the impression that this may have happened since the customer installed a firewall. However, we do not see a trace of ports being blocked.

Please advise, thanks
 
Logs
[Fri Aug 07 11:10:52 2015] [warn] RSA server certificate CommonName (CN) `www.lanewgirl.com' does NOT match server name!?
[Fri Aug 07 11:10:53 2015] [warn] RSA server certificate CommonName (CN) `www.lanewgirl.com' does NOT match server name!?

This is JUST a warning.... nothing more and nothing less... it doesn't harm your configuration and system in any way. It just states, that the certificate "domain.com" should be changed sometime, to meet the correct configuration settings for your specific domain, defined at "ServerName domain.com" in your webserver configuration files.
 
Hi UFHH01,

Thanks for reaching back. Understood. What exactly (logs maybe?) would be needed from my end to get an idea of the issue to resolve?
 
Hi Xavier12,

please perform:

/usr/local/psa/admin/sbin/httpdmng --reconfigure-all

and maybe as well :

/usr/local/psa/bootstrapper/pp12.0.18-bootstrapper/bootstrapper.sh repair

... and report any issues/failures/problems ( and maybe corresponding logs, as shown in the output ).
 
Hi UFHH01,

Thanks for the follow-up. Tried both, neither one worked. Here is the output from the command line.

------
Bootstrap setup actions for Plesk 12.0.18

Usage: bootstrapper.sh <prep-install|post-install|rerun|perform-deferred-actions> [component|BASE]

bootstrapper.sh <repair|perform-deferred-actions>

Running 'bootstrapper.sh repair' with PLESK_INSTALLER_FAST_REPAIR=1 environment

variable set will skip some of the most time-consuming restore actions.
-------

Then back to the command line.

Please advise, thanks
 
Hi Xavier12,

please don't always use "copy&paste" to insert formatted text from the forum into a ssh-client... you might experience issues like yours, that the command is not exactly copied like you see it in the forum, but instead you might have copied invisible text and/or signs like spaces, or other non visible HTML - formats ( bold, colored in black, size=4, .... ). Please always make sure to copy your commands from the forums first into notepad or something similar, before copying then the unformatted text into your ssh-client.

In your case, the space between /usr/local/psa/bootstrapper/pp12.0.18-bootstrapper/bootstrapper.sh and repair is formatted as HTML space "&nbsp;" while you copied the command. bootstrapper doesn't know this string option as a command option and can't execute the option "repair" correctly. Please TYPE the space directly in your ssh-client and add the needed string "repair" in addition, before hitting "return", to execute the command - you will see that now the command is correctly recognized by bootstrapper and is being executed.
 
Hi UFHH01,

My apologies. So it processed and still the issue occurs. Below is the log

"START Bootstrapper 12.0.18 repair AT Sat Aug 8 23:48:44 EDT 2015

**** Product repair started.

===> Checking for previous installation ... found.
Started bootstrapper repair procedure. This may take a while.
Certain actions may be skipped if not applicable.

Trying to start service mysqld... mysqld (pid 1272) is running...
done
Trying to establish test connection... connected
done
Trying to start service mysqld... mysqld (pid 1272) is running...
done
Trying to establish test connection... connected
done
Trying to find psa database... version is 012000018
Version is OK, no need to create psa database.
Trying to backup MySQL database... Warning: Not dumping MySQL database 'atmail' as it doesn't exist
done
MySQL databases are dumped to /var/lib/psa/dumps/mysql.preupgrade.12.0.18-12.0.18.20150808-234845.dump.gz
Finishing up upgrade procedures and rerunning previously failed upgrade actions...
===> Cumulative APS controller database (apsc) upgrade and repair has been started.
Upgrade or repair for 'apsc' (stage 'prep') is not required
Trying to backup MySQL database... done
MySQL databases are dumped to /var/lib/psa/dumps/mysql.preupgrade.apsc.12.0.18-12.0.18.20150808-234847.dump.gz
===> Cumulative upgrade and repair of APS controller database has been completed.
Connection to APSC DB is possible
===> Cumulative APS controller upgrade and repair (final stage) has been started.
Upgrade or repair for 'apsc' (stage 'post') is not required
===> Cumulative upgrade and repair of APS controller (final stage) has been completed.
Trying to reset database user password for 'pma_KObYv1fq6y6t@'... done
===> Cumulative Plesk database upgrade and repair (revertable stage) has been started.
Upgrade or repair for 'core' (stage 'prep') is not required
===> Preparing Plesk database upgrade (revertable stage).
Trying to resolve hostname 'host.mydomain.com' and validate its IP address... done

Trying to set psa database version to 012000018... done
===> Cumulative upgrade and repair of Plesk database (revertable stage) has been completed.
Database is up-to-date
===> Cumulative Plesk upgrade and repair (final stage) has been started.
Upgrade or repair for 'core' (stage 'post') is not required
===> Preparing Plesk upgrade (final stage).
===> Cumulative upgrade and repair of Plesk (final stage) has been completed.
Trying to upgrade and repair Roundcube webmail configuration... Upgrade or repair for 'roundcube' (stage 'files') is not required
done
Upgrade of Roundcube Web Based mail client configs and DB is not required - no previous version
Trying to upgrade and repair Horde webmail configuration... Upgrade or repair for 'horde' (stage 'files') is not required
done
Trying to upgrade and repair Parallels Premium antivirus (DrWeb) service configuration (bootstrapper-prep stage)... Upgrade or repair for 'drweb' (stage 'bootstrapper-prep') is not required
done
Trying to upgrade and repair Parallels Premium antivirus (DrWeb) service configuration (bootstrapper-post stage)... Upgrade or repair for 'drweb' (stage 'bootstrapper-post') is not required
done
Trying to upgrade and repair Fail2Ban configuration (bootstrapper-prep stage)... Upgrade or repair for 'fail2ban' (stage 'bootstrapper-prep') is not required
done
Trying to upgrade and repair Fail2Ban configuration (bootstrapper-post stage)... Upgrade or repair for 'fail2ban' (stage 'bootstrapper-post') is not required
done
Trying to upgrade and repair Firewall service configuration... Upgrade or repair for 'firewall' (stage 'post') is not required
done
Reconfiguring mail subsystem...
Trying to execute mail_restore to synchronize mail server settings and Plesk Database... ==> Checking for: mailsrv_conf_init... ok
==> Checking for: mail_handlers_init... ok
==> Checking for: mailsrv_entities_dump... ok
==> Checking for: mail_admin_aliases... ok
==> Checking for: mail_auth_dump... ok
==> Checking for: mailman_lists_dump... ok
==> Checking for: mail_kav8_restore... ok
==> Checking for: mail_responder_restore... ok
==> Checking for: mail_imap_restore... ok
==> Checking for: mail_spam_restore... not found, skipped
==> Checking for: mail_grey_restore... ok
==> Checking for: mail_mailbox_restore... ok
==> Checking for: mail_spf_restore... ok
==> Checking for: mail_dk_restore... ok
==> Checking for: mail_drweb_restore... ok
==> Checking for: mail_outgoing_restore... ok
==> Checking for: mail_transport_restore... ok
done
Reconfiguring Apache web server...
Reconfiguring ProFTPD FTP server...
Reconfiguring AWStats web statistics...
Reconfiguring WatchDog...
Restoring SELinux contexts...
Regenerating web servers' configuration files...
Cleaning active Panel sessions...

Bootstrapper repair finished.
If problems persist, please check installer logs ('/var/log/plesk/install/plesk_12.0.18_repair.log' and '/var/log/plesk/install/plesk_12.0.18_repair_problems.log') for errors.
If you can't resolve the issue on your own, please address Parallels support.

**** Product repair completed successfully.

STOP Bootstrapper 12.0.18 repair AT Sat Aug 8 23:50:02 EDT 2015"
 
Hi UFHH01,

Thanks for reaching back. Here are the apache logs:


[Mon Aug 10 02:13:48 2015] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Mon Aug 10 02:13:48 2015] [notice] ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/) configured.
[Mon Aug 10 02:13:48 2015] [notice] ModSecurity: APR compiled version="1.3.9"; loaded version="1.3.9"
[Mon Aug 10 02:13:48 2015] [notice] ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
[Mon Aug 10 02:13:48 2015] [notice] ModSecurity: LIBXML compiled version="2.7.6"
[Mon Aug 10 02:13:48 2015] [notice] Original server signature: Apache
[Mon Aug 10 02:13:48 2015] [notice] Status engine is currently disabled, enable it by set SecStatusEngine to On.
[Mon Aug 10 02:13:48 2015] [notice] Digest: generating secret for digest authentication ...
[Mon Aug 10 02:13:48 2015] [notice] Digest: done
[Mon Aug 10 02:13:49 2015] [warn] RSA server certificate CommonName (CN) `Parallels Panel' does NOT match server name!?
[Mon Aug 10 02:13:49 2015] [warn] RSA server certificate CommonName (CN) `Parallels Panel' does NOT match server name!?
[Mon Aug 10 02:13:49 2015] [warn] RSA server certificate CommonName (CN) `Parallels Panel' does NOT match server name!?
[Mon Aug 10 02:13:49 2015] [warn] RSA server certificate CommonName (CN) `Parallels Panel' does NOT match server name!?
[Mon Aug 10 02:13:49 2015] [warn] RSA server certificate CommonName (CN) `Parallels Panel' does NOT match server name!?
[Mon Aug 10 02:13:49 2015] [warn] RSA server certificate CommonName (CN) `Parallels Panel' does NOT match server name!?
[Mon Aug 10 02:13:49 2015] [warn] RSA server certificate CommonName (CN) `Parallels Panel' does NOT match server name!?
[Mon Aug 10 02:13:49 2015] [warn] RSA server certificate CommonName (CN) `Parallels Panel' does NOT match server name!?
[Mon Aug 10 02:13:49 2015] [warn] RSA server certificate CommonName (CN) `Parallels Panel' does NOT match server name!?
[Mon Aug 10 02:13:49 2015] [warn] RSA server certificate CommonName (CN) `Parallels Panel' does NOT match server name!?
[Mon Aug 10 02:13:49 2015] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Mon Aug 10 02:13:49 2015] [error] python_init: Python version mismatch, expected '2.6.5', found '2.6.6'.
[Mon Aug 10 02:13:49 2015] [error] python_init: Python executable found '/usr/bin/python'.
[Mon Aug 10 02:13:49 2015] [error] python_init: Python path being used '/usr/lib64/python26.zip:/usr/lib64/python2.6/:/usr/lib64/python2.6/plat-linux2:/usr/lib64/python2.6/lib-tk:/usr/lib64/python2.6/lib-old:/usr/lib64/python2.6/lib-dynload'.
[Mon Aug 10 02:13:49 2015] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
[Mon Aug 10 02:13:49 2015] [notice] mod_python: using mutex_directory /tmp
[Mon Aug 10 02:13:49 2015] [notice] Apache/2.2.15 (Unix) DAV/2 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips Apache mod_fcgid/2.3.9 mod_python/3.3.1 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1 configured -- resuming normal operations
[Mon Aug 10 02:42:22 2015] [error] [client 78.193.156.105] script '/var/www/vhosts/default/htdocs/xmlrpc.php' not found or unable to stat
 
Hi Xavier12,

please use the integrated "insert..- " features from the forum to post logs, or code, or HTML, because it makes a post far easier to read and other users don't have to scroll 500 kilometers, when they would jump to the next or previous post. ^^


Back to your issues:

Please read the logs as well, because the issues directly point to it:

[Mon Aug 10 02:13:49 2015] [error] python_init: Python version mismatch, expected '2.6.5', found '2.6.6'.
Your apache2 was compiled with python 2.6.5, but the python on your system is version 2.6.6. Please correct that with correct updates or downgrades.

[Mon Aug 10 02:42:22 2015] [error] [client 78.193.156.105] script '/var/www/vhosts/default/htdocs/xmlrpc.php' not found or unable to stat
This states clearly, that you have a missing file "/var/www/vhosts/default/htdocs/xmlrpc.php".
"or unable to stat" could as well point to a misconfigured "hosts" - file ( /etc/hosts ) on your server, which should look like this:
Code:
127.0.0.1    localhost.localdomain    localhost
XXX.XXX.XXX.XX1    host1.example.com    host1
XXX.XXX.XXX.XX2    host2.example.com    host2
XXX.XXX.XXX.XX3    host3.example.com    host3
Please keep in mind, that some VPS providers overwrite the hosts - file on each reboot. So please check this, when you have to reboot your server.
 
Hi,

I've got the same problem as described by MaximillianM. But I can't get SSL back to work with his solution. What logs do you guys need to provide some help ??
 
Hi UFHH01,

Sorry for the inconvenience and thanks for the update. Python has been disabled and the hosts file has been modified. As far as the xmlrpc.php file, not sure why that is missing, or where I can find a replacement...

Apart from this, SSL still isn't working for a specific website that the customer has within Plesk. However, it works with the other sites.
 
Hi Xavier12,

The file "xmlrpc.php" is mostly part of a standard WordPress installation. You can copy it from any other WordPress installation and place it in the needed directory, if the WordPress installations have the same versions.


Hi hwiens,

we are talking about apache log - files in this thread, when they are needed for further investigations. Please be aware that a domain, configured over Plesk, has separate apache - log files in its vhost - folder as well. You might consider reading:

Odin / Parallels Plesk Panel for Linux services logs and configuration files ( KB - article: 111 283 )
 
Hi UFHH01,

Thanks for the update. It seems the issue that the customer had all of this time was a misconfiguration of Cloudflare with the Cloudflare ServerShield plugin that we were not aware was installed. Issue seems to be fixed. Thank you and sorry for the inconvenience.
 