• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion

Resolved [SOLVED] Problem with SSL Settings

X

X00LA

New Pleskian
Hello,

I'm new in Plesk and I got some problems to get https working right.
My certs working fine but I want to enable session caching, forward secrecy and custom DH parameters. I searched the last days and tested many different solutions, but I always get errors and the activation failed.
When I change the template files in /usr/local/psa/admin/conf/templates/custom/domain the settings will appear in the generated configs, but does'nt get activated.
I test the configs with ssllabs.com/ssltest but I got always the same result.
I changed the settings to enable caching, when I want to enable it, apache crashes.
When I change the settings for forward secrecy, nothing will happen. The settings appear in the generated configs but they did'nt get activated.
I added the dhparams to my cert file, but there is no change in the result of the ssltest.
It's a pain to get some things working in Plesk. That's not what I had imagined as I switched to it.

I hope someone can help me with this problems.

I use Ubuntu 14.04, Apache 2.4.7, OpenSSL 1.0.2g.

Thank's
 
Hi X00LA,
the templates you need to edit for domains are...

Domains
/opt/psa/admin/conf/templates/custom/domain/nginxDomainVirtualHost.php
/opt/psa/admin/conf/templates/custom/server/nginxVhosts.php

Webmail
/opt/psa/admin/conf/templates/custom/nginxWebmailPartial.php

DHParam: I find it better to create a file and add the directive to the templates.
Code: 
ssl_dhparam                 /etc/ssl/dh/RSA2048.pem;

Session Cache: can be set in the templates too..
Code: 
ssl_session_cache                  shared:SSL:5m;
Ciphers (from Qualys):
Code: 
ssl_ciphers                 EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;


As for Apache, I just edit...

/etc/apache2/mods-available/ssl.conf
Code: 
    SSLProtocol all -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite  EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

And restart apache, and regenerate domain config...
/opt/psa/admin/bin/httpdmng--reconfigure-all
Click to expand...


From there you can add OCSP (in Additional Nginx Directives), HSTS and HPKP (in Additional HTTPS Directives) on a per domain basis.
Any other questions post away and I'll be happy to help.
Regards

Lloyd
 
Hi Loyd,

thank you for your help.
Now it works like it should.
This answer safes me many hours. I was dump to do not ask earlier here.

A "BIG" Thank you!

X00LA
 
You must log in or register to reply here.

Similar threads

kaw.one
Question (VPS) Cloudflare, Gmail and Other Plesk Panel 8443 (2 minutes - slow read)
Replies
1
Views
583
kaw.one
kaw.one
D
Issue Can't enable TLSv1 and TLSv1.1 on Ubuntu 22.04
Replies
4
Views
5K
omniscient
O
P
Outgoing email messages not DKIM signed when enabled for a domain and in server settings
2
Replies
20
Views
5K
enerspace
enerspace
H
Resolved Plesk change DKIM signature when reload or saving the "Mail Settings for domain.tld" page
Replies
12
Views
3K
AYamshanov
AYamshanov
Alex Presland
Issue Emails forwarded by Plesk fail DKIM checks with certain attachments
2
Replies
21
Views
2K
Alex Presland
Alex Presland
Back
Top