
SSL - Can't get Apache to use new certificate

Peach@

Guest
Hello. I was hoping someone can help me solve this problem. I've searched this forum for answers, but nothing I tried has worked so far... I am running CentOS 4.2 and Plesk 8.1 on a VPS.

I've purchased a SSL certificate for "www.xxxxx.com". I thought I set it up correctly in Plesk, but Apache continues to call up the default certificate created by Plesk when I use "https://www.xxxxx.com" (or any domain hosted by this server for that matter - I only have 1 IP).

Here are some details. I'm not sure where I'm making a mistake(s):

The default domain in Plesk is set to "xxxxx.com".

I've installed the certificate in Server > Certificate, set the new certificate as "Default", checked "Setup". The certificate is now in bold (default?).

In Server > IP Addresses, the new certificate is selected from the pulldown. In both Clients and Domains sections, I see the new certificate as the main certificate. It shows as www.xxxxx.com (Administrator's repository)

I've stopped and started Apache in Plesk. Also in Virtuozzo, I stopped and started both "httpd" and "psa".

I see a newly created certificate file in /usr/local/psa/var/certificates/,
In httpd.include, "SSLCertificateFile" is correctly linked to this file.

I see that
/usr/local/psa/admin/conf/httpsd.pem
has been updated although
/etc/httpd/conf/httpd.pem
didn't get updated (I also tried by updating it manually as someone suggested it in this forum).

I also tried a suggestion mentioned in this thread: http://forum.swsoft.com/showthread.php?s=&threadid=35761

I restarted my web browser a hundred times. I still get presented with the old certificate when I access the domain. I also tried setting up the certificate for a specific domain inside the Domain section instead of creating it in the Server section, but it didn't work either. What else should I try? I must be missing something. I would appreciate any suggestions. Thanks!
 
Go to: Server - IP - Select your IP

And select your SSL certificate from the menu.

It should work.
 
Thanks for the suggestion. I have in fact already tried it before I posted my question. The Service > IP Addresses is already showing:

IP type: exclusive
SSL certificate: www.xxxxx.com
Default domain: xxxxx.com
Default IP address: Yes

In the Plesk control panel, it seems like everything is set up the way it should be. When I stopped Apache, I made sure that the service was actually stopped before I restarted it. It seems as if Apache is reading the conf files from somewhere else.

Anything else I should try? Thanks again!
 
Hi, Highland.
Unfortunately, I've already tried it too (please see my original post). It didn't work :( The only thing I had to do differently from the original post was that I couldn't find the "service" command to execute the following in shell:

#service httpd restart

So instead, I stopped and started httpd in Virtuozzo, but it should be the same thing, shouldn't it?

Everything in Plesk looks like it should work (at least from what I have read so far).

Do any of these make any difference?
1) The new certificate is for "www.xxxxx.com" but I haven't created a subdomain called "www.xxxxx.com". When I created "xxxxx.com", I simply checked the WWW box.

2) I only filled in Private Key and Certificate boxes when I created a new certificate - no CSA or CA data. Is it possible that the certificate is not properly installed although it shows up fine in Plesk?

Does anyone have any more suggestions?
Thanks!
 
Originally posted by Peach
2) I only filled in Private Key and Certificate boxes when I created a new certificate - no CSA or CA data. Is it possible that the certificate is not properly installed although it shows up fine in Plesk?

Does anyone have any more suggestions?
Thanks!

Sorry bout that. Was in a rush and skimmed through.

SSL certs are generated for a Fully Qualified Domain Name (FQDN). The only exception would be a wildcard cert which works for any subdomain for a given domain (different setup entirely on that). So if your cert says it's for www.domain.com you can't use it for https://domain.com

You can have only one SSL cert per IP. Apache loads that cert and only that cert. So if it's using your domain's SSL it will show up for every domain on that IP when you try to use https.

There's 3 parts to a SSL cert request:

The CSR is used to request a certificate. When you apply for your cert you will need one generated by the server. This has all the pertinent info in an encrypted format. You don't need it in your cert but it's part of the process. If your CSR was generated by a third party you don't need to provide it to the server (I know 1and1 does this, not sure about other hosts)

The private key is also generated by the server/CSR generator and is used for decryption purposes.

The Certificate is what comes signed by your authority (it's what you pay for) and it lets people know that a trusted signatory says it's legit. Once you have this your certificate is complete. This is what the general public gets when they hit your site.

CA Certificate is used for an intermediate certificate (Godaddy, for instance, uses one) without which the cert will not properly verify. I do not believe all SSL vendors use them so you only need to install one if your SSL vendor provides it.

That should stop and start apache by using the control panel. If that doesn't work you can try
#apachectl graceful

Another thing is to make sure your files are being read. Try this command and post it here
#httpd -S
 
Thanks, Highland.
I see two potential problems with my set up.

1)
You can have only one SSL cert per IP. Apache loads that cert and only that cert. So if it's using your domain's SSL it will show up for every domain on that IP when you try to use https.

I have not deleted the default certificate as I was afraid that I wouldn't be able to access Plesk. I only have one IP. Do I have to delete the default certificate before I can see the new certificate?

2)
SSL certs are generated for a Fully Qualified Domain Name (FQDN). The only exception would be a wildcard cert which works for any subdomain for a given domain (different setup entirely on that). So if your cert says it's for www.domain.com you can't use it for https://domain.com

I only created a domain xxxxx.com and not www.xxxxx.com. The certificate is for www.xxxxx.com. So, I need to create a new subdomain www.xxxxx.com? Does that mean I have to uncheck "WWW" in the site setup for xxxxx.com and treat www.xxxxx.com as a subdomain?


Here is the output of httpd -S. I've replaced my IP address with 999.999.99.999 and the domain with xxxxx.com:


VirtualHost configuration:
999.999.99.999:80 is a NameVirtualHost
default server xxxxx.com (/var/www/vhosts/xxxxx.com/conf/httpd.include:73)
port 80 namevhost mediafuzepro.com (/var/www/vhosts/xxxxx.com/conf/httpd.include:73)
port 80 namevhost default (/etc/httpd/conf.d/zz010_psa_httpd.conf:47)
port 80 namevhost webmail (/etc/httpd/conf.d/zz010_psa_httpd.conf:101)
port 80 namevhost lists (/etc/httpd/conf.d/zz010_psa_httpd.conf:169)
999.999.99.999:443 is a NameVirtualHost
default server xxxxx.com (/var/www/vhosts/xxxxx.com/conf/httpd.include:12)
port 443 namevhost mediafuzepro.com (/var/www/vhosts/xxxxx.com/conf/httpd.include:12)
port 443 namevhost default-999-999-99-999 (/etc/httpd/conf.d/zz010_psa_httpd.conf:78)
port 443 namevhost webmail (/etc/httpd/conf.d/zz010_psa_httpd.conf:133)
port 443 namevhost lists (/etc/httpd/conf.d/zz010_psa_httpd.conf:189)
wildcard NameVirtualHosts and _default_ servers:
_default_:443 xxxxx.com (/etc/httpd/conf.d/ssl.conf:88)
Syntax OK


Thanks again!
 
UPDATE

It turns out that my certificate is not installed properly. When I purchased a certificate from my hosting company, there were two options - either they generate CSR or I generate CSR. I chose the former. Obviously, (although it wasn't obvious to me at all) I should have checked the latter to generate my own CSR. So I'm in the process of getting my certificate regenerated using my own CSR. I will post the results once I get it done.
 
I had the same problem with a self created certificate. Don't ask me how many tries I have behind me, and don't ask me why it is now running, but now it is running.

Everything looked great in Plesk but the browser showed the old certificate ....

When I used the "setup" button in the certification area in Plesk, sometimes Plesk was gone to nowhere, but I think I was a little bit stronger than Plesk and suddenly it worked .... ;):D
 
Moving the thread

I'm moving this thread to:
http://forum.swsoft.com/showthread.php?s=&postid=163739

Just in case someone makes a mistake like me... For me, Highland's previous post was very helpful:

There's 3 parts to a SSL cert request:

The CSR is used to request a certificate. When you apply for your cert you will need one generated by the server. This has all the pertinent info in an encrypted format. You don't need it in your cert but it's part of the process. If your CSR was generated by a third party you don't need to provide it to the server (I know 1and1 does this, not sure about other hosts)

The private key is also generated by the server/CSR generator and is used for decryption purposes.

The Certificate is what comes signed by your authority (it's what you pay for) and it lets people know that a trusted signatory says it's legit. Once you have this your certificate is complete. This is what the general public gets when they hit your site.

CA Certificate is used for an intermediate certificate (Godaddy, for instance, uses one) without which the cert will not properly verify. I do not believe all SSL vendors use them so you only need to install one if your SSL vendor provides it.

My problem was that I was supposed to generate my own CSR before I ordered SSL, but I didn't. I used hosting company generated CSR...
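
An added example, not part of any post in this thread: two checks that bear on the points discussed above, whether a certificate file belongs to the private key installed beside it (the concern when the CSR was generated somewhere else), and whether it covers the exact host name requested. The example.test names, file names and helper function names are constructed for the demo; it assumes an OpenSSL command-line tool that has `pkey` and `-checkhost` (1.0.2 or later).

```shell
#!/bin/sh
# Added example (not from the thread). File names, helper names and the
# example.test host names are constructed for this demo.

# 0 if the certificate's public key is the one derived from the private key.
cert_matches_key() {   # usage: cert_matches_key CERT.pem KEY.pem
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate is valid for exactly the host name given.
cert_covers_host() {   # usage: cert_covers_host CERT.pem HOSTNAME
    openssl x509 -in "$1" -noout -checkhost "$2" 2>&1 | grep -q 'does match'
}

# Constructed demo material: a key plus self-signed certificate for
# www.example.test (a matching pair), and an unrelated second key that
# stands in for a key the certificate was never issued for.
make_demo() {          # usage: make_demo DIR
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=www.example.test" \
        -keyout "$1/server.key" -out "$1/server.crt" >/dev/null 2>&1 &&
    openssl genrsa -out "$1/other.key" 2048 >/dev/null 2>&1
}

report() {             # usage: report LABEL COMMAND [ARGS...]
    label=$1; shift
    if "$@"; then echo "$label: OK"; else echo "$label: MISMATCH"; fi
}

demo_dir=$(mktemp -d) || exit 1
trap 'rm -rf "$demo_dir"' EXIT
make_demo "$demo_dir" || exit 1

report "server.crt / server.key" cert_matches_key "$demo_dir/server.crt" "$demo_dir/server.key"
report "server.crt / other.key " cert_matches_key "$demo_dir/server.crt" "$demo_dir/other.key"
report "covers www.example.test" cert_covers_host "$demo_dir/server.crt" www.example.test
report "covers example.test    " cert_covers_host "$demo_dir/server.crt" example.test
```

On a real server the two arguments to `cert_matches_key` would be the certificate and key files that the `SSLCertificateFile` and `SSLCertificateKeyFile` directives point to.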
 