Hello,
Last week I upgraded to Plesk 10.0.1 (from 9.x), but now I have trouble with my SSL cert. I'm using a paid Comodo SSL certificate (PositiveSSL) on my Plesk panel and that works fine (for many years already). On the SSO server the cert was missing, so I installed the same cert as on my Plesk panel using this guide: http://kb.odin.com/6138. The errors in my browser because of the invalid SSL cert are gone (so it seems to be ok), however when I want to log in from Plesk to Customer & Business Manager I get the following error:
"Error: Signature is invalid"
After that I can choose to log in with a local account (non-SSO) or try again with SSO (gives me the same error). Local-account login is working ok. The command "openssl s_client -connect server02.DOMAINNAME.com:11444" gives me the following output:
=============================================================================================================
[root@server02 sso]# openssl s_client -connect server02.DOMAINNAME.com:11444
CONNECTED(00000003)
depth=0 /OU=Domain Control Validated/OU=Hosted by XXX/OU=PositiveSSL/CN=server02.DOMAINNAME.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /OU=Domain Control Validated/OU=Hosted by XXX/OU=PositiveSSL/CN=server02.DOMAINNAME.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /OU=Domain Control Validated/OU=Hosted by XXX/OU=PositiveSSL/CN=server02.DOMAINNAME.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=Hosted by XXX/OU=PositiveSSL/CN=server02.DOMAINNAME.com
i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
---
Server certificate
-----BEGIN CERTIFICATE-----
<CERTIFICATE>
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=Hosted by XXX/OU=PositiveSSL/CN=server02.DOMAINNAME.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
---
No client certificate CA names sent
---
SSL handshake has read 1555 bytes and written 447 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Session-ID-ctx:
Master-Key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Key-Arg : None
Krb5 Principal: None
Start Time: 1295261409
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
=============================================================================================================
So it seems there is something wrong with the CA-cert. However, when I specify the CA-cert, this is my output:
=============================================================================================================
[root@server02 sso]# openssl s_client -connect server02.DOMAINNAME.com:11444 -CAfile sso-ca.pem
CONNECTED(00000003)
depth=3 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
verify return:1
depth=2 /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
verify return:1
depth=1 /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
verify return:1
depth=0 /OU=Domain Control Validated/OU=Hosted by XXX/OU=PositiveSSL/CN=server02.DOMAINNAME.com
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=Hosted by XXX/OU=PositiveSSL/CN=server02.DOMAINNAME.com
i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
---
Server certificate
-----BEGIN CERTIFICATE-----
<CERTIFICATE>
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=Hosted by XXX/OU=PositiveSSL/CN=server02.DOMAINNAME.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
---
No client certificate CA names sent
---
SSL handshake has read 1555 bytes and written 447 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Session-ID-ctx:
Master-Key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Key-Arg : None
Krb5 Principal: None
Start Time: 1295261645
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
=============================================================================================================
There seems to be no problem.
My /etc/sso/sso-ca.pem:
=============================================================================================================
-----BEGIN RSA PRIVATE KEY-----
<RSA-KEY>
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
<CACERT DATA PART 1>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<CACERT DATA PART 2>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<CACERT DATA PART 3>
-----END CERTIFICATE-----
-----BEGIN DH PARAMETERS-----
<DATA>
-----END DH PARAMETERS-----
=============================================================================================================
Thanks in advance!
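
As an added example (not part of the original post), this shell function summarises `openssl s_client` output like the two transcripts above: it counts the certificates the server actually presented under "Certificate chain" and compares that with the length of the chain the client verified. The function name `chain_summary` and the abridged sample transcripts are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: summarise `openssl s_client` text read from stdin.
#   sent  = certificates the server presented ("Certificate chain" entries)
#   built = length of the chain the client verified (highest depth + 1)
#   local = certificates the client had to supply itself (built - sent)
chain_summary() {
  awk '
    /^Certificate chain/       { in_chain = 1; next }
    in_chain && /^---/         { in_chain = 0 }
    in_chain && /^ *[0-9]+ s:/ { sent++ }
    /^depth=[0-9]+/            { split($1, d, "="); seen = 1
                                 if (d[2] + 0 > maxd) maxd = d[2] + 0 }
    /Verify return code:/      { sub(/.*Verify return code: */, ""); code = $1 }
    END {
      built = seen ? maxd + 1 : 0
      printf "sent=%d built=%d local=%d code=%s\n", sent, built, built - sent, code
    }'
}

# Constructed samples, abridged from the two transcripts in the post.
WITHOUT_CAFILE='depth=0 /OU=PositiveSSL/CN=server02.DOMAINNAME.com
verify error:num=20:unable to get local issuer certificate
verify return:1
---
Certificate chain
 0 s:/OU=PositiveSSL/CN=server02.DOMAINNAME.com
   i:/C=GB/O=Comodo CA Limited/CN=PositiveSSL CA
---
    Verify return code: 21 (unable to verify the first certificate)'

WITH_CAFILE='depth=3 /C=SE/O=AddTrust AB/CN=AddTrust External CA Root
verify return:1
depth=2 /C=US/O=The USERTRUST Network/CN=UTN-USERFirst-Hardware
verify return:1
depth=1 /C=GB/O=Comodo CA Limited/CN=PositiveSSL CA
verify return:1
depth=0 /OU=PositiveSSL/CN=server02.DOMAINNAME.com
verify return:1
---
Certificate chain
 0 s:/OU=PositiveSSL/CN=server02.DOMAINNAME.com
   i:/C=GB/O=Comodo CA Limited/CN=PositiveSSL CA
---
    Verify return code: 0 (ok)'

printf '%s\n' "$WITHOUT_CAFILE" | chain_summary
printf '%s\n' "$WITH_CAFILE"    | chain_summary
```

In both transcripts the server presents only certificate 0; with `-CAfile` the three issuing certificates come from the client's own file, which is why the second run reports `local=3` and return code 0.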