SSL certificate and SSO server

ospito

New Pleskian
Hello,

Last week I upgraded to Plesk 10.0.1 (from 9.x), but now I have troubles with my SSL cert. I'm using a paid Comodo SSL certificate (PositiveSSL) on my Plesk panel and that works fine (for many years already). On SSO server the cert was missing, so I installed the same cert as on my Plesk panel using this guide: http://kb.odin.com/6138. The errors in my browser because of the invalid SSL cert are gone (so it seems to be ok), however when I want to log in from Plesk to Customer & Business Manager I get the following error:

"Error: Signature is invalid"

After that I can choose to log in with a local account (non-SSO) or try again with SSO (gives me the same error). Local-account login is working ok. The command "openssl s_client -connect server02.DOMAINNAME.com:11444" gives me the following output:

=============================================================================================================

[root@server02 sso]# openssl s_client -connect server02.DOMAINNAME.com:11444
CONNECTED(00000003)
depth=0 /OU=Domain Control Validated/OU=Hosted by XXX/OU=PositiveSSL/CN=server02.DOMAINNAME.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /OU=Domain Control Validated/OU=Hosted by XXX/OU=PositiveSSL/CN=server02.DOMAINNAME.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /OU=Domain Control Validated/OU=Hosted by XXX/OU=PositiveSSL/CN=server02.DOMAINNAME.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=Hosted by XXX/OU=PositiveSSL/CN=server02.DOMAINNAME.com
i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
---
Server certificate
-----BEGIN CERTIFICATE-----
<CERTIFICATE>
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=Hosted by XXX/OU=PositiveSSL/CN=server02.DOMAINNAME.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
---
No client certificate CA names sent
---
SSL handshake has read 1555 bytes and written 447 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Session-ID-ctx:
Master-Key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Key-Arg : None
Krb5 Principal: None
Start Time: 1295261409
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---

=============================================================================================================


So it seems there is something wrong with the CA-cert. However, when I specify the CA-cert, this is my output:

=============================================================================================================

[root@server02 sso]# openssl s_client -connect server02.DOMAINNAME.com:11444 -CAfile sso-ca.pem
CONNECTED(00000003)
depth=3 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
verify return:1
depth=2 /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
verify return:1
depth=1 /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
verify return:1
depth=0 /OU=Domain Control Validated/OU=Hosted by XXX/OU=PositiveSSL/CN=server02.DOMAINNAME.com
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=Hosted by XXX/OU=PositiveSSL/CN=server02.DOMAINNAME.com
i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
---
Server certificate
-----BEGIN CERTIFICATE-----
<CERTIFICATE>
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=Hosted by XXX/OU=PositiveSSL/CN=server02.DOMAINNAME.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
---
No client certificate CA names sent
---
SSL handshake has read 1555 bytes and written 447 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Session-ID-ctx:
Master-Key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Key-Arg : None
Krb5 Principal: None
Start Time: 1295261645
Timeout : 300 (sec)
Verify return code: 0 (ok)
---


=============================================================================================================

There seems to be no problem.

My /etc/sso/sso-ca.pem:

=============================================================================================================

-----BEGIN RSA PRIVATE KEY-----
<RSA-KEY>
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
<CACERT DATA PART 1>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<CACERT DATA PART 2>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<CACERT DATA PART 3>
-----END CERTIFICATE-----
-----BEGIN DH PARAMETERS-----
<DATA>
-----END DH PARAMETERS-----


=============================================================================================================

Thanks in advance!
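
In both s_client runs quoted above, the "Certificate chain" section lists a single entry (0), so the server on port 11444 presents only the leaf certificate; the second run verifies because `-CAfile` supplies the issuers locally. The following is an added example, not part of the original post or of Plesk, that parses s_client output and reports that difference; the function name `analyze` and the trimmed sample strings are constructed here from the output in the post.

```python
import re

# Constructed samples: trimmed from the two s_client runs quoted in the post.
LEAF = "/OU=Domain Control Validated/OU=Hosted by XXX/OU=PositiveSSL/CN=server02.DOMAINNAME.com"
ISSUER = "/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA"
CHAIN = f"---\nCertificate chain\n 0 s:{LEAF}\n   i:{ISSUER}\n---\n"
RUN_DEFAULT = (
    f"depth=0 {LEAF}\nverify error:num=20:unable to get local issuer certificate\n"
    f"verify return:1\n{CHAIN}"
    "Verify return code: 21 (unable to verify the first certificate)\n"
)
RUN_CAFILE = (
    "depth=3 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root\n"
    "verify return:1\n"
    "depth=2 /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network"
    "/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware\nverify return:1\n"
    f"depth=1 {ISSUER}\nverify return:1\ndepth=0 {LEAF}\nverify return:1\n{CHAIN}"
    "Verify return code: 0 (ok)\n"
)


def analyze(output):
    """Compare what the server sent with what the verifier had to assemble."""
    section = re.search(r"^Certificate chain\n(.*?)^---", output, re.M | re.S)
    # Each served certificate appears as an "N s:<subject>" / "i:<issuer>" pair.
    sent = re.findall(r"^\s*\d+ s:(.+)\n\s*i:(.+)$", section.group(1), re.M) if section else []
    depths = [int(d) for d in re.findall(r"^depth=(\d+) ", output, re.M)]
    built = max(depths) + 1 if depths else 0  # length of the path the verifier walked
    m = re.search(r"Verify return code: (\d+)", output)
    code = int(m.group(1)) if m else -1
    # Certificates the client needed but the server did not present.
    # On success this count includes the root, which always comes from the local store.
    from_local = max(built - len(sent), 0)
    if code == 0 and from_local > 1:
        finding = "verified, but intermediates came from the local CA file, not the server"
    elif code in (20, 21) and sent and sent[-1][0] != sent[-1][1]:
        finding = "served chain stops short of a trusted issuer"
    elif code == 0:
        finding = "served chain is complete"
    else:
        finding = "verification failed for another reason"
    return {"sent": len(sent), "built": built, "from_local": from_local,
            "code": code, "finding": finding}


if __name__ == "__main__":
    for name, run in (("default trust store", RUN_DEFAULT), ("-CAfile sso-ca.pem", RUN_CAFILE)):
        print(name, analyze(run))
```

A client that does not load the same CA file sees the first result, not the second.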
 
Is Plesk Billing the same as Customer & Business Manager?

I already found that guide, and did the "/usr/local/psa/bin/sso -s -server https://server02.DOMAINNAME.com:11443 -url https://server02.DOMAINNAME.com:11444", but I couldn't find:

"Billing -> System -> System Configuration -> SSO Settings"?
 
Hey ospito... did this get solved for you yet?
If so, can you please share?

I have this error as well... I'm on a Windows machine and the instruction link you got from IgorG doesn't address Windows and the CBM doesn't contain the part known as "Billing -> System -> System Configuration -> SSO Settings" from what I can see in mine.

I'm having concerns about the customer billing manager now that my job logged with their support team has gone unresolved for 10 days.
 
No, I'm still waiting for a solution. Unfortunately Parallels/Plesk-support doesn't give much support.... :-(
 
Word! I have the same problem and the Plesk support ignores this completely. The Plesk support is very bad I think...
 
Same problem here as well. Have re-imaged test server and reproduced the SSL error in exactly the same way.

We've tested with certs from Comodo and Godaddy with the same result.

Anything Parallels?
 
Do you have a support ticket ID? Please let me know and I will check it and escalate if necessary.
 