
SSL certificate and SSO server

Discussion in 'Plesk 10.x for Linux Issues, Fixes, How-To' started by ospito, Jan 17, 2011.

  1. ospito

    ospito New Pleskian

    Hello,

    Last week I upgraded to Plesk 10.0.1 (from 9.x), but now I have trouble with my SSL cert. I'm using a paid Comodo SSL certificate (PositiveSSL) on my Plesk panel and that works fine (for many years already). On the SSO server the cert was missing, so I installed the same cert as on my Plesk panel using this guide: http://kb.odin.com/6138. The errors in my browser because of the invalid SSL cert are gone (so it seems to be ok), however when I want to log in from Plesk to Customer & Business Manager I get the following error:

    "Error: Signature is invalid"

    After that I can choose to log in with a local account (non-SSO) or try again with SSO (gives me the same error). Local-account login is working ok. The command "openssl s_client -connect server02.DOMAINNAME.com:11444" gives me the following output:

    =============================================================================================================

    [root@server02 sso]# openssl s_client -connect server02.DOMAINNAME.com:11444
    CONNECTED(00000003)
    depth=0 /OU=Domain Control Validated/OU=Hosted by XXX/OU=PositiveSSL/CN=server02.DOMAINNAME.com
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 /OU=Domain Control Validated/OU=Hosted by XXX/OU=PositiveSSL/CN=server02.DOMAINNAME.com
    verify error:num=27:certificate not trusted
    verify return:1
    depth=0 /OU=Domain Control Validated/OU=Hosted by XXX/OU=PositiveSSL/CN=server02.DOMAINNAME.com
    verify error:num=21:unable to verify the first certificate
    verify return:1
    ---
    Certificate chain
    0 s:/OU=Domain Control Validated/OU=Hosted by XXX/OU=PositiveSSL/CN=server02.DOMAINNAME.com
    i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    <CERTIFICATE>
    -----END CERTIFICATE-----
    subject=/OU=Domain Control Validated/OU=Hosted by XXX/OU=PositiveSSL/CN=server02.DOMAINNAME.com
    issuer=/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 1555 bytes and written 447 bytes
    ---
    New, TLSv1/SSLv3, Cipher is AES256-SHA
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
    Protocol : TLSv1
    Cipher : AES256-SHA
    Session-ID: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    Session-ID-ctx:
    Master-Key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    Key-Arg : None
    Krb5 Principal: None
    Start Time: 1295261409
    Timeout : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    ---

    =============================================================================================================


    So it seems there is something wrong with the CA-cert. However, when I specify the CA-cert, this is my output:

    =============================================================================================================

    [root@server02 sso]# openssl s_client -connect server02.DOMAINNAME.com:11444 -CAfile sso-ca.pem
    CONNECTED(00000003)
    depth=3 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
    verify return:1
    depth=2 /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
    verify return:1
    depth=1 /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
    verify return:1
    depth=0 /OU=Domain Control Validated/OU=Hosted by XXX/OU=PositiveSSL/CN=server02.DOMAINNAME.com
    verify return:1
    ---
    Certificate chain
    0 s:/OU=Domain Control Validated/OU=Hosted by XXX/OU=PositiveSSL/CN=server02.DOMAINNAME.com
    i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    <CERTIFICATE>
    -----END CERTIFICATE-----
    subject=/OU=Domain Control Validated/OU=Hosted by XXX/OU=PositiveSSL/CN=server02.DOMAINNAME.com
    issuer=/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 1555 bytes and written 447 bytes
    ---
    New, TLSv1/SSLv3, Cipher is AES256-SHA
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
    Protocol : TLSv1
    Cipher : AES256-SHA
    Session-ID: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    Session-ID-ctx:
    Master-Key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    Key-Arg : None
    Krb5 Principal: None
    Start Time: 1295261645
    Timeout : 300 (sec)
    Verify return code: 0 (ok)
    ---


    =============================================================================================================

    There seems to be no problem.

    My /etc/sso/sso-ca.pem:

    =============================================================================================================

    -----BEGIN RSA PRIVATE KEY-----
    <RSA-KEY>
    -----END RSA PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    <CACERT DATA PART 1>
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <CACERT DATA PART 2>
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <CACERT DATA PART 3>
    -----END CERTIFICATE-----
    -----BEGIN DH PARAMETERS-----
    <DATA>
    -----END DH PARAMETERS-----


    =============================================================================================================

    Thanks in advance!
     
    Last edited: Jan 17, 2011
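
Added example, not part of ospito's post or of Plesk's tooling: one way to read the two `openssl s_client` transcripts above. The `Certificate chain` section lists the certificates the server itself sent, while `-CAfile` only changes what the client trusts; the function names and the abridged sample transcripts are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise a saved `openssl s_client` transcript (read from stdin).
# Function names are hypothetical; sample transcripts are constructed.

# Count certificates the server sent: the "N s:" entries under "Certificate chain".
chain_sent() {
    awk '/^ *Certificate chain/ { c = 1; next }
         c && /^ *---/          { c = 0 }
         c && /^ *[0-9]+ s:/    { n++ }
         END                    { print n + 0 }'
}

# Extract the numeric "Verify return code" from the session summary.
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Combine both facts: codes 20/21 with a single sent certificate mean the
# client could not find the leaf's issuer and the server did not supply it.
diagnose() {
    out=$(cat)
    sent=$(printf '%s\n' "$out" | chain_sent)
    code=$(printf '%s\n' "$out" | verify_code)
    case "$code" in
        0)     echo "verified sent=$sent" ;;
        20|21) if [ "$sent" -le 1 ]; then
                   echo "issuer-missing leaf-only sent=$sent"
               else
                   echo "issuer-missing sent=$sent"
               fi ;;
        *)     echo "code=${code:-none} sent=$sent" ;;
    esac
}

# Constructed transcripts, abridged from the two outputs in the post.
sample_default() {
    cat <<'EOF'
---
Certificate chain
 0 s:/OU=PositiveSSL/CN=server02.DOMAINNAME.com
   i:/C=GB/O=Comodo CA Limited/CN=PositiveSSL CA
---
    Verify return code: 21 (unable to verify the first certificate)
EOF
}
sample_cafile() { sample_default | sed 's/code: 21 .*/code: 0 (ok)/'; }

sample_default | diagnose   # issuer-missing leaf-only sent=1
sample_cafile  | diagnose   # verified sent=1
```

A `verified sent=1` result with `-CAfile` shows that the local file completes the chain on the client side, not that the server presents the intermediates. Neither result identifies the cause of the SSO "Signature is invalid" error.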
  2. IgorG

    IgorG Forums Analyst Staff Member

  3. ospito

    ospito New Pleskian

    Is Plesk Billing the same as Customer & Business Manager?

    I already found that guide, and did the "/usr/local/psa/bin/sso -s -server https://server02.DOMAINNAME.com:11443 -url https://server02.DOMAINNAME.com:11444", but I couldn't find:

    "Billing -> System -> System Configuration -> SSO Settings"?
     
  4. ospito

    ospito New Pleskian

    I'm still waiting for a solution...
     
  5. Eurotimmy

    Eurotimmy New Pleskian

    Hey ospito... did this get solved for you yet?
    If so, can you please share?

    I have this error as well... I'm on a Windows machine and the instruction link you got from IgorG doesn't address Windows, and the CBM doesn't contain the part known as "Billing -> System -> System Configuration -> SSO Settings" from what I can see in mine.

    I'm having concerns about the customer billing manager now that my job logged with their support team has gone unresolved for 10 days.
     
  6. ospito

    ospito New Pleskian

    No, I'm still waiting for a solution. Unfortunately Parallels/Plesk-support doesn't give much support.... :-(
     
  7. Ipswise

    Ipswise New Pleskian

    Word! I have the same problem and the Plesk support ignores this completely. The Plesk support is very bad, I think...
     
  8. StuartGoss

    StuartGoss Guest

     
    Same problem here as well. Have re-imaged test server and reproduced the SSL error in exactly the same way.

    We've tested with certs from Comodo and Godaddy with the same result.

    Anything Parallels?
     
  9. ospito

    ospito New Pleskian

    Kicking this thread again...still no solution!!!
     
  10. IgorG

    IgorG Forums Analyst Staff Member

    Do you have a support ticket ID? Please let me know and I will check it and escalate if necessary.
     