• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Resolved SSL certificate problem only in IE

Heppi75

Basic Pleskian
hi,

I have problem with the SSL cert only in internet explorer.

I am running centOS 7 with plesk 12.5.30 (latest build). could anyone help why only the internet explorer is not working correct with the cert?

here is the url - I tried it in internet explorer 11 - with the message that I should check the TLS settings:

https://www.bioaustria.at/

maybe someone could help me please!
 
Last edited:
Hi,
I just visited your site in Edge and IE with no error, are you still having the issue? If so try to clear your browser cache.
Kind regards

Lloyd
 
No, I can't access it (Win8.1/IE11)

... and there is a curious error page (see attached screen capture).

... but the error in the error page seems to be a local IE11 thing...
 

Attachments

  • capture.png
    capture.png
    19.9 KB · Views: 6
Last edited:
@Sergio Manzi, @Heppi75,

The site opens normally for me as well (Windows 10, IE 11).

But it seems you have 'enabled' HTTP/2 on your server, which by default generates 'strict' cipher suites, making a lot of devices unable to connect, check SSL labs for some useful info about your configuration > https://www.ssllabs.com/ssltest/analyze.html?d=www.bioaustria.at

You might also want to read more on the issue on this thread > https://talk.plesk.com/threads/nginx-http-2-support-cipher-problems.337707/

To sum up, a solution would be to change your cipher list, you can use this in your /etc/nginx/conf.d/ssl.conf to enable support for 'most' devices
Code:
ssl_ciphers EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AEAES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:CHACHA20:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 
Last edited:
Hi, @Heppi75!

Glad you solved your issue, but.... which of the many suggestions of https://talk.plesk.com/threads/nginx-http-2-support-cipher-problems.337707/ have you adopted?

Personally I find wisdom in @trialotto answer, i.e. "not lower TLS versions in the case that HTTP/2 support is enabled".

I'm not an expert in the matter, but it seems to be logical that if you enable HTTP/2 you want it to behave like it is expected and not use TLS < 1.2 (or just use good old HTTP/1.1).

I'm anyway very open to be corrected on this point of view...

 
hi, sergio

I only adapted the ssl_ciphers settings this way:
EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:CHACHA20:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!EDH+3DES;
 
Now I can reach it, but I see HTTP/1.1 is used (see attached request and response snapshots...)
 

Attachments

  • request.png
    request.png
    17.9 KB · Views: 6
  • response.png
    response.png
    19 KB · Views: 6
... but on the other hand, when accessing from Firefox I see HTTP/2 is used, so apparently you have found and used the magic combination of ciphers that allows you to use HTTP/2 if supported by the browser or HTTP/1.1 if not... ;)

It would be nice if someone with more experience than I have in this kind of things would confirm that this is OK...

P.S.: and https://www.ssllabs.com/ssltest/analyze.html?d=www.bioaustria.at says that you can exchange keys and be seen by everybody except IE6/XP, IE8/XP, Java 6 and Android 2.3.7
 
Last edited:
@Sergio Manzi, @Heppi75,

The site opens normally for me as well (Windows 10, IE 11).

But it seems you have 'enabled' HTTP/2 on your server, which by default generates 'strict' cipher suites, making a lot of devices unable to connect, check SSL labs for some useful info about your configuration > SSL Server Test: www.bioaustria.at (Powered by Qualys SSL Labs)

You might also want to read more on the issue on this thread > Resolved - nginx HTTP/2 support cipher problems

To sum up, a solution would be to change your cipher list, you can use this in your /etc/nginx/conf.d/ssl.conf to enable support for 'most' devices
Code:
ssl_ciphers EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AEAES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:CHACHA20:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
You saved my day in the end of 2020 :)
 
Back
Top