• Our team is looking to connect with folks who use email services provided by Plesk, or a premium service. If you'd like to be part of the discovery process and share your experiences, we invite you to complete this short screening survey. If your responses match the persona we are looking for, you'll receive a link to schedule a call at your convenience. We look forward to hearing from you!
  • We are looking for U.S.-based freelancer or agency working with SEO or WordPress for a quick 30-min interviews to gather feedback on XOVI, a successful German SEO tool we’re looking to launch in the U.S.
    If you qualify and participate, you’ll receive a $30 Amazon gift card as a thank-you. Please apply here. Thanks for helping shape a better SEO product for agencies!
  • The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.

Resolved SSL certificate problem only in IE

H

Heppi75

Basic Pleskian
hi,

I have problem with the SSL cert only in internet explorer.

I am running centOS 7 with plesk 12.5.30 (latest build). could anyone help why only the internet explorer is not working correct with the cert?

here is the url - I tried it in internet explorer 11 - with the message that I should check the TLS settings:

https://www.bioaustria.at/

maybe someone could help me please!
 
Last edited:
Hi,
I just visited your site in Edge and IE with no error, are you still having the issue? If so try to clear your browser cache.
Kind regards

Lloyd
 
No, I can't access it (Win8.1/IE11)

... and there is a curious error page (see attached screen capture).

... but the error in the error page seems to be a local IE11 thing...
 

Attachments

  • capture.png
    capture.png
    19.9 KB · Views: 6
Last edited:
@Sergio Manzi, @Heppi75,

The site opens normally for me as well (Windows 10, IE 11).

But it seems you have 'enabled' HTTP/2 on your server, which by default generates 'strict' cipher suites, making a lot of devices unable to connect, check SSL labs for some useful info about your configuration > https://www.ssllabs.com/ssltest/analyze.html?d=www.bioaustria.at

You might also want to read more on the issue on this thread > https://talk.plesk.com/threads/nginx-http-2-support-cipher-problems.337707/

To sum up, a solution would be to change your cipher list, you can use this in your /etc/nginx/conf.d/ssl.conf to enable support for 'most' devices
Code: 
ssl_ciphers EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AEAES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:CHACHA20:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 
Last edited:
Hi, @Heppi75!

Glad you solved your issue, but.... which of the many suggestions of https://talk.plesk.com/threads/nginx-http-2-support-cipher-problems.337707/ have you adopted?

Personally I find wisdom in @trialotto answer, i.e. "not lower TLS versions in the case that HTTP/2 support is enabled".

I'm not an expert in the matter, but it seems to be logical that if you enable HTTP/2 you want it to behave like it is expected and not use TLS < 1.2 (or just use good old HTTP/1.1).

I'm anyway very open to be corrected on this point of view...

 
hi, sergio

I only adapted the ssl_ciphers settings this way:
EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:CHACHA20:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!EDH+3DES;
 
Now I can reach it, but I see HTTP/1.1 is used (see attached request and response snapshots...)
 

Attachments

  • request.png
    request.png
    17.9 KB · Views: 6
  • response.png
    response.png
    19 KB · Views: 6
... but on the other hand, when accessing from Firefox I see HTTP/2 is used, so apparently you have found and used the magic combination of ciphers that allows you to use HTTP/2 if supported by the browser or HTTP/1.1 if not... ;)

It would be nice if someone with more experience than I have in this kind of things would confirm that this is OK...

P.S.: and https://www.ssllabs.com/ssltest/analyze.html?d=www.bioaustria.at says that you can exchange keys and be seen by everybody except IE6/XP, IE8/XP, Java 6 and Android 2.3.7
 
Last edited:
urki said:
@Sergio Manzi, @Heppi75,

The site opens normally for me as well (Windows 10, IE 11).

But it seems you have 'enabled' HTTP/2 on your server, which by default generates 'strict' cipher suites, making a lot of devices unable to connect, check SSL labs for some useful info about your configuration > SSL Server Test: www.bioaustria.at (Powered by Qualys SSL Labs)

You might also want to read more on the issue on this thread > Resolved - nginx HTTP/2 support cipher problems

To sum up, a solution would be to change your cipher list, you can use this in your /etc/nginx/conf.d/ssl.conf to enable support for 'most' devices
Code: 
ssl_ciphers EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AEAES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:CHACHA20:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Click to expand...
You saved my day in the end of 2020 :)
 
You must log in or register to reply here.

Similar threads

C
Resolved Plesk mail SSL certificates invalid, common name problems (websites fine)
Replies
4
Views
628
Chucky_213123
C
Polli
Issue Mails only possible with a wildcard certificate
Replies
5
Views
546
Polli
Polli
S
Issue ssl certificate error
Replies
1
Views
630
Sebahat.hadzhi
Sebahat.hadzhi
R
Issue Problems Issuing a Let's Encrypt Certificate
Replies
6
Views
908
Robin McDermott
R
R
Issue SSL/TLS cert for mail server not updating (Lets Encrypt)
Replies
2
Views
2K
tessa67
T
Back
Top