• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Forwarded to devs SSL It! - Preset "modern" will break your Apache templates on Ubuntu 20.04.2 with Plesk 18.0.35

Nextgen-Networks

Nextgen-Networks

Basic Pleskian
Username: Nextgen-Networks

TITLE

SSL It! - Preset "modern" will break your Apache templates on Ubuntu 20.04.2 with Plesk 18.0.35

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

Plesk 18.0.35
Ubuntu 20.04.2
x64

PROBLEM DESCRIPTION

"Modern" Ciphers in Plesk SSL-it extension lead to broken Apache config templates.
This results to not starting Apache service.
Postfix service could be started manually only.

I got a working config again by changing the "Applied preset" in "TLS versions and ciphers by Mozilla" within Plesk SSL-it extension back to "Intermediate (recommended)" and afterwards using the "Webserver Configurations Troubleshooter" and select "Rebuild" -> "All".

STEPS TO REPRODUCE

Changing the "Applied preset" in "TLS versions and ciphers by Mozilla" within Plesk SSL-it extension to "modern" leads to broken Apache template config as soon as you renew (sub)domain with that setting.

Using the "Webserver Configurations Troubleshooter" and select "Rebuild" -> "All" to solve the template issue results in errors for every other Apache template in the Server.

In general the server does not start Apace if one or more Apace templates are not valid.
This results in a complete not working webserver.

ACTUAL RESULT

All websites on server are not working because Apache service is not startet.

EXPECTED RESULT

TLS versions and ciphers by Mozilla via SSL-It! is beeing applied to websites/domains/services as it has been in the past on Ubuntu 16.04.x and 18.04.x with Plesk.

ANY ADDITIONAL INFORMATION

Apache error_log states there are problems that mod_ssl could not be started
[Thu Apr 29 11:10:47.582979 2021] [ssl:emerg] [pid 10064] AH02311: Fatal error initialising mod_ssl, exiting. See /var/www/vhosts/system/DOMAIN-NAME-HIDDEN/logs/error_log for more information
AH00016: Configuration Failed
Click to expand...

Repair Apache templates via Webserver Configurations Troubleshooter was not successful.

Repair Plesk via Repair-Kit (GUI and also CLI) has also not solved the issues.

Server was completely restarted between every repair step.

Deleting all subscriptions and customer data and re-run the repair steps mentioned above does not solve the Apache issues but created a new set of error messages in the Apache error_log:
[Thu Apr 29 11:22:25.035892 2021] [ssl:emerg] [pid 430] AH01898: Unable to configure permitted SSL ciphers
[Thu Apr 29 11:22:25.133187 2021] [ssl:emerg] [pid 430] SSL Library Error: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match
[Thu Apr 29 11:22:25.208004 2021] [ssl:emerg] [pid 430] AH02312: Fatal error initialising mod_ssl, exiting.
AH00016: Configuration Failed
Click to expand...

YOUR EXPECTATIONS FROM PLESK SERVICE TEAM

Confirm bug
 
Thank you.
Confirmed bugreport PPPM-12964 was filled.
Root cause: Apache handles the SSLCipherSuite Directive in different ways depends on the `PROTOCOL` arg so sslmng should write it in a different way as well.
 
@IgorG can you please update us?
Have not seen a possible solution in changelog of 18.0.35 MU2 as well as 18.0.36 - is there any schedule?

Thanks! :)

BR Ralf
 
Ok, had much trouble the past 2 days with sending e-mails and facing SMTP errors while sending e-mails.
Symptoms could not be found for all users - some where able to send with the same mailbox where other where not able to send.
Only difference: mail-client, ip-type & address (v4 & v6)

Found out - after massive investigation - that they seem to be caused by SSL errors ...

Long story short: Rollback the posted workaround setting to modern fixed my issues!
Additional profit: Also webserver-templates seem to be created correctly with modern ciphers again! *yay*

Possible cause:
"Medium ciphers (v5.0)" were not compatible anymore with latest postfix/dovecot updates rolled out with Plesk 18.0.37 mu1 or mu2 update.
As soon as you apply latest "modern ciphers" you'll realize they shop different versions e.g. apache/dovecot/posfix/...

Are you affected by this?
Check for errors like these:
  • Dovecot: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42
  • postfix/smtpd: warning: TLS library problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../ssl/record/rec_layer_s3.c:1543:SSL alert number 46:
  • postfix/smtpd: SSL_accept error from unknown[IPaddressOFmailUSER]: -1
@plesk-Team:
Who should I do contact to receive my paycheck for the crazy troubleshooting efforts made until now to investigate problems caused by Plesk and investigated by users? ...

1629282689191.png
 
... ok, one more thing:
Internal (Roundcube) Webmail provided by Plesk itself seems to be broken after changing back to modern ciphers ...
1629287404331.png
Also tried to recreate the nginx Webmail config within configurations-troubleshooter but it changed nothing ...

... Plesk-Team what did you do? ... and why?!
 
Well. Let me clarify the situation. The initial issue has been fixed in Plesk 18.0.36 as:
Apache now runs if it is configured with TLS 1.3 ciphers only. (PPPM-12964)
Click to expand...
Perhaps there is still some error that we could not reproduce according to the description provided. Here I suggest going through one of two options:

a) contact Plesk Support Team to investigate the problem directly on your server.
b) update the problem reproduction description (STR) on the server with the fix of PPPM-12964. If reproduced, then start a new Report on this new problem.
 
Hi Igor,

thanks for your Update of this topic and thanks for pointing out that the original issue was solved with Plesk 18.0.36 on June 6th 2021.

... but why was there no update to this forum thread that is or should have been solved?
... and why is there an statement on June 21st that there are no news about this and that the thread will be updated as soon as they are available?

I really don't know what to think about this communication ...

... to come back to the original core of the topic: I've installed Plesk 18.0.37 therefore the mentioned fix should have been applied already. So the original problem seems to be solved.
I'll create a new Report for the webmail issue.
 
You must log in or register to reply here.

Similar threads

Nextgen-Networks
  • Locked
Broken Plesk install / Apache Templates by Plesk Migrator (Ubuntu 16.04.7 to 20.04.2)
Replies
3
Views
2K
Nextgen-Networks
Nextgen-Networks
UHolthausen
Resolved Apache down
Replies
2
Views
3K
UHolthausen
UHolthausen
Edward Dekker
  • Poll
Input Make your server more PCI compliant and update your TLS/Ciphersuites
Replies
2
Views
2K
Edward Dekker
Edward Dekker
Back
Top