
Forwarded to devs SSL It! - Preset "modern" will break your Apache templates on Ubuntu 20.04.2 with Plesk 18.0.35

Nextgen-Networks


TITLE

SSL It! - Preset "modern" will break your Apache templates on Ubuntu 20.04.2 with Plesk 18.0.35

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

Plesk 18.0.35
Ubuntu 20.04.2
x64

PROBLEM DESCRIPTION

"Modern" Ciphers in Plesk SSL-it extension lead to broken Apache config templates.
This results in the Apache service not starting.
Postfix service could be started manually only.

I got a working config again by changing the "Applied preset" in "TLS versions and ciphers by Mozilla" within the Plesk SSL-it extension back to "Intermediate (recommended)" and afterwards using the "Webserver Configurations Troubleshooter" and selecting "Rebuild" -> "All".

STEPS TO REPRODUCE

Changing the "Applied preset" in "TLS versions and ciphers by Mozilla" within the Plesk SSL-it extension to "modern" leads to a broken Apache template config as soon as you renew a (sub)domain with that setting.

Using the "Webserver Configurations Troubleshooter" and selecting "Rebuild" -> "All" to solve the template issue results in errors for every other Apache template on the server.

In general the server does not start Apache if one or more Apache templates are not valid.
This results in a completely non-working webserver.

ACTUAL RESULT

All websites on the server are not working because the Apache service is not started.

EXPECTED RESULT

TLS versions and ciphers by Mozilla via SSL-It! are being applied to websites/domains/services as they have been in the past on Ubuntu 16.04.x and 18.04.x with Plesk.

ANY ADDITIONAL INFORMATION

Apache error_log states there are problems that mod_ssl could not be started
[Thu Apr 29 11:10:47.582979 2021] [ssl:emerg] [pid 10064] AH02311: Fatal error initialising mod_ssl, exiting. See /var/www/vhosts/system/DOMAIN-NAME-HIDDEN/logs/error_log for more information
AH00016: Configuration Failed

Repairing the Apache templates via the Webserver Configurations Troubleshooter was not successful.

Repairing Plesk via Repair-Kit (GUI and also CLI) has also not solved the issues.

The server was completely restarted between every repair step.

Deleting all subscriptions and customer data and re-running the repair steps mentioned above did not solve the Apache issues but created a new set of error messages in the Apache error_log:
[Thu Apr 29 11:22:25.035892 2021] [ssl:emerg] [pid 430] AH01898: Unable to configure permitted SSL ciphers
[Thu Apr 29 11:22:25.133187 2021] [ssl:emerg] [pid 430] SSL Library Error: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match
[Thu Apr 29 11:22:25.208004 2021] [ssl:emerg] [pid 430] AH02312: Fatal error initialising mod_ssl, exiting.
AH00016: Configuration Failed

YOUR EXPECTATIONS FROM PLESK SERVICE TEAM

Confirm bug
 
Thank you.
Confirmed, bug report PPPM-12964 was filed.
Root cause: Apache handles the SSLCipherSuite directive in different ways depending on the `PROTOCOL` arg, so sslmng should write it in a different way as well.
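
The root cause named above can be checked for in a generated configuration. This is an added example, not part of the original post and not Plesk's sslmng code: mod_ssl (Apache 2.4.36+ with OpenSSL 1.1.1) accepts `SSLCipherSuite [protocol] cipher-spec`, where the default protocol `SSL` covers TLS 1.2 and below and `TLSv1.3` takes the TLS 1.3 suite names, so a TLS 1.3-only list written without the `TLSv1.3` argument fails with "no cipher match". The function name and the sample config are constructed for illustration.

```python
import re

# TLS 1.3 suite names as OpenSSL spells them. They are only valid in
# "SSLCipherSuite TLSv1.3 ...", not in the default (protocol SSL) form.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}

# Directive name is case-insensitive; the protocol argument is matched exactly.
DIRECTIVE = re.compile(
    r"^\s*(?i:SSLCipherSuite)\s+(?:(SSL|TLSv1\.3)\s+)?(\S+)\s*$")

# Constructed sample, not a Plesk-generated file.
SAMPLE = """\
# vhost fragment (constructed)
SSLProtocol -all +TLSv1.3
SSLCipherSuite TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
SSLCipherSuite TLSv1.3 TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384
SSLCipherSuite SSL ECDHE-RSA-AES128-GCM-SHA256:TLS_AES_256_GCM_SHA384
SSLCipherSuite TLSv1.3 ECDHE-RSA-AES128-GCM-SHA256
"""


def lint_cipher_directives(config_text):
    """Return (line_no, severity, message) for suspicious SSLCipherSuite lines."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        match = DIRECTIVE.match(line)
        if not match:
            continue
        protocol = match.group(1) or "SSL"  # Apache's default when omitted
        names = [n for n in match.group(2).strip("\"'").split(":") if n]
        tls13 = [n for n in names if n in TLS13_SUITES]
        other = [n for n in names if n not in TLS13_SUITES]
        if protocol == "SSL" and tls13 and not other:
            findings.append((line_no, "error",
                             "only TLS 1.3 suites in the TLS<=1.2 list: no cipher match"))
        elif protocol == "SSL" and tls13:
            findings.append((line_no, "warning",
                             "TLS 1.3 suites belong in 'SSLCipherSuite TLSv1.3 ...'"))
        elif protocol == "TLSv1.3" and other:
            findings.append((line_no, "error",
                             "non-TLS 1.3 names in the TLSv1.3 list"))
    return findings


if __name__ == "__main__":
    for finding in lint_cipher_directives(SAMPLE):
        print(finding)
```

Running `apachectl configtest` after any preset change remains the authoritative check; the linter only points at the directive form that produces the AH01898 error quoted in the report.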
 
@IgorG can you please update us?
Have not seen a possible solution in changelog of 18.0.35 MU2 as well as 18.0.36 - is there any schedule?

Thanks! :)

BR Ralf
 
Ok, had much trouble the past 2 days with sending e-mails and facing SMTP errors while sending e-mails.
Symptoms could not be found for all users - some were able to send with the same mailbox where others were not able to send.
Only difference: mail-client, ip-type & address (v4 & v6)

Found out - after massive investigation - that they seem to be caused by SSL errors ...

Long story short: Rolling back the posted workaround setting to modern fixed my issues!
Additional profit: Also webserver-templates seem to be created correctly with modern ciphers again! *yay*

Possible cause:
"Medium ciphers (v5.0)" were not compatible anymore with latest postfix/dovecot updates rolled out with Plesk 18.0.37 mu1 or mu2 update.
As soon as you apply latest "modern ciphers" you'll realize they shop different versions e.g. apache/dovecot/postfix/...

Are you affected by this?
Check for errors like these:
  • Dovecot: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42
  • postfix/smtpd: warning: TLS library problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../ssl/record/rec_layer_s3.c:1543:SSL alert number 46:
  • postfix/smtpd: SSL_accept error from unknown[IPaddressOFmailUSER]: -1

@plesk-Team:
Whom should I contact to receive my paycheck for the crazy troubleshooting efforts made until now to investigate problems caused by Plesk and investigated by users? ...

 
... ok, one more thing:
Internal (Roundcube) Webmail provided by Plesk itself seems to be broken after changing back to modern ciphers ...
Also tried to recreate the nginx Webmail config within configurations-troubleshooter but it changed nothing ...

... Plesk-Team what did you do? ... and why?!
 
Well. Let me clarify the situation. The initial issue has been fixed in Plesk 18.0.36 as:
Apache now runs if it is configured with TLS 1.3 ciphers only. (PPPM-12964)
Perhaps there is still some error that we could not reproduce according to the description provided. Here I suggest going through one of two options:

a) contact Plesk Support Team to investigate the problem directly on your server.
b) update the problem reproduction description (STR) on the server with the fix of PPPM-12964. If reproduced, then start a new Report on this new problem.
 
Hi Igor,

thanks for your Update of this topic and thanks for pointing out that the original issue was solved with Plesk 18.0.36 on June 6th 2021.

... but why was there no update to this forum thread that is or should have been solved?
... and why is there a statement on June 21st that there is no news about this and that the thread will be updated as soon as it is available?

I really don't know what to think about this communication ...

... to come back to the original core of the topic: I've installed Plesk 18.0.37 therefore the mentioned fix should have been applied already. So the original problem seems to be solved.
I'll create a new Report for the webmail issue.
 