SSL on shared IP

[Vipa]

Hi,

it seems like SSL certificates are not handeled correctly on shared IPs.

I got several domains and one IP, one of my domains is a webshop which needs a working SSL certificate, so up until now I installed this certificate for the IP and it worked. After updating to Plesk 10.0.1 there is another (wrong) certificate installed for the IP which I can't change as it seems. Or better I can change it in plesk and it is shown correctly in plesk, but if i go to the domain another certificate is used...


I have set the certificate under Start > Server Tools > Ip Adresses

If I go to Websites & Domains > Web Hosting Settings of one of the domains using this shared IP, the correct SSL certificate is shown.

But if I go to the domain (by browser https://...) the certificate which is used is a total different one. It is a Plesk generated/expired one.


This one is crucial, as the shop is more or less out of order, as long as the wrong cert is used.

Thanks for your help.


-----------------------------------------------------------------
Plesk, 10.0.1, Linux, Ubuntu 8.04.4, 64bit

 

[Vipa]

No one with any ideas on this one?
Or was I too unclear? If so, please let me know.

 

[ugr|dual]

normally you would need a dedicated ip for ssl to work.

but your approach is ok - have the certificate in plesk (server, not in web hosting!) and assign it to the ip.

make sure you don't have any ssl stuff in the web hosting section.

this way the certificate weill work füpr every domain on the ip. however, only the one it was made for will give no error when used with ssl.

 

[Vipa]

Thx for your reply,
that is exactly what I did.
And it worked on 9.5.3 but on 10.0.1 it isn't working.

Plesk is always using this selfsinged/expired certificate instead of the one I selected for the IP.
And in the webhosting section I can't change the certificate, because there is no dropdown for a domain
on a shared ip, but it shows the certificate I selected for the IP.
So in the admin interface everything looks perfectly fine.
But it still uses the wrong one.

 

[Vipa]

Issue is fixed now.

It was due two files, which haven't been removed during update for some reason.

/etc/apache2/conf.d/zz001_horde_vhost.conf
/etc/apache2/conf.d/zz001_atmail_vhost.conf

removing them and rebuilding configuration totally fixed it.

usr/local/psa/admin/sbin/httpdmng --reconfigure-all

 

[Techforce]

Thank you for posting this, I have same problem. Will try.

 

[oerlemans]

I have same problem but this solution is not working for me.

 

[DiagonalR]

we are getting SSL certificate only for our domain or sub-domain then why IP matters here

 

[HostaHost]

The issue you all might be experiencing is the support in Plesk 10+ for SNI in Apache if the version of Apache installed has that feature. SNI allows a browser to inform the server of what site it plans to request prior to the SSL connection being established. So, in Plesk 10, if you have an SSL installed at the site level on a shared IP, it will only work correctly if you're using an SNI-capable browser. Alternatively, if you've installed an SSL on the shared IP with the intent that it be used for all the sites on that IP, such as a shared SSL, that will not work correctly unless you also install it at the site level and assign it.

If you do the install at the IP level and a browser that doesn't support SNI accesses the site, it will work correctly. However, if you are trying to use unique SSL's on each site and the browser doesn't support SNI, or the server doesn't support SNI, that will never work correctly. Since a lot of older browsers are still out there, you're basically stuck using unique IP's for each unique SSL-based site, for at least probably a couple more years.