Turning NGINX on breaks SSL Chain

[AlexanderP]

I came along a strange issue after replacing the current SSL Cert with a new one. If NGINX is turned on, it breaks my chain of trust since the intermediate is not delivered (correctly?), I checked manually and with some tools but I can't get it to work proper. I can turn NGINX on and off and it works or not, so it must be some issue with NGINX but I have no idea what it might be. Any ideas?

 

[abdi]

Alexander, do you mind sharing that tool you are using to validate your SSL chain. This is because I am using the default Nginx installation as proxy on Plesk 11 but I have not a problem with the SSL certificate for 3 of my tested domain names.

However, just a question, before the replacement of the SSL was everything OK?

 

[AlexanderP]

I used the rapidSSL own one and i checked with another one I found via google (http://www.sslshopper.com/ssl-checker.html), both showed the same result -> chain broken. Also chrome showed a red lock and error since without intermediate it doesn't know rapidssl ca.

The problem happened after replacing the Comodo Cert with a Rapidssl Cert, well basicly it just looked ok in Chrome before and was failing in Firefox, now it's vice versa if nginx is turned on. Very strange at all.

 

[abdi]

Try this: (its the default installation and it works fine)

http://www.sslshopper.com/ssl-checker.html#hostname=secure.jolis.net

However, in your case please give me your domain name, it could be something small and try to regenerate the vhosts with /usr/local/psa/admin/sbin/httpdmng --reconfigure-all it could help ..

 

[AlexanderP]

Try this: (its the default installation and it works fine)

http://www.sslshopper.com/ssl-checker.html#hostname=secure.jolis.net

However, in your case please give me your domain name, it could be something small and try to regenerate the vhosts with /usr/local/psa/admin/sbin/httpdmng --reconfigure-all it could help ..

I did reconfigure and everything, not working. Here look at this check, you see the difference?

http://www.sslshopper.com/ssl-checker.html#hostname=www.pbt-media.com

This requires a chain to work, yours is directly vertified, if nginx is on this chain is not there and it fails.

 

[abdi]

Seems you have already disabled Nginx ie I am seeing Server Type: Apache and on that page everything is OK and the chain is not broken.

 

[Nikolay.]

AlexanderP, unfortunately currently SSL chains support with nginx in Plesk is broken. At the moment Plesk writes incorrect configuration.

I.e. ssl_client_certificate directive should be removed and certificate file (see ssl_certificate* directives) should contain concatenation of all certificates in the chain, starting with the server certificate, and going deeper in the chain running through all the intermediate certificates. If you're going to do anything with your configuration, make sure you don't break other software that might be using the same certificate file, i.e. create a separate certificate file for nginx.

 

[AlexanderP]

Seems you have already disabled Nginx ie I am seeing Server Type: Apache and on that page everything is OK and the chain is not broken.

Sure I did, I run piwik and other stuff for customers on the domain and can't have it stay broken.

I just turned it quickly on to make a screenshot of the checker with nginx enabled:

 

[AlexanderP]

Thanks for clarify this Nikolay, I hope that Parallels is aware of this and will soon fix this issue.

 

[Mshaker]

The plesk microupdates say that this is fixed as of Parallels Plesk Panel 11.0.9 Update #10. We updated to Update #10 and rebuilt all the config files and this is still broken.

We tested using http://www.sslshopper.com/ssl-checker.html and with nginx enabled it breaks the chain. Mac OSX Lion clients get the ssl error also. Disabling nginx fixes the error.

 

[paulieG]

That would be consistent with the nginx domain templates being unchanged in the last 2 updates.

Its possible that this is fixed elsewhere (ie when SSL certificate data is added), in which case you could try readding the certificates, I doubt this is the case but you never know...

Paul.

 

[Mshaker]

It seems that this bug and even the "PHP pages redirect to port 7080 or 7081 if Nginx is enabled." bug are still not fixed. The microupdate log says that that bug was fixed via Update #9 but I've verified that its still broken. The only workaround for that bug was to follow http://kb.parallels.com/114425.

 

[abdi]

That work-around does not work!! However, there is a thread on this forum with a work-around that works.

 

[Mshaker]

That workaround works for us. The only thing that doesn't work is the SSL chain is still broken when using nginx.

 

[sergius]

The issue has been fixed since 11.0.9 MU#10.

 

[Mshaker]

still broken

Dear Sergius,

I've tested this on two separate servers now who are both on updated to "11.0.9 Update #10" and enabling nginx STILL breaks the SSL chain for all the websites (They are all using RapidSSL certs from enom). Rebuilding the config files using (/usr/local/psa/admin/bin/httpdmng --reconfigure-all) doesn't fix it. The only way to fix it is to switch back to apache using (/usr/local/psa/admin/bin/nginxmng --disable). I verified this by using http://www.sslshopper.com/ssl-checker.html because we started to get support calls that SSL on our sites were not trusted on OSX Lion.

Also another bug not reported yet is that nginx and apache don't share the same way that they use IP addresses. So when you switch between nginx and apache any sites on dedicated IP addresses will change. So if you have any licensed software that communicates with a license server you will have to reissue their license as their IP address is suddenly different.

 

[sergius]

I've tested this on two separate servers now who are both on updated to "11.0.9 Update #10" and enabling nginx STILL breaks the SSL chain for all the websites (They are all using RapidSSL certs from enom).

Could you, please, let us know exact step-by-step scenario how to reproduce? Also we need your real SSL certificate to check the issue.

Please send PM to me or IgorG.

 

[Mshaker]

Dear Sergious,

I have sent you a PM about the issue.

 

[Mshaker]

Just a note that plesk 11.0.9 Update #19 fixes all the ssl and IP address issues that we had with nginx.

 

[M. Piazza]

I can confirm that this issue has seemingly re-appeared again after the latest 11.5 update. I had Plesk Panel 11.0.9 before and never ran into this specific issue, but have noticed however that after the 11.5 major update, with all the new NGINX features etc., this problem for me has re-emerged but "ONLY" does this with older IE8, and also Safari web browser (Firefox, Chrome, and Opera are still just fine).

What's happening here is that after the Parallels Plesk Panel 11.5 update now, with 'NGINX' enabled it will throw SSL errors but to only specific browsers (in my case to IE8 and the latest Safari -- I haven't tested it on IE9 or IE10 yet however, but will soon, just to see), but if I were to simply Disable NGINX from the Plesk panel there, 'voila', the SSL error issue is completely gone, no certificate warnings or anything (and as it's just simply via Apache now).




..... The Warning/Errors are that it's trying to load the basic native backend "Parallels Panel" cert for only certain web browsers:


" Certificate Information

This CA Root certificate is not trusted. To enable trust, install this certificate in the Trusted Root Certification Authorities store.

------------------------------

Issued to: Parallels Panel

Issued by: Parallels Panel

Valid from 4/11/2013 to 4/11/2014 "

------------------------------



....So yep, definitely something with NGINX via the Plesk Panel specifically here, and seemingly "ONLY" after the 11.5 update that I had recently done, this specific error came back only after the update