Resolved Unable to remove SSL certifate

[presta260]

Hello everybody,

I am aware this is a recurrent problem and I did do a research on the forum and on the Internet but I do believe that I am encountering a special one.

I want to delete a SSL certificate but I can't through Plesk.
When I go to "Tools & Settings" and then "SSL Certificates" I can see a certificate named "test" that I would like to delete. But when I try I get an error since this one is in use (Picture attached 1.JPG) :

Unable to remove SSL certificates.
One of the certificates you are going to delete is used as the Default Certificate.

Then, I have followed the instruction on this website: Unable to remove certificate: One or several certificates are assigned to the IP addresses or domains

I logged into "psa" database and I did retrieved a list of 3 certificate ID :
-2
-14
-19

I use the following command to find the domain and/or the IP address to which the certificate was assigned:

select d.name from domains d inner join hosting h on h.dom_id = d.id where h.certificate_id = ;

The ID number 2 is not assigned to any domain nor IP address (I still don't know if I should delete it)
The ID number 14 is assigned to a website and this one is fine
The ID number 19 is assigned to an IP address ( I would like to delete this ID)

But the problem is that when I go to Tools and Settings > IP Addresses > click on an IP address
I can not unassign the SSL certificate since the option is Grey (see picture 2.JPG)

I guess because I have secured Plesk with this SSL certificate that I can't remove it.
I have also checked on "Websites & Domains" and then "Hosting Settings" and then "Security" The option "not selected" is on all the domains except one which the ID number 14 but like I said above, this one is fine and does not bother me.



Do you have any ideas How could I bypass this problem? I am using Plesk 12.5.30 on a Centos 6.7.

Thank you very much for your help,

Sincerely

Cyril

 

[IgorG]

Try to temporary set ssl_certificate_id to 2 for this ip_address in table IP_Addresses and after that remove this certificate 19.
Or contact Plesk Support Team.

 

[presta260]

Hello Igor, thank you for your answer.
The thing is that I can't set ssl_certificate_id to 2 with Plesk since when I go to Tools and Settings > IP Addresses > click on an IP address I only have the option to choose "test" certificate (which is the id number 19) The ID:2 does not appear (see picture attached 2.JPG).

Is there a way I can do it with SSH command ?

Thank you sincerely for your time

Cyril

 

[IgorG]

I meant updating IP_Addresses with corresponding SQL query.
Contact Support Team if you are not familiar with it.

 

[presta260]

Thank you for your quick answer.

I have updated manually through MySQL the IP_Addresses with the ID number 2 and effectively, it does not appear in use anymore in the section "Tools & Settings" -> "SSL Certificates"
But I still can't delete it, I receive the following error (See attached 3.jpg):

Unable to remove SSL certificates.
One of the certificates you are going to delete is used as the Default Certificate.

Do you have any idea how to delete it with this new error ? Or do you know where I can contact plesk ?

Thank you again for your great help

 

[UFHH01]

Hi presta260,

pls. note, that you might have choosen the specific certificate as well for your corresponding IP. Pls. check as well: "Home > Tools & Settings > IP Addresses > YOUR-IP-ADDRESS AS XXX.XXX.XXX.XXX".

 

[presta260]

Hello UFHH01 and thank you for your help,

The IP adress does not appear in : Home > Tools & Settings > IP Addresses > YOUR-IP-ADDRESS AS XXX.XXX.XXX.XXX"
since I have modified it manually with phpMyAdmin.

What I would like to do is to delete plesk"s SSL certificate and leave plesk with no certificate. In others words, plesk would have no certificate but the domain would have one.

The reason is because on the website, visitors get sometimes the wrong certificate. They get the plesk auto-signed certificate instead the one I have bought. But the strange part, is that not all the times. That is why I wanted to delete it.

I have read on the forum that I need to comment out every *.conf files in the directory /etc/httpd/conf.d/ which have the following code:

<VirtualHost _default_:443>
...
</VirtualHost>

It appears that I have 2 files which have this code: "ssl.conf" and "ssl.conf.rpmnew" . I have made sure to comment out the whole section. I even deleted this whole section on thoses 2 files, I have rebooted the server, but the problem is still here..

Do you know how could I fix this problem ?

Thank you sincerely for your help.

 

[UFHH01]

Hi presta260,

Do you know how could I fix this problem ?

First, pls. don't mess around in your psa - database, if you are unsure about the consequences. It is really hard and time - investing to repair a manual edited psa - database and should ONLY be done by experienced system - administrators in order to avoid issues/errors/problems.

The IP adress does not appear in : Home > Tools & Settings > IP Addresses > YOUR-IP-ADDRESS AS XXX.XXX.XXX.XXX"
since I have modified it manually with phpMyAdmin.

Pls. either use the "REREAD" - button over your Plesk Control Panel, or use the command line, to reread your IP - addresses ( as user "root" over SSH ), which are configured on your server:

plesk bin ipmanage --reread

Afterwards, pls. go back to your Plesk Control Panel and investigate, if your IP address is now displayed correctly.

What I would like to do is to delete plesk"s SSL certificate and leave plesk with no certificate. In others words, plesk would have no certificate but the domain would have one.

The reason is because on the website, visitors get sometimes the wrong certificate. They get the plesk auto-signed certificate instead the one I have bought. But the strange part, is that not all the times. That is why I wanted to delete it.

There is no need to mess around with the apache - configuration files. Pls. use the Plesk Control Panel to delete a "default" certificate and consider to install a new ( valid ) one at: => HOME > Tools & Settings > SSL/TLS Certificates > Add

 

[presta260]

Hi UFHH01, and thank you for your well detailed answer.

I am sorry, I did not explain myself correctly.
I wanted to delete a certificate and it appears that the certificate is in use in IP_Address. When I go to Home > Tools & Settings > IP Addresses > I can not disable the certificate because it is in use.
IgorG told me to update it manually with corresponding SQL query. I have updated it and now the certificate is not in use (see file attached 4.jpg) but I still can't delete it because plesk is using it to secure plesk. I guess we can not use plesk without a certificate.
I have put everything like before, exactly like I have never touched it.

But the problem is still here, visitors get the plesk certificate on some pages on the website. I have also noticed that If I go to https://mywebsite.com I have the correct certificate, but if I try with lynx : lynx https://www.mywebsite.com Lynx shows me a warning that this website uses the plesk's certificate, which is auto-signed and not the correct one.

I have read on this website:
Wrong certificate is shown for my domain in the browser
That sometimes the file ssl.conf overrides the plesk configuration's file, I guess this is where the problem comes from.
But the solution does not work with me.

 

[UFHH01]

Hi presta260,

you might like some additional informations:

apache ( nginx ) are used for your hosted domains on your server ( i.e: YOUR-DOMAIN.COM ), while Plesk uses it's very own webserver for the Plesk Control panel ( sw-cp-server ).
While users will use the ports 80/443 ( 7080/7081 ) for your webserver ( apache + nginx ), the Plesk Control Panel is configured on port 8443 ( https ) and 8880 ( http ).


IF you desire to change the "default" certificate for the Plesk Control Panel, you have to configure that over "HOME > Tools & Settings > SSL/TLS Certificates".
The option "no certificate" for your Plesk Control Panel is not possible, because the port 8443 is a SECURE HTTPS - connection, which needs a certificate - but you still have the choice to use the NON-HTTPS port 8880, if you desire a connection without SSL - security.

 

[presta260]

Hi UFHH01,

Thank you for those additional informations and for your time. I understand better why I can not use plesk with no certificate since the port 8443 is by itselft a secure https connection.

But my problem is that some visitors gets the wrong SSL certificate on some pages of my website. They get the PLESK auto-signed certificate instead of the one I have bought, and I don't understand why.
My problem is not actually solved and some customers may be afraid when they receive this warning message.

 

[UFHH01]

Hi presta260,

you stated:

They get the PLESK auto-signed certificate instead of the one I have bought

Did you buy a certificate issued for YOUR-DOMAIN.COM and WWW.YOUR-DOMAIN.COM, or is it a wildcard certificate ( issued for *.YOUR-DOMAIN.COM )?
Did you add the BOUGHT certificate ( as already suggested ) over the Plesk Control Panel at "HOME > Tools & Settings > SSL/TLS Certificates" and changed the new certificate to be the DEFAULT one?
Did you afterwards SECURE the Plesk Control Panel with your new certificate?

Which URL do your customers use?
Did you consider to redirect all traffic for your Plesk Control Panel to a specific URL, in order to make sure, that your certificate is valid for every visitor using port 8443 ?

 

[presta260]

Hi UFHH01,

First I would like to say thank you for all the efforts you are putting to solve this problem.

I am sorry for the delay but I have some personal issues.

The certificate is issued for WWW.YOUR-DOMAIN.COM and it is bought directly from the host provider. I have added the certificate over the Plesk Control Panel at:
Websites & Domains > SSL Certificates concerning my-domain.com

and then I have checked the SSL support box at:
Websites & Domains > Hosting Settings > Security concerning my-domain.com

I did not add it over the Plesk Control Panel at "HOME > Tools & Settings > SSL/TLS Certificates" and changed it to be the DEFAULT one.

It is hard to explain, but if a customers goes to the website directly the certificate is fine. But when they receive an email to get their feedback , they get it with the Plesk Self-signed certificate.
Here is another example, if you try to select all the website and past it on Microsoft FrontPage, or Microsoft Outlook in a new email or whatever program to import and edit HTML pages , they inform you that the website use the Plesk Self-signed certificate.

Also, if you try "lynx my-domain.com" lynx inform you that the website use the Plesk Self-signed certificate..

I would invite you to check it directly with the url: www.geffengros.fr

Thank you for your help

 

[UFHH01]

Hi presta260,

now that you provided the FQDN, I am able to point you directly to your issue / root cause:

Let's see some investigations:

=> SSL Server Test: www.geffengros.fr (Powered by Qualys SSL Labs)

( pls. OPEN/EXPAND all the possible "+" options, to see all results! )​

As you can see, the "test.com" - certificate is used as certificate for your IP, which points again to my suggestion at

Did you add the BOUGHT certificate ( as already suggested ) over the Plesk Control Panel at "HOME > Tools & Settings > SSL/TLS Certificates" and changed the new certificate to be the DEFAULT one?

 

[presta260]

Hi UFHH01,

Thank you for sharing this great website.

To answer your question:

Hi presta260,


Did you add the BOUGHT certificate ( as already suggested ) over the Plesk Control Panel at "HOME > Tools & Settings > SSL/TLS Certificates" and changed the new certificate to be the DEFAULT one?

I did not add the bought certificate at HOME > Tools & Settings > SSL/TLS Certificates"

The certificate "test.com" is a new one that I have created directly from this section HOME > Tools & Settings > SSL/TLS Certificates by clicking the "ADD" button. And I have indeed deleted the first one. In others words, the certificate "test.com" is the default one that secures plesk. This is why I have tried to delete it at the beginning of this post.


For my personal knowledge, I can see on the SSL test that I have two certificates regarding the website, but I have some problem to find that the certificate "test.com" is used as certificate for my IP.

Thank you so much for your time

 

[UFHH01]

Hi presta260,

you will find the IP - specific used certificates at: HOME > Tools & Settings > IP Addresses > YOUR-IP-ADDRESS_as_for_example_XXX.XXX.XXX.XXX

To finally SOLVE your current issue, pls. consider to follow the above suggestions.

 

[presta260]

Hi UFHH01,

I tried to remove the IP Address at HOME > Tools & Settings > IP Addresses > by clicking on the "Remove" button and I get the following error (please see 5.jpg)

Error: Cannot remove the IP address 213.0.113.25 because it is used by an active session. The IP address 213.0.113.25 is already used for hosting. Cannot remove the IP address 213.0.113.25 because it is the primary IP address of a network interface. Cannot remove the IP address 213.0.113.25 because it is the last IP address present on a network interface.

Then I tried then to deactivate the SSL certificate for the IP Address at HOME > Tools & Settings > IP Addresses > 213.0.113.25 but I can't I only have one choice (please see 6.jpg)

I can change it manually with phpMyAdmin by modiying the ip_address in table IP_Addresses but it will not solve the problem.

Anyway, I do not want to bother you with this, I am really grateful for the times and the patience you spent trying to solve this problem.

 

[UFHH01]

Hi presta260,

I tried to remove the IP Address at HOME > Tools & Settings > IP Addresses > by clicking on the "Remove" button and I get the following error

Could you pls. explain, WHY you would like to remove an IP address???

The suggestions are:

1. ADD the ( bought ) certificate at => HOME > Tools & Settings > SSL/TLS Certificates

2. Make the ( new ) certificate the DEFAULT one

3. Secure your Plesk Control Panel with the ( new ) certificate

4. Change the certificate from "test" to "NEW-NAME-OF-THE-JUST-CREATED-CERTIFICATE" at => HOME > Tools & Settings > IP Addresses > 213.0.113.25

5. Go back to => HOME > Tools & Settings > SSL/TLS Certificates and DELETE the certificate "test".​

 

[presta260]

Hi UFHH01,

Thank you for your great explanation.

Your solution to secure plesk with the bought certificate would work if I only have one domain on the server but I have two domains and therefore I can not "secure plesk" with two different certificates.

For example:

Let say I have added a bought certificate for Firstwebsite.com at => HOME > Tools & Settings > SSL/TLS Certificates and made it the default one and I have secured Plesk with it.


-Firstwebsite.com would have the certificate bought for Firstwebsite.com and the Plesk certificate. But because Plesk's certificate is the same certificate, this solution works perfectly for this website.

-Secondwebsite.com would have the certificate bought for Secondwebsite.com and the Plesk's certificate. But because plesk's certificate is the same certificate as Firstwebsite.com , I would have a problem of SSL certificate on this website.

I hope I made it clear on this exemple

 

[UFHH01]

Hi presta260,

as you probably know, there is ( mostly ) always a solution for each issue/problem:

The Plesk Control Panel is reachable over port "8443" for each of your hosted domains on your server and because the Plesk Control Panel uses it's very own webserver ( sw-cp-server ), you are able to redirect each visitor, who uses the port "8843" to => https://ONE-OF-YOUR-DOMAINS.COM:8443 if you follow the Plesk - KB - article:

=> How to change Plesk redirect URL​