Resolved Unable to remove SSL certifate

[presta260]

Hi UFHH01,

Thank you again for everything you do.

I am sorry for the delay but I have some personal issues.

Due to a lack of knowledge, I have some troubles following your solution. Why would I try to redirect each visitors to the The Plesk Control Panel => https://ONE-OF-YOUR-DOMAINS.COM:8443 ?

As you probably know, each visitor get two certificates while visiting our website (domain's certificate + Plesk's certificate). Thanks to you Plesk's certificate is now the same certificate as one of our firstwebsite.com and therefore this one does not have a problem anymore regarding the SSL certificate.
On the other hand, the secondwebsite.com do have a problem of certificate. Visitors get a warning message (not while they are visiting our website because Mozilla Firefox or Google Chrome are able to define the right certificate), but they do receive a warning message only when they receive an email to get their feedback.

To sum up, this problem is very hard to identify since we are not able to see while browsing the website. Recent navigators can define the right certificate and solve the bug automatically. We can identify it either by doing a SSL analyze with the website ssllabs that shows all the certificates related to the website, or in our case with the feedback's email that the website sends automatically.

 

[UFHH01]

Hi presta260,

Why would I try to redirect each visitors to the The Plesk Control Panel

This is just a possibilty, you don't necessarily have to do that.
It is a direct answer to:

Your solution to secure plesk with the bought certificate would work if I only have one domain on the server but I have two domains and therefore I can not "secure plesk" with two different certificates.

... where you are able to redirect all traffic for https://.....:8443 to for example => https://desired_sub-domain.your-MAIN-DOMAIN.com:8443 and you will avoid the case, that https://domainB.com:8443 has a non-valid certificate.

but they do receive a warning message only when they receive an email to get their feedback.

Sorry, I don't understand your description here. Could you provide an example?

 

[presta260]

Hi UFHH01,

Thank you for your answer,

As you can see on www.ssllabs.com I have two certificates on a website.(Certificate bought for the domain + Plesk self-signed certificate).

Your workaround was to use also the bought certificate to secure Plesk. But this fix works for only one domain:

-Firstwebsite.com has two certificate: Certificate A + plesk certificate (which is the same one because I have followed your advice and I have secured Plesk with it, so this fine.)
In other words : Firstwebsite.com = Certificate A + Certificate A

But

-Secondwebsite.com has two certificate: Certificate B + plesk certificate (which is the same as Certificate A)
In other words : Secondwebsite.com = Certificate B + Certificate A

We can notice that by doing an analyze concerning the two websites on www.ssllabs.com. Luckily, recent navigators such as Firefox or Google Chrome don't pay attention to the second added certificate, so visitors would be on a secured website and they won't have any warnings saying that there are some SSL problems. But the truth is that Plesk certificate is added on each domain.

On the website, we have a module that sends automatically an email to customers after they bought something in order to know if they are satisfied (to get their feedback). Unfortunately, they get the warning message by reading the email, saying that the website is not secure since it pays attention to the second certificate added to the website.

This is why I wanted to disable the plesk certificate. But anyway, this is not a big deal.

I very appreciate your help and your time. Plesk should hire you

 

[UFHH01]

Hi presta260,

you kind of misunderstand the SSL Labs check a bit.

What you call "second certificate", is the certificate, which is used to secure the corresponding IP as a standart setting ( setup over HOME > Tools & Settings > IP Addresses > XXX.XXX.XXX.XXX ). This second certificate is not relevant for browsers at all, when they visit your site over a domain - name, hosted on your server, nor would this conflict in any way. Actually, it is not even relevant for SSL Labs, but they still test the certificate as kind of a "reverse check". This IP - based certificate will as well never harm your SSL grade for your ( let's call it REAL ) domain - certificate.

But the truth is that Plesk certificate is added on each domain.

Well NO, this IP - based certificate is not added to any domain on your server. It is added ONCE, over the "server.conf" of your used webserver(s), because each IP itself can only have ONE certificate to be secured.

On the website, we have a module that sends automatically an email to customers after they bought something in order to know if they are satisfied (to get their feedback). Unfortunately, they get the warning message by reading the email, saying that the website is not secure since it pays attention to the second certificate added to the website.

I asked for an example, which I could investigate. Unfortunately, you don't provide something to investigate, so I can't help you here.

 

[presta260]

Hi UFHH01,

Thank you for your answer,

This second certificate is not relevant for browsers at all, when they visit your site over a domain - name, hosted on your server, nor would this conflict in any way.

I would simply invite to use LYNX a text-web browser by using this simple command on a linux shell:

lynx www.geffengros.fr

You will be immediately noticed that there is a SSL problem. Lynx will consider the plesk's certificate as the domain's certificate.

But if you try with the first website which plesk has the same certificate, you will see that there is no problem:

lynx www.geffenstore.fr

I asked for an example, which I could investigate. Unfortunately, you don't provide something to investigate, so I can't help you here.

I did not provide the example because I have secured plesk with the domain's certificate and if I change again with a self-signed certificate you could not verify the commands above.
Once you have use lynx, I would invite you to let me know so I can change Plesk's certificate with a self-signed one.

Thank you so much for your help

 

[UFHH01]

Hi presta260,

trying to reproduce a possible error was not possible with lynx by me. Could you pls. post some screenshots, where YOU experience the described issue/error?

 

[presta260]

Hi UFHH01,

Of course, please see attached 2 screenshots corresponding to the two websites. As you could see in the screenshot firstwebsite.png there is no SSL error. However in the second website you will see the following error:

SSL error:host(www.geffengros.fr)!=cert(www.geffenstore.fr)-Continue? (y)

But again, the certificate is actually corresponding to the plesk's certificate which is the same as www.geffenstore.fr

 

[UFHH01]

Hi presta260,

pls. consider to delete cookies/cache/temporary internet files from lynx, because I couldn't reproduce your issue shown at your screenshots.

 

[presta260]

Hi UFHH01,

In my old version of lynx, it does not keep history, cookies nor cache. But even the first time I have tried, I have received this error this is how I have discovered this bug with lynx.
Maybe in your version, you should activate the option "SSL PROMPTING" by clicking on the letter "O"
Please see attached another screenshot.

 

[Vega80]

In my old version of lynx [...]

Does your old Lynx version support SNI?
If both domains share a common IP and have separate certificates, you need a client with SNI support, else the server will always send the certificate that is associated with its IP addess. This should only be a problem for very outdated browsers (see the handshake simulation in the ssllabs test).

Server Name Indication - Wikipedia

 

[presta260]

Hi Vega80,

It is very satisfying to see people willing to help.

Thank you very much for your explanation, I understand better why I get a SSL error with Lynx and Microsoft Outlook Express which are old clients that does not support SNI.

The subject is now resolved, many thanks to you and many thanks to UFHH01 for your precisions and your time.

Sincere Greeting from France


https://talk.plesk.com/members/ufhh01.148826/
https://talk.plesk.com/members/ufhh01.148826/