• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

understanding SSL for domain

fabrizioi

Basic Pleskian
Hi all,

I don't know if is possible but I would like to create a scenario like this:

http://www.mydomain.com - web site
https://www.mydomain.com/backend - web site with my cms/control panel

I would like that only client with the client certificates can access to the https url for this domain (client must install in the browsers the client certificate)

I have the following configuration:
Centos5.4 32bit with plesk 9.3, 3 IP address on a dedicated server.

I have 2 domain and the plesk panel itself on IP address 01
I have another domain "mydomain" on IP address 02
I have enable the ssl option in the web hosting setup for the domain "mydomain".

From my linux office computer I have generated the ssl certificates with openssl, tested it, it work.
From plesk control panel -> mydomain I have uploaded 3 files from the section "upload certificates files" in the following order :

server-key.pem, server-cert.pem, ca-cert.pem

Now if I'm going to: https://www.mydomain.com after some browser alert I can see the plesk https welcome page.

In my mind I was expecting not to see the page because I haven't installed the client certificates in the browser.

Any help about it is very appreciate.

Bye
 
it work

Hi all,

After hard work and configuration I successfully configure the https scenario.

I share this because this is not documented.
This is not a complete how to but can be useful for reference.

In my situation I create the certificates and I'm be the CA for this.

First of all be sure to have an exclusive IP address configured for the domain you want to activate the ssl feature and be sure to have openssl installed.

create a folder for example in /home/myssl

Go to domain-> ssl cert -> add ssl cert
Compile the form at the top of the page and the click the request button.

Plesk generate the server key and the server csr.

Create two files in /home/myssl: server.key, server.csr. Copy past the code from plesk panel to the target files.

Continue to generate the certificates. This links could be valid resource to do this:
http://www.modssl.org/docs/2.8/ssl_faq.html
http://www.vanemery.com/Linux/Apache/apache-SSL.html

Could be nice to sign certificates with sign.sh.
For very strange reason this is not always installed with apache and let me crazy to find and configure it.
This links can be useful to do this
http://www.faqs.org/docs/securing/chap24sec195.html
http://tldp.org/LDP/solrhe/Securing-Optimizing-Linux-RH-Edition-v1.3/chap24sec196.html

Here you can wget the sign.sh working file
http://willert.dk/geek/ssl-make.html

After the certificates are created return to plesk.
Edit the prev certificate and upload server and ca cert.

Now be sure that in webhosting setup the domain have ssl options set to true and that the correct certificate is selected.
Also take a look in the IP address configuration.

At this point we thinks that everything work but is not true.

For some strange reason plesk continue to use the default certificates instead of the certificates called from domain/http.include

Do not try to include it in vhost_ssl.conf this type of directive seems to be not allowed in this file.

Following this kb, http://kb.odin.com/en/939, I think that now everything work.
No. When I'm going to https the domain from the browser the default certificate continue to be used.

After one day of investigation I have found that the default certificate is configured here: /etc/conf.d/*psa_httpd.conf.

The only solution I have found is to specify the correct certificates here, the same of http.include in other words.
After this I must move some directive form /etc/conf.d/ssl.conf (disabled via the kb) to *psa_httpd.conf.

Now I believe that all work, but this is not true.

I found that post data not work with ssl if SSLVerifyClient is set to verify.
Reference: https://issues.apache.org/bugzilla/show_bug.cgi?id=12355

So i need to set SSLVerifyClient to default value in *psa_httpd.conf.

After this I create the domain/vhost_ssl.conf and under the Location directive set SSLVerifyClient to the correct value.
this can be useful for advanced config. http://www.modssl.org/docs/2.8/ssl_howto.html.


Hope this help.

Bye

PS: sorry for my english
 
Hi, thanks for the info. I am trying the same thing. The additional problem I have is that I also want a server certificate installed on the domain, as it is for ecommerce.

Were you able to do this?

Incidently, there is nothing wrong with your English!
 
Back
Top