
understanding SSL for domain

fabrizioi

Basic Pleskian
Hi all,

I don't know if it is possible, but I would like to create a scenario like this:

http://www.mydomain.com - web site
https://www.mydomain.com/backend - web site with my cms/control panel

I would like only clients with the client certificate to be able to access the HTTPS URL for this domain (clients must install the client certificate in their browsers).

I have the following configuration:
CentOS 5.4 32-bit with Plesk 9.3, 3 IP addresses on a dedicated server.

I have 2 domains and the Plesk panel itself on IP address 01.
I have another domain "mydomain" on IP address 02.
I have enabled the SSL option in the web hosting setup for the domain "mydomain".

From my Linux office computer I generated the SSL certificates with openssl and tested them; they work.
From the Plesk control panel -> mydomain I uploaded 3 files from the section "upload certificates files" in the following order:

server-key.pem, server-cert.pem, ca-cert.pem

Now if I go to https://www.mydomain.com, after some browser alerts I can see the Plesk HTTPS welcome page.

In my mind I was expecting not to see the page because I haven't installed the client certificates in the browser.

Any help with this is much appreciated.

Bye
 
It works

Hi all,

After hard work and configuration I successfully configured the HTTPS scenario.

I am sharing this because it is not documented.
This is not a complete how-to but can be useful for reference.

In my situation I create the certificates and I am the CA for them.

First of all, be sure to have an exclusive IP address configured for the domain on which you want to activate the SSL feature, and be sure to have openssl installed.

Create a folder, for example /home/myssl.

Go to domain -> ssl cert -> add ssl cert.
Fill in the form at the top of the page and then click the request button.

Plesk generates the server key and the server CSR.

Create two files in /home/myssl: server.key, server.csr. Copy and paste the code from the Plesk panel into the target files.

Continue to generate the certificates. These links could be valid resources for doing this:
http://www.modssl.org/docs/2.8/ssl_faq.html
http://www.vanemery.com/Linux/Apache/apache-SSL.html

It could be nice to sign certificates with sign.sh.
For some very strange reason this is not always installed with Apache, and it drove me crazy to find and configure it.
These links can be useful for doing this:
http://www.faqs.org/docs/securing/chap24sec195.html
http://tldp.org/LDP/solrhe/Securing-Optimizing-Linux-RH-Edition-v1.3/chap24sec196.html

Here you can wget a working sign.sh file:
http://willert.dk/geek/ssl-make.html

After the certificates are created, return to Plesk.
Edit the previous certificate and upload the server and CA certs.

Now be sure that in the web hosting setup the domain has the SSL option set to true and that the correct certificate is selected.
Also take a look at the IP address configuration.

At this point we think that everything works, but that is not true.

For some strange reason Plesk continues to use the default certificates instead of the certificates called from domain/http.include.

Do not try to include it in vhost_ssl.conf; this type of directive seems not to be allowed in this file.

Following this KB, http://kb.odin.com/en/939, I think that now everything works.
No. When I go to the domain over HTTPS from the browser, the default certificate continues to be used.

After one day of investigation I found that the default certificate is configured here: /etc/conf.d/*psa_httpd.conf.

The only solution I have found is to specify the correct certificates here, in other words the same ones as in http.include.
After this I had to move some directives from /etc/conf.d/ssl.conf (disabled via the KB) to *psa_httpd.conf.

Now I believe that everything works, but this is not true.

I found that POST data does not work with SSL if SSLVerifyClient is set to verify.
Reference: https://issues.apache.org/bugzilla/show_bug.cgi?id=12355

So I need to set SSLVerifyClient to the default value in *psa_httpd.conf.

After this I created domain/vhost_ssl.conf and under the Location directive set SSLVerifyClient to the correct value.
This can be useful for advanced config: http://www.modssl.org/docs/2.8/ssl_howto.html.


Hope this helps.

Bye

PS: sorry for my English
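
The certificate steps described in the post above, as an added example that is not part of the original post and does not reproduce sign.sh: a private CA signs a server CSR (standing in for the one Plesk generates) and a client certificate, then checks that each chains to the CA for its intended purpose only. Subjects, serial numbers, lifetimes, file names and the PKCS#12 password are constructed assumptions.

```bash
#!/usr/bin/env bash
# Added example: private CA, server cert from a CSR, client cert for browsers.
# Subjects, serials, lifetimes and the PKCS#12 password are constructed values.
set -eu

make_pki() {    # $1 = working directory (the post uses /home/myssl)
    d="$1"; mkdir -p "$d"
    # 1. CA key and self-signed CA certificate (uploaded to Plesk as the CA cert)
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Private CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    # 2. Stand-in for the server key and CSR that Plesk generates
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.mydomain.com" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    # 3. Key and CSR for one browser user allowed into /backend
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=backend-user-1" \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
    # 4. Sign both CSRs with the CA, pinning each certificate to one purpose
    echo "extendedKeyUsage=serverAuth" > "$d/server.ext"
    echo "extendedKeyUsage=clientAuth" > "$d/client.ext"
    for n in server client; do
        [ "$n" = server ] && serial=1 || serial=2
        openssl x509 -req -in "$d/$n.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
            -set_serial "$serial" -days 365 -extfile "$d/$n.ext" \
            -out "$d/$n.crt" 2>/dev/null
    done
    # 5. PKCS#12 bundle that the user imports into the browser
    openssl pkcs12 -export -inkey "$d/client.key" -in "$d/client.crt" \
        -certfile "$d/ca.crt" -passout pass:change-me -out "$d/client.p12"
}

# True only if $2 chains to CA $1 and is valid for purpose $3 (sslclient|sslserver)
chains_to_ca() {
    openssl verify -CAfile "$1" -purpose "$3" "$2" 2>&1 | grep -q ': OK$'
}

if [ "$#" -gt 0 ]; then
    make_pki "$1"
    chains_to_ca "$1/ca.crt" "$1/client.crt" sslclient && echo "client cert OK"
fi
```

Keep ca.key off the web server; only ca.crt, server.key and server.crt are needed there, and client.p12 goes to the user over a separate channel.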
 
Hi, thanks for the info. I am trying the same thing. The additional problem I have is that I also want a server certificate installed on the domain, as it is for ecommerce.

Were you able to do this?

Incidentally, there is nothing wrong with your English!
 