SSL

From Server Knowledge Base
Revision as of 22:07, 5 February 2013 by Rootadminacc (talk | contribs)

Name-based virtual hosting doesn't work for SSL: the Host header is part of the encrypted payload, so Apache cannot tell which certificate to present.

You need a second IP address for a second SSL certificate unless you use SNI (Server Name Indication).

Copying SSL from server to server

If you have a certificate in PKCS#12 format (a .p12 or .pfx file), you may want to go here to find the OpenSSL command to convert it to PEM.
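The conversion referred to above, as an added example that is not part of the original page: it splits a PKCS#12 bundle into the PEM pieces Plesk asks for and then checks that the key and certificate belong together. It assumes the openssl CLI is installed; the .pfx file and its password are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: split a PKCS#12 (.p12/.pfx) bundle
# into the PEM pieces Plesk asks for (private key, certificate, CA bundle) with the
# openssl CLI, then confirm the key and the certificate carry the same public key.
set -e

# $1 = .pfx file, $2 = its import password, $3 = output directory
pfx_to_pem() {
    pfx="$1"; pass="$2"; out="$3"
    mkdir -p "$out"
    # private key only, written unencrypted (-nodes) so the web server can load it
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes -out "$out/private.key"
    # the server (leaf) certificate only
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys -out "$out/certificate.crt"
    # intermediate/root certificates only, i.e. the CA bundle field in Plesk
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -cacerts -nokeys -out "$out/ca-bundle.crt"
    chmod 600 "$out/private.key"
}

# Returns 0 when private key $1 and certificate $2 carry the same public key;
# a mismatch is the "certificate doesn't match your private key" situation.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    case "$k" in *"BEGIN PUBLIC KEY"*) [ "$k" = "$c" ] ;; *) return 1 ;; esac
}

# Constructed input for a dry run: a throwaway self-signed key/cert packed into a .pfx
# (placeholder name and password; no real certificate is needed to try the conversion)
make_demo_pfx() {
    d="$1"; mkdir -p "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=www.example.com" \
        -keyout "$d/demo.key" -out "$d/demo.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$d/demo.key" -in "$d/demo.crt" \
        -passout pass:demo-password -out "$d/demo.pfx"
}
```

The three output files map directly onto the Private Key, Certificate and CA Certificate boxes in the Plesk SSL form.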

Generate CSR in Plesk

Plesk 9

  • Main Menu - Domains
  • Click the Domain
  • Additional Tools - SSL Certificates
  • Add SSL Certificate
  • Enter the certificate name
  • Fill in the preferences and set the Bits to 2048
  • Click Request
  • Go back to the SSL certificates menu > click the SSL
  • Send the CSR and Private Key to the SSL provider.

Plesk 10

  • Hosting Services - Domains
  • Open in Control Panel for the domain
  • Websites and Domains
  • Secure Your Sites
  • Same steps as Plesk 9 from "Add SSL Certificate"

Ensure you check/do the following

  • Create the following email address to receive the confirmation email, as SSL providers have specific requirements: admin@yourdomain (the domain name on the SSL)
  • Purchase the SSL with www where possible.

Oops, no RSA or DSA server certificate found for...

Apache SSL error:

Oops, no RSA or DSA server certificate found for 'www.somedomain.com:0'?!

cd /etc/apache2/sites-available/
vim domain.co.ukssl

Add in the following (the directive is one word, SSLEngine):

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine On

Google Search of Transferring SSL certificate to new server

Install an SSL certificate into Plesk

  1) Ensure you know whether it is a Domain, Organizational or Extended SSL before installing.
  2) Log in to the Plesk Control Panel.
  3) Go to Server Management - Tools & Utilities > SSL Certificates > Add SSL Certificate
  4) Enter a name for your SSL. This can be anything.
  5) Select 2048 from the Bits drop-down menu.
  6) Enter the domain name that you bought the SSL with. To check whether you bought it with or without www, copy the Certificate and put it into this.
  7) Add in the Private Key, Certificate and just the DomainSSL CA Bundle from here or the OrganizationSSL Root Bundle here ONLY if it is GlobalSign.
  8) Go to Server Management - Tools & Utilities > Resources - IP Addresses > Click the IP.
  9) Set it to Dedicated.
  10) Select the SSL Certificate from the drop-down menu.
  11) Set the Default Site to your website.
  12) Then go to Hosting Services - Domains > click Control Panel.
  13) Go to the Websites and Domains tab > click the domain itself.
  14) Under Security select Enable SSL Support.
  15) Check the SSL here. Using this tool you can also confirm whether you have a Domain, Organizational or Extended SSL under the Issuer heading. Ensure you have the correct root/CA bundle.

Note: Wildcard SSLs use a Domain SSL CA.

Alternate guide

  1) Log in to the Plesk Control Panel.
  2) Select Domains from the left-hand menu.
  3) Click on the domain name that the certificate is for - "yourdomain.com".
  4) Click on the Certificates menu item.
  5) There is a button in the middle of the page labelled Browse. Click Browse and navigate to the location of the certificate you received (save the certificate as a .txt file).
  6) Select it, then select Send File; this will upload the certificate and attach it to the corresponding private key.
  7) The certificate name will now appear in the list of certificates at the bottom of the page. Click on the name of the certificate in the list.
  8) Download the appropriate CA/CA Bundle and paste its contents into the CA Certificate box.
  9) Click the Send Text button.
  10) Now click Up Level at the top right of the screen and choose Setup.
  11) At the top of the page, select the SSL Certificate you've installed from the SSL Certificate drop-down menu.
  12) Click the Server item from the left-hand menu.
  13) Click on the Service Management menu item.
  14) You now need to Stop and Start the Apache process.

Alternate guide from Digicert

Bundle Intermediate Root CAs

AlphaSSL root intermediate CA
Comodo root intermediate CA

These are GlobalSign's:

DomainSSL Root Bundle
DomainSSL Root CA
OrganizationSSL Root Bundle
ExtendedSSL Root Bundle

OLD pre-June 2011 OrganizationSSL Root Bundle

Install through command line

This can be used after the SSL has been placed in Plesk within either the Domain or Server SSL section.

Linux:

cd /opt/psa/bin
./certificate --assign-cert "CertificateName" -domain yourdomain.com -ip ServerIPAddress

Or:

cd /usr/local/psa/admin/plib/api-cli
./certificate.php --assign-cert "CertificateName" -domain yourdomain.com -ip ServerIPAddress

Windows:

CLI guide: http://download1.parallels.com/Plesk/PPP9/Doc/en-US/plesk-9.5-win-cli.pdf

cd %plesk_cli%
certificate.exe --assign-cert "CertificateName" -domain yourdomain.com -ip ServerIPAddress

Plesk + CentOS SSL bug

httpd can pick up a Private Key in /etc/httpd/conf.d/ssl.conf potentially from either:

/etc/pki/tls/certs/localhost.crt

or

/etc/pki/tls/private/localhost.key

or another setting below line 68. You can sometimes comment out everything from line 68 onwards and then check whether it works on http://sslshopper.com/ssl-checker.html

You can see the original file on the server with: vim /etc/httpd/conf.d/ssl.conf

Install SSL in WHM/cPanel

I understand the risks on domain SSL

If a domain shows "I Understand the Risks" with an SSL, check the Technical Details and which domains the certificate is registered under. Use SSL Checker.

If the domain shows as having issues with the common name, it is likely the SSL was ordered with the www prefix but installed without, or vice versa.

PEM extraction

PKCS/PFK/PFX

Plesk SSL errors

Unable to set the certificate: Unable to put certificate file: Unable to arrange cert file: cp2tempnam failed: filemng failed: filemng: Unable to open file "/var/lock/files/": No such file or directory.

Create the /var/lock/files directory manually and remove entries from the psa database, certificates table.

ERROR: PleskFatalException

SSLCertificate::check_signs() failed: openssl_x509_checkpurpose() failed:

--------------------------------------------------------------------------------

0: CertificatePropertiesUIPointer.php:454
CertificatePropertiesUIPointer->accessItemEdit(string 'POST', NULL null)
1: CertificatePropertiesUIPointer.php:19
CertificatePropertiesUIPointer->accessItem(string 'POST', NULL null)
2: UIPointer.php:595
UIPointer->access(string 'POST')
3: plesk.php:52

Possible solution for CentOS on Plesk 10.3: http://forum.parallels.com/showthread.php?t=112512
Open SSL Guide: http://php.net/manual/en/book.openssl.php

The above occurred when an SSL issued by GlobalSign through 123-reg.co.uk was being installed.

Server Name Indication - SNI

Shared SSL Guides (Only for Windows)

- Via Tools and Utilities > Shared SSL [Switch on Shared SSL] for specific domain/subscription
- Go into Subscriptions, click the specific one you switched it on for
- Manage in Control Panel > Websites and Domains tab
- Show Advanced Operations
- Manage each Domain
- [Switch on Shared SSL] under the specific domain/subscription
- Leave virtual directory name as is
- Set httpdocs

http://tutorials.ausweb.com.au/web-hosting/plesk-server-management-windows/managing-shared-ssl.html
http://www.1hostingvision.com/shop/faq.cfm?Action=foundqa&faqid=564&FAQCategoryID=273
http://www.codero.com/knowledge-base/questions/51/__print
http://www.ourshop.com/resources/shared-ssl.html
http://support.hostgator.com/articles/ssl-certificates/ssl-setup-use/how-to-set-up-and-use-your-shared-ssl

SSL Checker messages

SSL doesn't work with www

This applies if SSL Checker reports "None of the common names in the certificate match the name that was entered. You may receive an error when accessing this site in a web browser."

Go to http://www.sslshopper.com/certificate-decoder.html and enter your Certificate including the BEGIN and END lines. It will show you the common name it was ordered with. You may need to re-purchase the SSL with www, as doing so normally secures both the www and non-www versions. Buying without www may only secure the non-www version.

Intermediate/chain/CA incorrect

If you receive "You may need to install an Intermediate/chain certificate to link it to a trusted root certificate." on SSL Checker you need to go to http://www.globalsign.com/support/root-certificate/root-globalsign.php and copy all of that CA into a notepad and then into your domain's SSL section.


Bug: On Plesk 11 for a Wildcard SSL if the CA is not picked or it says it is incorrect when it is the right one, do /opt/psa/admin/bin/nginxmng --disable
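The two SSL Checker findings above (common name not covering the www/non-www name, and a certificate that does not chain to the installed CA bundle) can be reproduced offline with openssl. This is an added example, not from the original page; it assumes the openssl CLI, and every certificate it uses is constructed in the script (example.com is a placeholder).

```shell
#!/bin/sh
# Added example, not from the original page: check offline what SSL Checker reports,
# the hostnames a certificate actually covers (CN plus subjectAltName) and whether it
# chains to the CA bundle installed. Assumes the openssl CLI; all certificates are
# constructed below, so it runs without a real order.
set -e

# Every hostname a certificate is valid for: the subject CN plus subjectAltName DNS entries
cert_names() {
    { openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//; s/[,/].*//'
      openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
    } | sort -u
}

# 0 when certificate $1 covers hostname $2, i.e. SSL Checker's common-name test would pass
covers_name() { cert_names "$1" | grep -qx "$2"; }

# 0 when certificate $1 chains to CA bundle $2, i.e. the right intermediate is installed
chain_ok() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# Helper: CSR for CN $3 signed by the demo CA in $1, with subjectAltName $4, saved as $2.crt
issue() {
    d="$1"; name="$2"; cn="$3"; san="$4"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
    printf 'subjectAltName=%s\n' "$san" > "$d/$name.ext"
    openssl x509 -req -in "$d/$name.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
        -days 1 -extfile "$d/$name.ext" -out "$d/$name.crt" 2>/dev/null
}

# Constructed inputs: a demo issuing CA, a cert ordered "with www" (CN=www.example.com,
# SAN for both names), one ordered "without www" (example.com only) and an unrelated CA
# standing in for the wrong bundle pasted into Plesk
make_demo_certs() {
    d="$1"; mkdir -p "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Issuing CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
        -keyout "$d/other.key" -out "$d/other.crt" 2>/dev/null
    issue "$d" www www.example.com "DNS:www.example.com,DNS:example.com"
    issue "$d" bare example.com "DNS:example.com"
}
```

Run `cert_names` against the certificate you were sent before installing it; if the name you want to serve is missing, no CA bundle or Plesk setting will fix it and the certificate has to be reissued.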

SSL Format

SSL on Plesk login

- Tools and Utilities
- SSL Certificates
- Click the checkbox next to the SSL
- Secure the panel

Self-signed certificate

This message relates to the untrusted-connection warning shown when logging into Plesk or cPanel. The certificate used to secure Plesk/cPanel is self-signed and is safe to accept. Please note you will also receive this security warning when accessing the WHM (Web Host Manager) or Virtuozzo Control Panel and Parallels Product Installer pages.

When logging into your server over port 8443, you may be presented with a security warning by the web browser. This is due to the type of certificate used. There are 2 types of certificates: an authority-signed certificate and a self-signed certificate.

Both are the exact same level of security, but a self-signed certificate is issued by the hosting company or control panel and needs to be accepted in the user's browser. This is because the browser does not recognize the hosting company or control panel as the issuer, whereas it already recognizes the established authorities that issue SSL certificates.

In order to access your server over port 8443 you will need to accept the security warning.

SSL Renegotiation

The wrong certificate is shown for my domain in the browser

This page includes other resources which are not secure

This confirms that it is something in your code.

Notes:

With regard to TLS renegotiation, this is a new feature that was only recently made public. The majority of servers do not support it, so you would need to install it yourself.

Generate CSR

If the SSL certificate doesn't match your private key, this suggests it was ordered with the wrong CSR. We recommend contacting the SSL provider.

What an SSL secures

Having an SSL certificate and using HTTPS encrypts sensitive data while it is transmitted over the Internet. Phishing comes down to the coding of the website, folder permissions and simply poor passwords, and is therefore not directly related to HTTPS.

Note that SSL will not be enabled for your entire store, only for the sections where sensitive data is transmitted. This is because secure connections (HTTPS) are slower than regular connections (HTTP), so SSL is applied only where it is really needed.

1) Confirm that the SSL certificate was successfully installed. Look at the website to see whether HTTPS activates on a transactional page where personal information will be transmitted over the Internet.

2) It is normal practice to have only these pages resolving via HTTPS.

3) If you wish to use HTTPS throughout the website (e.g. Magento), go to the Magento Admin area: System -> Configuration -> Web and enable "Use Secure URLs in Frontend".