Issue Hostname and subscription with same domain name - SSL issues

[Andrea Bampi]

Server operating system version

Ubuntu 22.04

Plesk version and microupdate number

18.0.73 #3

Hello,
I recently activated 3 different servers, all with U22.04 and Plesk 18.0.73.
I have several other servers with older Plesk versions and I'm used to create as first subscription a "welcome page site" with the same domain name as the hostname.
For example, server28.xxxxx.it
I have no issues accessing Plesk via https using https://server28.xxxxx.it:8443 but I can't find a way to make any SSL certificate work on the welcome page (without :8443).
The default behavior of the server is redirecting to the Plesk login page ignoring the subscription (clearlyu something new with this version of Plesk, never worked like that before); when I disable the access to the Panel changing "Customize Plesk Url" setting, I can finally see the welcome page but it works only in http; https gives security error and the installed certificate (checking in the browser) seems to be the default self-signed Plesk certificate.
Note: I installed a Let's Encrypt SSL in the subscription, no errors.
I'm assuming it's no longer allowed to have a subscription domain identical to the server Plesk hostname? Or it's a bug with a working solution?
thanks

 

[scsa20]

So you have server28.domain.tld as a subscription? If so then it makes sense why it would redirect to the plesk default page instead of the plesk login page without the 8443. The proper way is to leave that subdomain out, edit the customize plesk url to be the server28.domain.tld, then go to tools & settings > ssl/tls certificates and enable the "keep plesk secured" which should go through the process of securing it (you might need to clear on the little slider button to set the address and email if it doesn't go through automatically) and there ya go it's set up (if it already works under server28.domain.tld under 8443 with no ssl errors then that last part isn't needed).

 

[Andrea Bampi]

Thanks for the answer, but I absolutely DON'T WANT the Plesk login page to be reachable on server28.domain.tld , that was the whole point.. I think it would be a security issue. I just want to see a "Welcome to the server" static page when users (or bots) try to reach the domain without :8443. Avoiding the standard Plesk blank domain page.

 

[scsa20]

Don't know how it's a security issue as long as you follow best practice for password management. But if you do not want it to go through any host then you can choose "No custom URLs. Only https://<server-IP-or-hostname>:8443" but you will get the security warning because it allows any domain or associated IP address including port 8443 since you're allowing any host names as long as they go to port 8443. Then make sure the default site for the IP address points to whichever the default site you want it to go to, etc., etc., etc.

 

[afuego]

Hi Andrea,

I created a custom redirect in /etc/sw-cp-server/conf.d/z-plesk.inc to force login only through hostname:8443

# cat /etc/sw-cp-server/conf.d/z-plesk.inc
if ($host !~ 'hostname|127.0.0.1'){
rewrite ^/(.*)$ https://hostname:8443/$1 permanent;

Restart sw-cp-server

#systemctl restart sw-cp-server

IMPORTANT: If you need to use the Plesk Migration Tool and use this as the source you have to restore the original configuration back or you will get this type of error message.

Failed to check Plesk API connection to target Plesk server: HTTP request to 'https://192.168.0.27:8443/enterprise/control/agent.php' failed with 301 code.
Response text:
b'<html>\r\n<head><title>301 Moved Permanently</title></head>\r\n<body>\r\n<center><h1>301 Moved Permanently</h1></center>\r\n<hr><center>nginx</center>\r\n</body>\r\n</html>\r\n'

 

[Andrea Bampi]

Thanks guys.
But my issue right now is just the SSL certificate on the Welcome page at https://server28.xxxxx.it (no port specified). The login page is already reachable only when port 8443 is specified, so I already solved that issue (just "disabling" the "Customize URL" option). And the SSL certificate works as intended, BUT ONLY WITH THE 8443 PORT SPECIFIED.
I can't seem to find the right combination of options to make the SSL work on the public Welcome page, that's it. The Welcome page in plain http is reachable and working.

 

[afuego]

You need to change server hostname if you want to use hostname to host files. Can’t have it both ways!

So you either use hostname to login or to host sites. In scenerios i want to use a domain to host files but want to use it for login to control panel, i add cp subdomain to hostname so i can have that domain for hosting.

New server hostname cp.server28.xxxx.it
New subscription in plesk server28.xxxx.it

Hope this helps!

 

[Andrea Bampi]

You need to change server hostname if you want to use hostname to host files. Can’t have it both ways!

So you either use hostname to login or to host sites. In scenerios i want to use a domain to host files but want to use it for login to control panel, i add cp subdomain to hostname so i can have that domain for hosting.

New server hostname cp.server28.xxxx.it
New subscription in plesk server28.xxxx.it

Hope this helps!

Ok thanks, this is the answer I was looking for.
Just to be clear: this is a "recent" limitation. I have 10 servers running Plesk 17 and 18 (up to 18.0.71) and ALL servers have a perfectly working "Welcome page" with the same domain as the server hostname, managed as a normal subscription with its own separate SSL certificate.
Three other servers have Plesk 18.0.72 or 73 and the "trick" doesn't work anymore.
Something apparently changed in the 0.72, but I can't find anything in the changelog. I remember seeing an option to allow access to the login page WITHOUT PORT 8443 in the first page of the installation procedure (never seen before), but it's gone now (installed a brand new Plesk just a couple of days ago, 18.0.73#3).
BTW, on the new servers, as a workaround, I created subscriptions with domains like xxxxhome.yyyy.it with xxxx.yyyy.it as the server hostname. Similar to your solution but the other way around. Seems like a bug to me, anyway. Especially since everything worked like a charm with older versions.