
How to set up shared ssl

JeremyHattula

After two days of reading through forums without a clear answer and much experimentation (having almost 0 experience with Linux systems, though I've learned a lot in the last two days), I came up with a working model for shared SSL on Linux. Seeing that some others had similar questions and I could not find a clear solution, I'll share what I came up with.

This is on a VPS server running Parallels Plesk Panel v11.0.9_build110120608.16 os_CentOS 6 on CentOS 6.4 (Final)

1. Set up your domain (i.e. secure.mydomain.com) in the Plesk Panel and associate your SSL certificate with that domain.

2. Go to the PHP settings for that domain and set the open_basedir param to "." or ".:/tmp" (you MUST include . )

3. Log in via shell or VNC, open /var/www/vhosts/secure.mydomain.com/conf/vhost_ssl.conf and edit it to:
Code:
<IfModule mod_suexec.c>
   SuexecUserGroup adminusr psaserv
   #Where adminusr is your primary linux login, not root
</IfModule>
<IfModule mod_userdir.c>
   UserDir /var/www/vhosts/*/sharedssl
   #I use a sharedssl directory for this, as explained later; you can change this to something else
</IfModule>
<Directory /var/www/vhosts/*/sharedssl>
   Options +Includes +ExecCGI
   AddHandler cgi-script .cgi
   <IfModule mod_fcgi.c>
      <Files ~ (\.php)>
         SetHandler fcgid-script
         FCGIWrapper /var/www/cgi-bin/cgi_wrapper/cgi_wrapper .php
         Options +ExecCGI
         allow from all
      </Files>
   </IfModule>
   <IfModule mod_perl.c>
      <Files ~ (\.pl$)>
         SetHandler perl-script
         PerlHandler ModPerl::Registry
         Options ExecCGI
         allow from all
         PerlSendHeader On
      </Files>
   </IfModule>
   <IfModule mod_python.c>
      <Files ~ (\.py$)>
         SetHandler python-program
         PythonHandler mod_python.cgihandler
      </Files>
   </IfModule>
   <IfModule mod_fcgid.c>
      <Files ~ (\.fcgi)>
         SetHandler fcgid-script
         Options +FollowSymLinks +ExecCGI
         allow from all
      </Files>
   </IfModule>
</Directory>

3. From the command line in a terminal run
Code:
/usr/local/psa/admin/bin/httpdmng --reconfigure-domain secure.mydomain.com
to read your new vhost_ssl.conf (note: I had to delete the backup file vhost_ssl.conf~ using gedit in GNOME because httpdmng was reading that one instead of vhost_ssl.conf)

4. Create a file such as sharedssl.sh with the following code (this is how I made mine; you can customize it as you see fit)
Code:
#!/bin/bash
echo "--------------------" >> /tmp/event_handler.log
/bin/date >> /tmp/event_handler.log
/usr/bin/id >> /tmp/event_handler.log
echo "Domain Created" >> /tmp/event_handler.log
echo "Name: ${1}" >> /tmp/event_handler.log
echo "User: ${2}" >> /tmp/event_handler.log
#Comment out cp to make a blank directory or comment out mkdir to copy from skeleton
#Arguments are quoted so a value with spaces or shell metacharacters stays a single path
cp -R /var/www/vhosts/.skel/0/httpdocs "/var/www/vhosts/${1}/sharedssl"
#mkdir "/var/www/vhosts/${1}/sharedssl"
echo "Directory Created" >> /tmp/event_handler.log
echo "Path: /var/www/vhosts/${1}/sharedssl" >> /tmp/event_handler.log
chown -R "${2}:psaserv" "/var/www/vhosts/${1}/sharedssl"
chmod -R 750 "/var/www/vhosts/${1}/sharedssl"
echo "chmod 750" >> /tmp/event_handler.log
echo "--------------------" >> /tmp/event_handler.log

5. Back in the Plesk Panel go to Tools & Settings > Event Manager > Add New Event Handler with the following settings
Code:
Event: Hosting Settings Created
Priority: Normal (50)
User: root
Command: /path/to/sharedssl.sh ${NEW_DOMAIN_NAME} ${NEW_SYSTEM_USER}

6. Restart Apache

Any new hosting plan will have a sharedssl folder that will be available via https://secure.mydomain.com/~customerdomain.com.

Works with everything except FastCGI (will return a 500 error). I was apprehensive about using the Linux admin as user (still not entirely sure how secure that is), but it was the only way to get around the suexec problem using userdir. As long as you have set open_basedir to "." it will limit PHP file access only to files in the user's /sharedssl directory or an additional directory specified in open_basedir!

As I said before, I have about nil experience with Linux systems and am not sure this is the best way to go, but it does work. Any comments or suggestions will be super!
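
A stricter take on the event handler from step 4, as an added example that is not part of the original post: because Plesk runs the handler as root, it validates both arguments before touching the filesystem, refuses a symlinked vhost directory or an existing target, and logs through syslog instead of a fixed file name in /tmp. The function names, return codes and accepted character sets are assumptions made for this example; it creates an empty directory rather than copying the skeleton.

```sh
#!/bin/sh
# Added example: hardened variant of the step 4 handler (names are assumptions).
LC_ALL=C; export LC_ALL            # make [a-z] ranges byte-exact
VHOSTS=/var/www/vhosts             # vhosts root used in the post

valid_domain() {                   # hostname characters only, must contain a dot
    [ -n "$1" ] && [ "${#1}" -le 253 ] || return 1
    case $1 in
        *[!A-Za-z0-9.-]*|.*|*.|*..*|-*|*-|*.-*|*-.*) return 1 ;;
        *.*) return 0 ;;
    esac
    return 1
}

valid_sysuser() {                  # conservative Unix login pattern, never root
    [ -n "$1" ] && [ "${#1}" -le 32 ] || return 1
    case $1 in
        root|[!a-z_]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# make_shared_dir ROOT DOMAIN USER: create ROOT/DOMAIN/sharedssl with mode 750.
# Returns 2/3 for bad arguments, 4 for a bad vhost dir, 5 if the target exists.
make_shared_dir() {
    valid_domain "$2"  || { echo "rejected domain argument" >&2; return 2; }
    valid_sysuser "$3" || { echo "rejected user argument" >&2; return 3; }
    vhost=$1/$2
    # The vhost must be a real directory, not a symlink pointing elsewhere.
    [ -d "$vhost" ] && [ ! -L "$vhost" ] || return 4
    target=$vhost/sharedssl
    # Refuse anything already there, including a dangling symlink.
    if [ -e "$target" ] || [ -L "$target" ]; then return 5; fi
    mkdir -m 750 -- "$target"
}

# Runs only when invoked as in step 5: sharedssl.sh <domain> <system user>
if [ "$#" -eq 2 ]; then
    make_shared_dir "$VHOSTS" "$1" "$2" || exit $?
    chown "$2":psaserv "$VHOSTS/$1/sharedssl"
    # syslog instead of appending as root to a fixed file name in /tmp
    logger -t sharedssl "created $VHOSTS/$1/sharedssl for $2"
fi
```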