
Resolved [SOLVED] Problem with SSL Settings

X00LA

New Pleskian
Hello,

I'm new to Plesk and I have some problems getting https working right.
My certs are working fine but I want to enable session caching, forward secrecy and custom DH parameters. I searched over the last days and tested many different solutions, but I always get errors and the activation failed.
When I change the template files in /usr/local/psa/admin/conf/templates/custom/domain the settings appear in the generated configs, but don't get activated.
I test the configs with ssllabs.com/ssltest but I always get the same result.
I changed the settings to enable caching; when I want to enable it, Apache crashes.
When I change the settings for forward secrecy, nothing happens. The settings appear in the generated configs but they didn't get activated.
I added the dhparams to my cert file, but there is no change in the result of the ssltest.
It's a pain to get some things working in Plesk. That's not what I had imagined as I switched to it.

I hope someone can help me with these problems.

I use Ubuntu 14.04, Apache 2.4.7, OpenSSL 1.0.2g.

Thanks
 
Hi X00LA,
the templates you need to edit for domains are...

Domains
/opt/psa/admin/conf/templates/custom/domain/nginxDomainVirtualHost.php
/opt/psa/admin/conf/templates/custom/server/nginxVhosts.php


Webmail
/opt/psa/admin/conf/templates/custom/nginxWebmailPartial.php

DHParam: I find it better to create a file and add the directive to the templates.
Code:
ssl_dhparam                 /etc/ssl/dh/RSA2048.pem;

Session Cache: can be set in the templates too.
Code:
ssl_session_cache                  shared:SSL:5m;

Ciphers (from Qualys):
Code:
ssl_ciphers                 EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;


As for Apache, I just edit...

/etc/apache2/mods-available/ssl.conf
Code:
    SSLProtocol all -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite  EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

And restart Apache, and regenerate the domain config...
/opt/psa/admin/bin/httpdmng --reconfigure-all


From there you can add OCSP (in Additional Nginx Directives), HSTS and HPKP (in Additional HTTPS Directives) on a per domain basis.
Any other questions post away and I'll be happy to help.
Regards

Lloyd
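
An added example, not part of the original posts: a small check for the symptom described in the question (template edits that do not end up in effect for a vhost). It reads nginx configuration text and reports, per TLS server block, which of the three directives from the answer are missing after inheritance from the enclosing `http` block. The function names and the sample configuration are constructed for illustration, and the parser is simplified (it does not follow `include` files or handle quoted strings).

```python
import re
WANTED = ("ssl_dhparam", "ssl_session_cache", "ssl_ciphers")  # directives set in the thread
# Constructed sample: one vhost picked up the template change, one did not.
SAMPLE = """
http {
    ssl_session_cache shared:SSL:5m;
    server {
        listen 443 ssl; server_name good.example;
        ssl_dhparam /etc/ssl/dh/RSA2048.pem;
        ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EDH+aRSA:!aNULL;
    }
    server {
        listen 443 ssl; server_name stale.example;
        ssl_session_cache builtin:1000; ssl_ciphers HIGH:!aNULL;
    }
    server { listen 80; server_name plain.example; }
}
"""

def effective(name, block, parents):
    # nginx inheritance: the innermost level that sets a directive wins
    hits = [lv["d"][name][-1] for lv in [block] + parents[::-1] if name in lv["d"]]
    return hits[0] if hits else None

def check_server(block, parents):
    problems = ["missing " + n for n in WANTED if effective(n, block, parents) is None]
    cache = effective("ssl_session_cache", block, parents)
    if cache and not any(a.startswith("shared:") for a in cache):
        problems.append("ssl_session_cache is not a shared cache")
    ciphers = effective("ssl_ciphers", block, parents)
    if ciphers and not re.search(r"(^|[:+])(EECDH|ECDHE|EDH|DHE)", ciphers[0]):
        problems.append("ssl_ciphers names no ECDHE/DHE key exchange")
    return problems

def audit(text):
    """Return {server_name: [problems]} for each server block that listens with ssl."""
    findings, stack, words = {}, [{"name": "main", "d": {}}], []
    for tok in re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", text)):
        if tok == "{":
            stack.append({"name": words[0] if words else "", "d": {}})
        elif tok == ";" and words:
            stack[-1]["d"].setdefault(words[0], []).append(words[1:])
        elif tok == "}":
            block = stack.pop()
            if block["name"] == "server" and any("ssl" in a for a in block["d"].get("listen", [])):
                label = " ".join(block["d"].get("server_name", [["(unnamed)"]])[0])
                findings[label] = check_server(block, stack)
        words = [] if tok in ("{", "}", ";") else words + [tok]
    return findings
```

Calling `audit(SAMPLE)` returns an empty problem list for `good.example` and three findings for `stale.example`; the plain HTTP vhost is skipped.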
 
Hi Lloyd,

thank you for your help.
Now it works like it should.
This answer saves me many hours. I was dumb not to ask here earlier.

A "BIG" Thank you!

X00LA
 