CA Bundle is reported to be installed incorrectly by SSL checker

Created:

2016-12-12 03:43:25 UTC

Modified:

2017-08-08 13:12:59 UTC

0

Was this article helpful?


Have more questions?

Submit a request

CA Bundle is reported to be installed incorrectly by SSL checker

Applicable to:

  • Plesk 12.5 for Linux
  • Plesk 12.0 for Linux

Symptoms

  • CA Bundle was installed via Plesk, however thawte.com reports that it was installed incorrectly.
  • Custom path is specified in default configuration templates:
    # grep -ir SSLCACertificateFile /usr/local/psa/admin/conf/templates/

    /usr/local/psa/admin/conf/templates/default/domain/domainVirtualHost.php: SSLCACertificateFile /usr/local/psa/var/certificates/cert-XXXXXX

Cause

Path to a certificate file is permanently set in customized Plesk template for web server configuration files /usr/local/psa/admin/conf/templates/default/domain/domainVirtualHost.php .

Resolution

  1. Find certificate paths in Apache configuration file for a particular domain. CA certificate file path is stored in SSLCACertificateFile variable:
    # grep SSLCACertificateFile /var/www/vhosts/system/example.com/conf/httpd.conf
    SSLCACertificateFile /usr/local/psa/var/certificates/cert-******

By default those templates, when being executed retrieve path of one or the other variable from Plesk database using PHP functions.

However, in this case path to a certificate file was permanently set in the aforementioned template file.

  1. Find the issuer of the CA file:

    openssl x509 -noout -text -in /usr/local/psa/var/certificates/cert-****** | grep -B6 Issue
    Certificate:
    Data:
    Version: 1 (0x0)
    Serial Number: 1430746873 (0x554776f9)
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: C=US, ST=Virginia, L=Herndon, O=Parallels, OU=Parallels Panel, CN=Parallels Panel/emailAddress=info@parallels.com
  2. Make sure that Apache templates store default values:

    # grep -ir SSLCACertificateFile /usr/local/psa/admin/conf/templates/
    /usr/local/psa/admin/conf/templates/default/domain/domainVirtualHost.php: SSLCACertificateFile <?php echo $sslCertificate->caFilePath ?>

    /usr/local/psa/admin/conf/templates/default/server/vhosts.php: SSLCACertificateFile "<?php echo $ipAddress->sslCertificate->caFilePath ?>"
  3. In case they do not:

  4. change customised path in string SSLCACertificateFile /usr/local/psa/var/certificates/cert-******
  5. to a default one SSLCACertificateFile <?php echo $sslCertificate->caFilePath ?>

  6. Reconfigure the website:

    # /usr/local/psa/admin/bin/httpdmng --reconfigure-domain example.com

Note: This is not recommended to modify default web server templates in /usr/local/psa/admin/conf/templates/default/ directory.

If some custom settings are necessary, check Changing Virtual Hosts Settings Using Configuration Templates article.

Have more questions? Submit a request
Please sign in to leave a comment.