Add to Favourites Add to Favourites    Print this Article Print this Article

How to install custom SSL certificate on SSO server ?

Symptoms:
SSO server sso.server is registered in Parallels Plesk Panel 9 and SSO mode enabled.
You may check this with Plesk utility sso:

~# /usr/local/psa/bin/sso --get-prefs
SSO on
sso server url: https://sso.server:11443
sso relay url: https://sso.server:11444
~#

A valid SSL certificate issued by trusted certificate authority is installed in Parallels Plesk Panel.
However the following error is shown on Paralels Plesk Panel login page:

Secure Connection Failed

sso.server:11444 uses an invalid security certificate.

The certificate is not trusted because it is self signed.

(Error code: sec_error_ca_cert_invalid) Or you can add an exception…

Why?

Cause:
Because Parallels Plesk Panel works in SSO mode login page http://plesk.host.name:8443 is redirected to SSO server and page http://sso.server:11444 is opened. First SSL certificate installed on SSO server is loaded and then SSL certificate installed in Parallels Plesk Panel. By default a self-signed SSL certificate is installed in SSO server.

Even valid SSL certificate is installed in Parallels Plesk Panel a self-signed SSL certificate will be opened first.

Using instructions below you may install a valid SSL certificate to SSO server.

Resolution:
SSL certificate that is used by SSO server is located in directory /etc/sso:

~# ls -l /etc/sso
total 16
-rw------- 1 sso root 2198 Feb 20 13:23 sso-ca.pem
-rw-r--r-- 1 root root 774 Nov 11 14:04 sso_config.ini
-rw------- 1 sso root 2198 Feb 20 13:19 sso.pem
-rw------- 1 sso root 1155 Feb 20 13:16 sso-public.pem
~#

Before replacement backup old SSL certificates just in case:

~# cp -rp /etc/sso /etc/sso.old

Save domain SSL certificate to file CRT.pem, Certificate Authority (CA) certificate to CA.pem and Private Key to KEY.pem:

CRT.pem
-----BEGIN CERTIFICATE-----
<===CERTIFICATE HERE===>
-----END CERTIFICATE-----

KEY.pem
-----BEGIN RSA PRIVATE KEY-----
<===PRIVATE KEY HERE===>
-----END RSA PRIVATE KEY-----

CA.pem
-----BEGIN CERTIFICATE-----
<===CA CERTIFICATE HERE===>
-----END CERTIFICATE-----

Before installing it is recommended to verify that Private Key matches domain SSL certificate. That means that Private Key was generated with Certificate Signed Request (CSR) that was used by Certificate Authority to generate domain SSL certificate CRT.pem.

Note that if SSL certificate was installed with different Private Key then it is invalid.

To get md5 for Private Key:

~# openssl rsa -noout -modulus -in KEY.pem | openssl md5
1ef3c35a4baabdff594f78831dc882c4
~#

and for SSL certificate:

~# openssl x509 -noout -modulus -in CRT.pem | openssl md5
1ef3c35a4baabdff594f78831dc882c4
~#

If similar md5 is outputted then Private Key and SSL certificate match each other.

To verify CA certificate matches domain SSL certificate:

~# openssl verify -verbose -CAfile CA.pem CRT.pem
CRT.pem: OK
~#

Copy text from CRT.pem, CA.pem and KEY.pem to certificate files:

sso-ca.pem
-----BEGIN RSA PRIVATE KEY-----
<===PRIVATE KEY HERE===>
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
<===CA CERTIFICATE HERE===>
-----END CERTIFICATE-----

sso.pem
-----BEGIN RSA PRIVATE KEY-----
<===PRIVATE KEY HERE===>
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
<===CERTIFICATE HERE===>
-----END CERTIFICATE-----

sso-public.pem
-----BEGIN CERTIFICATE-----
<===CERTIFICATE HERE===>
-----END CERTIFICATE-----

NOTE: Some Certificate Authorities do not need CA certificate.
In this case you may copy file sso.pem to sso-ca.pem.

Verify and correct permissions. You may do that with commands chown and chmod:

~# chown sso:root /etc/sso/sso*.pem
~# chmod 400 /etc/sso/sso*.pem

After replacement sw-cp-server should be restarted:

~# /etc/init.d/sw-cp-server restart
Restarting SWsoft control panels server... stale pidfile. [ OK ]
~#

With the following command you may verify that new SSL certificate is used by SSO server:

~# openssl s_client -connect sso.server:11444
Was this answer helpful?

Also Read