SymptomsSSL certificates for certain domains are no longer trusted. In fact, any SSL certificate installed in Parallels Plesk Panel (PP) 11 with more than a single chain certificate on it is unable to load properly. The only way to fix this is to switch back to Apache using the "/usr/local/psa/admin/bin/nginxmng --disable" command.
CauseApache has an "SSLVerifyDepth" parameter with a default value of ten (10), which means that it will look for ten (10) CA (Chain) certificates. Nginx has a similar parameter, "ssl_verify_depth," but with a default value of one (1). Since Nginx is the front-end web server and it is set to one (1), it is not grabbing the additional CA certificates, thus causing a conflict with some browsers.
ResolutionThe issue has been fixed since version 11 MU#10; however, it may still affect certificates that were generated before the needed update was installed. In order to fix such certificates, run the following commands:
# wget http://kb.sp.parallels.com/Attachments/22393/Attachments/reload_ssl_certificate.zip
# unzip reload_ssl_certificate.zip
# php reload_ssl_certificate.php
The commands download an archived PHP script, unzip, and launch it.