Article ID: 6138, created on Mar 13, 2009, last review on Mar 16, 2015

  • Applies to:
  • Plesk 9.x for Linux/Unix

Symptoms

SSO server (sso.server) is registered in Parallels Plesk Panel (PP) 9 and SSO mode is enabled.
You may check this with the PP utility sso:

~# /usr/local/psa/bin/sso --get-prefs
SSO on
sso server url: https://sso.server:11443
sso relay url: https://sso.server:11444
~#

A valid SSL certificate issued by a trusted certificate authority is installed in Parallels Plesk Panel.
However, the following error is shown on the Parallels Plesk Panel login page:

Secure Connection Failed

sso.server:11444 uses an invalid security certificate.

The certificate is not trusted because it is self signed.

(Error code: sec_error_ca_cert_invalid)

    * This could be a problem with the server's configuration, or it could be someone trying to impersonate the server.

    * If you have connected to this server successfully in the past, the error may be temporary, and you can try again later.

Or you can add an exception…


Why is this?

Cause

Because Parallels Plesk Panel is in SSO mode, the login page (http://plesk.host.name:8443) is redirected to the SSO server, and http://sso.server:11444 is opened instead. The SSL certificate installed on the SSO server is loaded first, and only then the SSL certificate installed in Parallels Plesk Panel. By default, a self-signed SSL certificate is installed on the SSO server.

Even if a valid SSL certificate is installed in Parallels Plesk Panel, the browser is presented with the self-signed SSL certificate of the SSO server first.

Using the instructions below, you may install a valid SSL certificate on the SSO server.

Resolution

The SSL certificate that is used by the SSO server is located in the directory /etc/sso:

~# ls -l /etc/sso
total 16
-rw------- 1 sso  root 2198 Feb 20 13:23 sso-ca.pem
-rw-r--r-- 1 root root  774 Nov 11 14:04 sso_config.ini
-rw------- 1 sso  root 2198 Feb 20 13:19 sso.pem
-rw------- 1 sso  root 1155 Feb 20 13:16 sso-public.pem
~#

Before replacement, back up the old SSL certificates, just in case:

~# cp -rp /etc/sso /etc/sso.old

Save the domain SSL certificate to the file CRT.pem; save the Certificate Authority (CA) certificate to CA.pem; and save the Private Key to KEY.pem:

CRT.pem
-----BEGIN CERTIFICATE-----
   <===CERTIFICATE HERE===>
-----END CERTIFICATE-----


KEY.pem
-----BEGIN RSA PRIVATE KEY-----
   <===PRIVATE KEY HERE===>
-----END RSA PRIVATE KEY-----


CA.pem
-----BEGIN CERTIFICATE-----
 <===CA CERTIFICATE HERE===>
-----END CERTIFICATE-----


Before installation, it is recommended that you verify that the Private Key matches the domain SSL certificate. This means that the Private Key is the one that was used to generate the Certificate Signing Request (CSR) from which the Certificate Authority generated the domain SSL certificate, CRT.pem.

Note that if the SSL certificate was installed with a different Private Key, then it is invalid.

To get the md5 of the Private Key's modulus:

~# openssl rsa -noout -modulus -in KEY.pem | openssl md5
1ef3c35a4baabdff594f78831dc882c4
~#

 ... and for the SSL certificate:

~# openssl x509 -noout -modulus -in CRT.pem | openssl md5
1ef3c35a4baabdff594f78831dc882c4
~#

If the two md5 values are identical, then the Private Key and SSL certificate match each other.

To verify that the CA certificate matches the domain SSL certificate:

~# openssl verify -verbose -CAfile CA.pem CRT.pem
CRT.pem: OK
~#

Copy the text from CRT.pem, CA.pem, and KEY.pem to the certificate files:

sso-ca.pem
-----BEGIN RSA PRIVATE KEY-----
   <===PRIVATE KEY HERE===>
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
 <===CA CERTIFICATE HERE===>
-----END CERTIFICATE-----


sso.pem
-----BEGIN RSA PRIVATE KEY-----
   <===PRIVATE KEY HERE===>
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
   <===CERTIFICATE HERE===>
-----END CERTIFICATE-----


sso-public.pem
-----BEGIN CERTIFICATE-----
   <===CERTIFICATE HERE===>
-----END CERTIFICATE-----


NOTE: Some Certificate Authorities do not need the CA certificate.
In this case, you may copy the file sso.pem to sso-ca.pem.

Verify and correct permissions. You may do this with the commands chown and chmod:

~# chown sso:root /etc/sso/sso*.pem
~# chmod 400 /etc/sso/sso*.pem


After replacement, sw-cp-server should be restarted:

~# /etc/init.d/sw-cp-server restart
Restarting SWsoft control panels server... stale pidfile.  [  OK  ]
~#

With the following command, you may verify that the new SSL certificate is used by the SSO server:

~# openssl s_client -connect sso.server:11444
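
The checks and the file layout from the steps above can be combined into one shell function, shown here as an added example that is not part of the original article. The function name build_sso_certs, its return codes and the staging directory are assumptions of this example; like the article, it assumes an RSA key.

```shell
#!/bin/sh
# Added example (not from the original article).
# Usage: build_sso_certs CRT.pem KEY.pem CA.pem STAGING_DIR
# STAGING_DIR is an assumption of this example: the files are built there so
# that /etc/sso is only touched after every check has passed.
build_sso_certs() {
    crt=$1; key=$2; ca=$3; out=$4

    # Key/certificate match. The moduli are compared directly instead of
    # piping into "openssl md5": if openssl cannot parse a file, the pipe
    # would hash empty input on both sides and report a false match.
    key_mod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null) || return 1
    crt_mod=$(openssl x509 -noout -modulus -in "$crt" 2>/dev/null) || return 1
    if [ -z "$key_mod" ] || [ "$key_mod" != "$crt_mod" ]; then
        echo "private key does not match certificate" >&2
        return 2
    fi

    # CA/certificate match, the same openssl verify check as in the article.
    # The result is read from the "<file>: OK" output line.
    if ! openssl verify -CAfile "$ca" "$crt" 2>/dev/null | grep -q ': OK$'; then
        echo "certificate does not verify against CA file" >&2
        return 3
    fi

    # Assemble the three files in the layout the article gives. umask 077
    # keeps the key unreadable to other users even before chmod runs.
    mkdir -p "$out" || return 4
    (
        umask 077
        cat "$key" "$crt" > "$out/sso.pem" &&
        cat "$key" "$ca"  > "$out/sso-ca.pem" &&
        cat "$crt"        > "$out/sso-public.pem" &&
        chmod 400 "$out"/sso*.pem
    ) || return 4
}
```

When the function returns 0, copy the staged files into /etc/sso, apply the chown command shown above, and restart sw-cp-server.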

Additional Information

How to generate self-sign SSL certificate for SSO server manually

Changing an SSL Certificate for SSO Service
