How to Generate a CSR and Install an SSL in Plesk

Pre-Flight Check

  • This article is specifically intended for generating a Certificate Signing Request and installing a standard SSL certificate on a Windows server running Plesk.
  • We’ll walk through ordering the SSL via Liquid Web’s Manage interface, but you can use the CSR you generate in Plesk to purchase an SSL from the vendor of your choice.
  • If your Windows server is running Plesk 12.5 or higher, you can check out our tutorial on Using Let’s Encrypt SSL Certificates with Plesk 12.5.

Step #1: Generate a Certificate Signing Request in Plesk

  1. Log into Plesk.
  2. Select Domains from the main menu and click on the domain name to access its settings page.
  3. Click on SSL Certificates to bring up the SSL certificate page:

    WinPleskSSL1

  4. Now click the blue Add SSL Certificate button:

    WinPleskSSL2

  5. Fill out the request form and then press the Request button:

    WinPleskSSL3

    While the fields are self-explanatory, pay special attention to these three required fields:

    • Certificate name: This is how the certificate will be displayed in Plesk. To make it easier to identify later, you’ll likely want to use the domain name.
    • Domain name: If you want your SSL certificate to cover the domain with and without the “www”, you must enter the “www” version here.
      • A certificate for www.yourdomainname.com will cover both yourdomainname.com and www.yourdomainname.com.
      • A certificate for yourdomainname.com will only apply to yourdomainname.com.
    • Email: Plesk will email the CSR and details to this address, although we will walk through retrieving the CSR directly from Plesk in the next step.
  6. Upon submitting the form, you’ll be redirected to the domain’s SSL Certificates page. Click on the certificate name (“Sample” in this example) to return to the certificates page, where you’ll be able to copy the CSR:

    WinPleskSSL4

  7. On the SSL Certificates page for the domain, scroll down to the section labeled CSR, and copy all the text contained in that field:

    WinPleskSSL5

    Important: Leave this window up, as you will return to it once you have ordered and obtained the certificate. You will paste the certificate into the Upload the certificate as text field just above the CSR section on this same page.

Step #2: Order the SSL Certificate in Manage

  1. In a new browser window or tab, log into your Liquid Web Manage dashboard.
  2. Click on the Create button near the top left of the page and select SSL Certificate:

    WinPleskSSL6

  3. On the Order an SSL Certificate page, paste the CSR you copied from Plesk into the Certificate Signing Request (CSR) field.

    WinPleskSSL7

    The CSR Details section will populate with the information you entered in Plesk.

    • Review the CSR details. If you need to correct any errors, go back to Step One and re-generate the CSR.
    • Select the length of time for which you’d like the certificate to be valid.
    • Select a Verification Method. Typically you will want to leave this set to “Automatic”.
    • Click the Purchase SSL Certificate button to order the certificate and have it charged to your card on file.

Step #3: Verify and Obtain your SSL Certificate

  1. Your SSL certificate is accessible from your Manage dashboard.
    • Click on Overview in the left menu of your Manage dashboard.
    • Click on SSL Certificates under the Services section.
    • Click the [ + ] button next to the domain name to expand the window.
    • Click the Dashboard button to access the SSL dashboard.
  2. If automatic verification was successful, you will see a green button next to Verified in the Status column. If automatic verification failed, follow the instructions for verifying the SSL via DNS record, HTML meta tag, or email at Installing an SSL Certificate.
  3. Once the certificate status is displayed as Verified, click the link labeled X509 Certificate to pop up a window containing the certificate. You will need to copy the contents of the certificate in that popup before returning to your Plesk browser window or tab.
    Important: Leave this window up, as you may need to return to it to copy and paste the Intermediate Bundle from this screen into the CA Certificate field in Plesk.

    WinPleskSSL8

Step #4: Install the SSL Certificate in Plesk

  1. Now return to the Plesk browser window or tab you left open in Step #1, and paste the certificate into the Upload the certificate as text field just above the CSR.

    If the CA certificate does not fill in automatically, you will need to copy the Intermediate Bundle from the Manage browser window or tab you left open in Step #3 into the CA certificate field.

    WinPleskSSL9

  2. Now click the Upload Certificate button to add the certificate.

Step #5: Configure the Domain to Use SSL

Now that the SSL certificate is uploaded, all that remains is to enable SSL support for the domain.

  1. In the Plesk menu, click on Websites & Domains.
  2. Click on the domain name.
  3. Click on Hosting Settings.
  4. Scroll down to the Security section, select the certificate to use and check the box next to SSL support.

    WinPleskSSL9

 

Is Your cPanel Server Protected Against CVE-2016-0800 (DROWN)?

Overview

A new flaw has been found in the Secure Sockets Layer version 2.0 (SSLv2) protocol. An attacker could theoretically exploit this vulnerability to bypass RSA encryption, even when connecting via a newer protocol version, if the server also supports the older SSLv2 standard.

Impact

As a result of several similar but unrelated vulnerabilities, including POODLE, most server administrators already have removed support for SSLv2 and other weak ciphers. For instance, cPanel removed SSLv2 support on core services by default beginning with version 11.44 in 2014.

Servers running older, End-of-Life operating systems may still support SSLv2.

Test: Does Your Server Support SSLv2?

To test whether your web server supports SSLv2, you can run this command from a terminal on a Linux or Mac OS X, substituting your domain name for the example below:

openssl s_client -connect www.yourdomainname.com:443 -ssl2

If the server is not vulnerable, the output of that command should include “ssl handshake failed” as seen in the example below. Note that your output will be different, but as long as you see ssl handshake failed somewhere in the output, you’re protected:

[root@host]# openssl s_client -connect www.yourdomainname.com:443 -ssl2
CONNECTED(00000003)
95090:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59/src/ssl/s2_pkt.c:427:

You can test SSLv2 support on other services by substituting the secure http port (443 in the command above), with the appropriate port for the service you’re testing (note that these are the default ports; if you’ve changed the port a service runs on, you’ll want to use that value):

  • WHM: 2087
  • cPanel: 2083
  • Secure SMTP (Exim): 465
  • Secure IMAP: 993
  • Secure POP3: 995
  • Secure Webmail: 2096
  • Secure WebDisk: 2078

If you’re using a different operating system or are otherwise unable to check the server directly, you also may visit a test site such as drownattack.com and enter your site’s URL into the test field.

If your server fails any of the tests listed above and you’re not able to update cPanel to the latest version, feel free to contact Heroic Support® for assistance.
 

How to Install Varnish on Fedora 21

Varnish is a proxy and cache, or HTTP accelerator, designed to improve performance for busy, dynamic web sites. By redirecting traffic to static pages whenever possible, varnish reduces the number of dynamic page calls, thus reducing load.

Pre-Flight Check
  • These instructions are intended specifically for installing the Varnish on Fedora 21.
  • I’ll be working from a Liquid Web Self Managed Fedora 21 server with HTTPD and PHP already installed, configured, and running, and I’ll be logged in as root.

Continue reading “How to Install Varnish on Fedora 21”

How to Install Varnish on Fedora 20

Varnish is a proxy and cache, or HTTP accelerator, designed to improve performance for busy, dynamic web sites. By redirecting traffic to static pages whenever possible, varnish reduces the number of dynamic page calls, thus reducing load.

Pre-Flight Check
  • These instructions are intended specifically for installing the Varnish on Fedora 20.
  • I’ll be working from a Liquid Web Self Managed Fedora 20 server with HTTPD and PHP already installed, configured, and running, and I’ll be logged in as root.

Continue reading “How to Install Varnish on Fedora 20”

How to Disable SSLv3 for Exim and Protect Your WHM/cPanel Server from POODLE

Your Guide to POODLE and WHM/cPanel
I. How to Disable SSLv3 for Apache and Protect Your WHM/cPanel Server from POODLE
II. How to Disable SSLv3 for Exim and Protect Your WHM/cPanel Server from POODLE

There’s a new POODLE in town, but unfortunately it’s not the kind of pooch you want around. POODLE stands for Padding Oracle On Downgraded Legacy Encryption. It’s an exploit that, although not considered to be as serious as Heartbleed, is one that should still be protected against. For more information read the Google Blog.

Fortunately, protecting your WHM/cPanel server is easy. Just follow the steps below:

Continue reading “How to Disable SSLv3 for Exim and Protect Your WHM/cPanel Server from POODLE”

How to Install Varnish 4 on CentOS 7

Varnish is a proxy and cache, or HTTP accelerator, designed to improve performance for busy, dynamic web sites. By redirecting traffic to static pages whenever possible, varnish reduces the number of dynamic page calls, thus reducing load.

Pre-Flight Check
  • These instructions are intended specifically for installing the Varnish on CentOS 7.
  • I’ll be working from a Liquid Web Self Managed CentOS 7 server, and I’ll be logged in as root.

Continue reading “How to Install Varnish 4 on CentOS 7”

How to Disable SSLv3 for Apache and Protect Your WHM/cPanel Server from POODLE

Your Guide to POODLE and WHM/cPanel
I. How to Disable SSLv3 for Apache and Protect Your WHM/cPanel Server from POODLE
II. How to Disable SSLv3 for Exim and Protect Your WHM/cPanel Server from POODLE

There’s a new POODLE in town, but unfortunately it’s not the kind of pooch you want around. POODLE stands for Padding Oracle On Downgraded Legacy Encryption. It’s an exploit that, although not considered to be as serious as Heartbleed, is one that should still be protected against. For more information read the Google Blog.

Fortunately, protecting your WHM/cPanel server is easy. Just follow the steps below:

Continue reading “How to Disable SSLv3 for Apache and Protect Your WHM/cPanel Server from POODLE”

How to Create a Self-Signed SSL Certificate on CentOS

An SSL certificate is an electronic ‘document’ that is used to bind together a public security key and a website’s identity information (such as name, location, etc.) by means of a digital signature. The ‘document’ is issued by a certificate provider such as GlobalSign, Verisign, GoDaddy, Comodo, Thawte, and others. For more information, visit the article: What is an SSL Certificate?

In this article we’re going to be covering how to create a self-signed SSL certificate and assign it to a domain in Apache. Self-signed SSL certificates add security to a domain for testing purposes, but are not verifiable by a third-party certificate provider. Thus, they can result in web browser warnings.

Pre-Flight Check
  • These instructions are intended for creating a self-signed SSL certificate and assigning it to a domain in Apache.
  • I’ll be working from a Liquid Web Core Managed CentOS 6.5 server, and I’ll be logged in as root.

Continue reading “How to Create a Self-Signed SSL Certificate on CentOS”

How to Create a Self-signed SSL Certificate on Ubuntu

An SSL certificate is an electronic ‘document’ that is used to bind together a public security key and a website’s identity information (such as name, location, etc.) by means of a digital signature. The ‘document’ is issued by a certificate provider such as GlobalSign, Verisign, GoDaddy, Comodo, Thawte, and others. For more information, visit the article: What is an SSL Certificate?

In most cases you’ll usually want to use a browser trusted SSL certificate, so a self-signed may not be what you need. In those cases you should buy an SSL from a provider, or get yourself setup with a LetsEncrypt SSL. However, there are times when you just need the SSL for the security provides your connection. In these cases you can generate a self-signed SSL to secure the connection, the only caveat being that you’ll have to accept an SSL warning when you load. Continue reading “How to Create a Self-signed SSL Certificate on Ubuntu”

Update and Patch OpenSSL on Ubuntu for the CCS Injection Vulnerability

What is OpenSSL?

OpenSSL is a common cryptographic library which provides encryption, specifically SSL/TLS, for popular applications such as Apache (web), MySQL (database), e-mail, virtual private networks (VPNs), and more.

What is “the CCS Injection Vulnerability”?

The ChangeCipherSpec (CCS) Injection Vulnerability is a moderately severe vulnerability in OpenSSL, known formally as “SSL/TLS MITM vulnerability (CVE-2014-0224)“. As of June 05, 2014, a security advisory was released by OpenSSL.org, along with versions of OpenSSL that fix this vulnerability.

What are the risks?

This vulnerability is likely not as severe as the Heartbleed Bug. In some circumstances, this flaw allows an attacker to conduct a man-in-the-middle attack on servers running vulnerable versions of OpenSSL. The attacker would be required to intercept and alter network traffic, and do so in real time, to exploit the flaw; in that case, the attacker could potentially view and/or modify the otherwise secured traffic.

What should you do?
  • Update OpenSSL and reboot your server immediately.
  • After the server has been rebooted, change all passwords associated with the server.
Pre-Flight Check
  • These instructions are intended for patching OpenSSL on Ubuntu 12.04 against the “SSL/TLS MITM vulnerability (CVE-2014-0224)“.
  • I’ll be working from a Liquid Web Core Managed Ubuntu 12.04 server, and I’ll be logged in as root.

Continue reading “Update and Patch OpenSSL on Ubuntu for the CCS Injection Vulnerability”