“Updates and Upgrades”-Tool (8447) doesn’t work with ECDHE-ECDSA certificate
I changed the certificate that secures Plesk. The new certificate is an ECDHE-ECDSA certificate, the default Plesk certificate is an RSA certificate. I’ve noticed that parallels_installer is not reachable on port 8447 (after clicking on “Updates and Upgrades” in “Tools & Settings”), in combination with the new ECDHE-ECDSA certificate. parallels_installer is started, listens on port 8447, doesn’t write any error to any log file and everything seems to be ok. But the web browsers say “ERR_SSL_VERSION_OR_CIPHER_MISMATCH” (Vivaldi/Chrome) and “SSL_ERROR_NO_CYPHER_OVERLAP” (Firefox). No cipher is accepted, I’ve tested all available from OpenSSL. After I killed all parallels_installer instances and switched the certificate back to Plesk’s default certificate, the following ciphers are accepted: AES256-GCM-SHA384, AES256-SHA256, AES256-SHA, CAMELLIA256-SHA, DES-CBC3-SHA, AES128-GCM-SHA256, AES128-SHA256, AES128-SHA, CAMELLIA128-SHA.
The Plesk administration GUI, available on port 8443, works fine with my ECDHE-ECDSA certificate.
My system: Ubuntu 14.04 x86-64, Plesk 12.5.30 Update #41
I think this is a bug in parallels_installer. I did not find a bug reporting system for Plesk 12, therefore I reported it here.
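Added example, not part of the post above and not Plesk code: a small classifier, based on OpenSSL's cipher naming convention, showing that every cipher the post reports as accepted with the default certificate needs an RSA server key, so none of them remains usable once an ECDSA certificate is installed. The `ECDSA_SAMPLE` list and all function names are constructed for illustration; the installer's actual cipher configuration is not shown on this page.

```python
# Cipher names copied from the post above (accepted on 8447 with the RSA certificate).
REPORTED_WITH_RSA_CERT = [
    "AES256-GCM-SHA384", "AES256-SHA256", "AES256-SHA", "CAMELLIA256-SHA",
    "DES-CBC3-SHA", "AES128-GCM-SHA256", "AES128-SHA256", "AES128-SHA",
    "CAMELLIA128-SHA",
]
# Constructed sample: suites a listener would also need to offer for an ECDSA key.
ECDSA_SAMPLE = ["ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES128-GCM-SHA256"]

NO_CERT = ("PSK", "ADH", "AECDH")      # no certificate key authenticates the server
EPHEMERAL = ("ECDHE", "DHE", "EDH")    # key exchange prefix, auth method follows
SIGNED_BY = ("RSA", "ECDSA", "DSS")


def required_key(cipher):
    """Key type an OpenSSL-named suite needs in the server certificate.

    Returns 'RSA', 'ECDSA', 'DSS', 'ANY' (TLS 1.3), 'NONE' (PSK/anonymous)
    or 'OTHER' (static DH/ECDH, SRP). Covers the common OpenSSL names only.
    """
    name = cipher.upper()
    if name.startswith("TLS_"):        # TLS 1.3 suites do not encode the key type
        return "ANY"
    parts = name.split("-")
    if parts[0] in NO_CERT:
        return "NONE"
    if parts[0] in EPHEMERAL:
        auth = parts[1] if len(parts) > 1 else ""
        if auth in SIGNED_BY:
            return auth
        return "NONE" if auth in NO_CERT else "OTHER"
    if parts[0] in ("ECDH", "DH", "SRP"):
        return "OTHER"
    # No key-exchange prefix (e.g. AES256-SHA): static RSA key exchange and auth.
    return "RSA"


def usable_with(cert_key, ciphers):
    """Subset of `ciphers` a server holding a `cert_key` certificate can negotiate."""
    return [c for c in ciphers if required_key(c) in (cert_key, "ANY")]


if __name__ == "__main__":
    print("RSA cert  :", usable_with("RSA", REPORTED_WITH_RSA_CERT))
    print("ECDSA cert:", usable_with("ECDSA", REPORTED_WITH_RSA_CERT))
    print("ECDSA cert, list extended:",
          usable_with("ECDSA", REPORTED_WITH_RSA_CERT + ECDSA_SAMPLE))
```

An empty result for the ECDSA case is consistent with the browsers' "no cipher overlap" errors; whether this is the cause on a given host has to be confirmed against the listener's real cipher list.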
We’ve released Let’s Encrypt Extension 2.7.2: https://ext.plesk.com/packages/f6847e61-33a7-4104-8dc9-d26a0183a8dd-letsencrypt
Changelog:
2.7.2 (17 January 2019)
[*] In Plesk for Linux 17.8 and later, the extension now supports issuing ECDSA certificates. To have the extension issue certificates signed with ECDSA, add the following lines to the panel.ini file:
[ext-letsencrypt]
key-algorithm = ECDSA
ecdsa-curve-name = prime256v1 ; can be omitted
—
IG