Search

Language:  
Search for:

  • Article for your preferred language does not exist. Below is international version of the article.
Available article translations:

How do I set the SSL certificate for Plesk installed inside a Virtuozzo container?

APPLIES TO:
  • Parallels Plesk
  • Parallels Virtuozzo Containers

Resolution

NOTE: This article is for Virtuozzo 2.6x/3.x/4.x systems with Parallels Plesk Control Panel 7x./8.x/9.x Containers. PVA (versions 4.5 and higher) is not supported.

For details on Virtuozzo 3.x/2.6.x version, please follow this procedure.
For details on Virtuozzo 3.x/4.x version and Parallels Plesk Panel 7.x/8.x/9.x, please follow this procedure.
For details on Parallels Plesk Panel 10, please follow this procedure.

If Parallels Plesk Panel (Plesk) is installed inside a Parallels Virtuozzo Containers (Virtuozzo) container and offline management is turned on for that container, then all requests to Plesk Panel port 8443 are intercepted by a Virtuozzo Service Container. If you set your own SSL certificate for Plesk Panel with the "Secure Control Panel" option, this certificate will not be used. Instead, a default SSL certificate installed inside a Virtuozzo Service Container will be used.

If you want to set up a separate SSL certificate into a container with Plesk:


For Virtuozzo 3.x/2.6.x version you may use the following instructions:

Lets assume we have container #101 with IP address '192.168.1.1' and hostname 'plesk.example.com.'


1. Obtain the SSL certificate from container #101. It is accessible as a /vz/root/101/usr/local/psa/admin/conf/httpsd.pem file on a hardware node, split into separate files (192.168.1.1.crt and 192.168.1.1.key files), which contain certificate and private key parts respectively. Place these files into a Service Container in the /vz/root/1/etc/vzcp directory.

2. Add the following section to the end of the /vz/root/1/etc/vzcp/httpd.conf file for the Virtuozzo 3.x:

<VirtualHost 192.168.1.1:8443>
ServerName "plesk.example.com"
ProxyPreserveHost On

RequestHeader set X_VZCP_API_VERSION 30000
RequestHeader set X_VZCP_PROXY_MODE 1
RequestHeader set X_VZCP_PSA_PORT 8443
RequestHeader set X_VZCP_PSA_PROTO https
RequestHeader set X_VZCP_PSA_BASE_URL /vz/cp/psa/frameset
RequestHeader set X_VZCP_PSA_NOSERV_URL /vz/cp/psa/noservice
RequestHeader set X_VZCP_PSA_RESTORE_URL /vz/cp/psa/restore_session
RequestHeader set X_VZCP_PSA_PASSWD_URL /vz/cp/restore-password

SSLEngine on
RewriteEngine on
RewriteRule ^/?$ /vz/cp/psa/frameset [R]
RewriteRule ^/vz/cp/?$ /vz/cp/psa/frameset [R]
RewriteRule ^/login\.php3.*$ /vz/cp/psa/frameset [R]
RewriteRule ^/(vz|psa|favicon.ico) - [L]
RewriteRule ^(/.*)$ http://%{SERVER_ADDR}:8880$1 [P,QSA]

SSLCertificateFile "/etc/vzcp/192.168.1.1.crt"
SSLCertificateKeyFile "/etc/vzcp/192.168.1.1.key"

SetEnv VZCP_PORT 8443
SetEnv VZCP_MODE_PLESK yes
SetEnv VZCP_PSA_BASE_URL /vz/cp/psa/frameset

ErrorDocument 502 "/vz/cp/psa/noservice"
</VirtualHost>

If you need to use a CA Certificate, also add a SSLCACertificatePath directive and specify the path to the file that contains the CA Certificate.

NOTE: if you have Virtuozzo 2.6.2 installed, please change X_VZCP_API_VERSION to 20602 so that the corresponding line looks like this:

RequestHeader set X_VZCP_API_VERSION 20602

3. You may set the ServerName or check if it is possible to resolve the hostname by IP from inside a Service Container. You may add this line into /etc/hosts inside a Service Container if needed:

192.168.1.1 plesk.example.com

4. Restart the 'vzcp' service inside a Service Container:

# vzctl exec 1 service vzcp restart



For Virtuozzo 3.x and 4.x version and Plesk 7.x, 8.x and 9.x: Download the attached ssl_cert_vzplesk.pl.gz file (see attachments at the end of the article). Extract and run it on the Virtuozzo node. Follow these instructions:

# gunzip ssl_cert_vzplesk.pl.gz
# ./ssl_cert_vzplesk.pl -h

NOTE: the attached script is working correctly for Parallels Plesk Control Panel 7.x, 8.x, and 9.x.



For Virtuozzo 4.x version and Plesk 9.x, you may also use this manual procedure:

In this example, we assume that we have Virtuozzo Container #101 with the hostname 'plesk9.example.com' (where Plesk is installed) and IP addresses '10.0.0.1' and '10.0.0.2.'

1. First, it is necessary to obtain the SSL Certificate and Key for the Plesk Container #101. Then save them as files /etc/vzcp/plesk-$CTID.pem inside Service Container #1.

Example of the content:

[root@HW_NODE ~]# cat /vz/root/1/etc/vzcp/plesk-101.pem
-----BEGIN RSA PRIVATE KEY-----
...
key body here
...
-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE-----
...
certificate body here
...
-----END CERTIFICATE-----

2. iA /etc/vzcp/addon_httpd_conf/plesk9-ssl.conf file should be created inside the Service Container with content such as below:


# cat /vz/root/1/etc/vzcp/addon_httpd_conf/plesk9-ssl.conf
<VirtualHost 10.0.0.1:8443 10.0.0.2:8443>
  ServerName plesk9.example.com

# mod_proxy must  send Host: field from client request to backend as-is
# This header used by psa apache for calculate some significant varibles like
# server_name
  ProxyPreserveHost On

# when turn SSLEnginge OFF, remember correct redirect cookie:
# VZCP_PSA_PROTO:http

 RequestHeader set X_VZCP_PROXY_MODE 1
# take care about sync "API" and functionality in xsl code.
        RequestHeader set X_VZCP_API_VERSION    30000
  RequestHeader set X_VZCP_PSA_PORT 8443
  RequestHeader set X_VZCP_PSA_PROTO https
  RequestHeader set X_VZCP_PSA_BASE_URL    /vz/cp/panel/plesk/frameset
  RequestHeader set X_VZCP_PSA_NOSERV_URL  /vz/cp/panel/plesk/noservice
  RequestHeader set X_VZCP_PSA_RESTORE_URL /vz/cp/panel/plesk/restore_session
  RequestHeader set X_VZCP_PSA_PASSWD_URL  /vz/cp/restore-password

 SSLEngine on
  SSLCertificateFile "/etc/vzcp/plesk-101.pem"
  SSLCertificateKeyFile "/etc/vzcp/plesk-101.pem"

 RewriteEngine on
  RewriteRule ^/?$ /vz/cp/panel/plesk/frameset [R]
  RewriteRule ^/vz/cp/?$ /vz/cp/panel/plesk/frameset [R]
  # For correct SSO work the next rule must be replaced by:
  # RewriteCond %{QUERY_STRING}  ^previous_page=login_up
  # RewriteRule ^/index\.php /vz/cp/panel/plesk/frameset [R]
  RewriteRule ^/login\.php3.*$ /vz/cp/panel/plesk/frameset [R]
  RewriteRule ^/(vz|psa|favicon.ico) - [L]
  RewriteRule ^(/.*)$
http://%{SERVER_ADDR}:8880$1 [P,QSA]

 SetEnv VZCP_PORT 8443
  SetEnv VZCP_MODE_PLESK yes
  SetEnv VZCP_PSA_BASE_URL /vz/cp/panel/plesk/frameset

 ErrorDocument 502 /vz/cp/panel/plesk/noservice
</VirtualHost>


3. The config file 'plesk9-ssl.conf' should be included in /vz/root/1/etc/vzcp/httpd.conf with the following line after including 'plesk.conf':

  Include /etc/vzcp/addon_httpd_conf/plesk9-ssl.conf

4. Restart the Virtuozzo Control Panel service in order to apply changes:

# vzctl exec2 1 service vzcp restart






Power Panel does not work with Plesk 10.x.  
 
This part of Offline Management must be disabled as stated in the Plesk Deployment Guide.



Attachments:


909d99074e442b52ce54cc7b31cf065d c81e59b61af9dca603ba03b14aabe968 56797cefb1efc9130f7c48a7d1db0f0c 2897d76d56d2010f4e3a28f864d69223

FEEDBACK
Was this article helpful?
Tell us how we may improve it.
Yes No
 
 
 
 
 
 
Desktop Virtualization
- Parallels Desktop 9 for Mac
- Parallels Transporter
- Parallels Desktop Switch to Mac Edition
- Parallels Desktop for Mac Enterprise Edition
- Parallels Management-Mac for Microsoft SCCM
Server Virtualization
- Parallels Cloud Server
- Parallels Containers for Windows 6.0 Beta
- Parallels Virtuozzo Containers
Automation
- Parallels Automation
- Parallels Automation for Cloud Infrastructure
- Parallels Business Automation Standard
- Parallels Virtual Automation
- Parallels Plesk Panel Suite
- Web Presence Builder
- Parallels Plesk Automation
- Parallels Small Business Panel
- Value-added Services for Hosters
- Parallels Partner Storefront
Services & Resources
- Cloud Acceleration Services
- Professional Services
- Support Services
- Training & Certification