Resolution

NOTE: This article is for Virtuozzo 2.6x/3.x/4.x systems with Parallels Plesk Control Panel 7x./8.x/9.x Containers.

For the details on  Virtuozzo 3.x/2.6.x version please follow this procedure.
For the details on  Virtuozzo 3.x/4.x version and Plesk 7.x/8.x/9.x please follow this procedure.

If Parallels Plesk Panel (hereafter Plesk) is installed inside a Parallels Virtuozzo Containers (hereafter Virtuozzo) container and offline management is turned on for that container then all requests to Plesk Panel port 8443 are being intercepted by a Virtuozzo Service Container. So that if you set your own SSL certificate for Plesk Panel with "Secure Control Panel" option, this certificate will not be used but a default SSL certificate installed inside a Virtuozzo Service Container will be used.

If you want to set up a separate SSL certificate into a container with Plesk:


For Virtuozzo 3.x/2.6.x version you may use the following instructions:

Let assume we have the container #101 with IP address '192.168.1.1' and hostname "plesk.example.com".

1. Take SSL certificate from the container #101, it is accessible as /vz/root/101/usr/local/psa/admin/conf/httpsd.pem file on a hardware node and split it to separate files 192.168.1.1.crt and 192.168.1.1.key files which contain certificate and private key parts accordingly. Place these files into a Service Container in /vz/root/1/etc/vzcp directory.

2. Add the following section in the end of /vz/root/1/etc/vzcp/httpd.conf file for the Virtuozzo 3.x:

<VirtualHost 192.168.1.1:8443>
ServerName "plesk.example.com"
ProxyPreserveHost On

RequestHeader set X_VZCP_API_VERSION 30000
RequestHeader set X_VZCP_PROXY_MODE 1
RequestHeader set X_VZCP_PSA_PORT 8443
RequestHeader set X_VZCP_PSA_PROTO https
RequestHeader set X_VZCP_PSA_BASE_URL /vz/cp/psa/frameset
RequestHeader set X_VZCP_PSA_NOSERV_URL /vz/cp/psa/noservice
RequestHeader set X_VZCP_PSA_RESTORE_URL /vz/cp/psa/restore_session
RequestHeader set X_VZCP_PSA_PASSWD_URL /vz/cp/restore-password

SSLEngine on
RewriteEngine on
RewriteRule ^/?$ /vz/cp/psa/frameset [R]
RewriteRule ^/vz/cp/?$ /vz/cp/psa/frameset [R]
RewriteRule ^/login\.php3.*$ /vz/cp/psa/frameset [R]
RewriteRule ^/(vz|psa|favicon.ico) - [L]
RewriteRule ^(/.*)$ http://%{SERVER_ADDR}:8880$1 [P,QSA]

SSLCertificateFile "/etc/vzcp/192.168.1.1.crt"
SSLCertificateKeyFile "/etc/vzcp/192.168.1.1.key"

SetEnv VZCP_PORT 8443
SetEnv VZCP_MODE_PLESK yes
SetEnv VZCP_PSA_BASE_URL /vz/cp/psa/frameset

ErrorDocument 502 "/vz/cp/psa/noservice"
</VirtualHost>

If you need to use CA Certificate, also add SSLCACertificatePath directive and specify the path to the file that contains CA Certificate.

NOTE: if you have Virtuozzo 2.6.2 installed please change X_VZCP_API_VERSION to 20602 so that the corresponding line looks like this:

RequestHeader set X_VZCP_API_VERSION 20602

3. You may set the ServerName or check that it is possible to resolve hostname by IP from inside a Service Container. You may add this line into /etc/hosts inside a Service Container if needed:

192.168.1.1 plesk.example.com

4. Restart the 'vzcp' service inside a Service Container:

For Virtuozzo 3.x and 4.x version and Plesk 7.x, 8.x and 9.x: please download attached ssl_cert_vzplesk.pl.gz file (see attachments in the bottom of article), extract and run it on Virtuozzo node and follow its instructions:


NOTE: the attached script is working correctly for Parallels Plesk Control Panel 7.x, 8.x, and 9.x.



For Virtuozzo 4.x version and Plesk 9.x you may also use this manual procedure:

In this example we assume that we have Virtuozzo Container #101 with hostname "plesk9.example.com" (where Plesk is installed), and with IP addresses "10.0.0.1" and "10.0.0.2".

1. It is necessary to obtain first SSL Certificate and Key for the Plesk Container #101, then please save them as file /etc/vzcp/plesk-$CTID.pem inside Service Container #1.

Example of its content:

[root@HW_NODE ~]# cat /vz/root/1/etc/vzcp/plesk-101.pem
-----BEGIN RSA PRIVATE KEY-----
...
key body here
...
-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE-----
...
certificate body here
...
-----END CERTIFICATE-----

2. /etc/vzcp/addon_httpd_conf/plesk9-ssl.conf file should be created inside Service Container with content like:

# cat /vz/root/1/etc/vzcp/addon_httpd_conf/plesk9-ssl.conf
<VirtualHost 10.0.0.1:8443 10.0.0.2:8443>
  ServerName plesk9.example.com

# mod_proxy must  send Host: field from client request to backend as-is
# This header used by psa apache for calculate some significant varibles like
# server_name
  ProxyPreserveHost On

# when turn SSLEnginge OFF, remember correct redirect cookie:
# VZCP_PSA_PROTO:http

 RequestHeader set X_VZCP_PROXY_MODE 1
# take care about sync "API" and functionality in xsl code.
        RequestHeader set X_VZCP_API_VERSION    30000
  RequestHeader set X_VZCP_PSA_PORT 8443
  RequestHeader set X_VZCP_PSA_PROTO https
  RequestHeader set X_VZCP_PSA_BASE_URL    /vz/cp/panel/plesk/frameset
  RequestHeader set X_VZCP_PSA_NOSERV_URL  /vz/cp/panel/plesk/noservice
  RequestHeader set X_VZCP_PSA_RESTORE_URL /vz/cp/panel/plesk/restore_session
  RequestHeader set X_VZCP_PSA_PASSWD_URL  /vz/cp/restore-password

 SSLEngine on
  SSLCertificateFile "/etc/vzcp/plesk-101.pem"
  SSLCertificateKeyFile "/etc/vzcp/plesk-101.pem"

 RewriteEngine on
  RewriteRule ^/?$ /vz/cp/panel/plesk/frameset [R]
  RewriteRule ^/vz/cp/?$ /vz/cp/panel/plesk/frameset [R]
  # For correct SSO work the next rule must be replaced by:
  # RewriteCond %{QUERY_STRING}  ^previous_page=login_up
  # RewriteRule ^/index\.php /vz/cp/panel/plesk/frameset [R]
  RewriteRule ^/login\.php3.*$ /vz/cp/panel/plesk/frameset [R]
  RewriteRule ^/(vz|psa|favicon.ico) - [L]
  RewriteRule ^(/.*)$ http://%{SERVER_ADDR}:8880$1 [P,QSA]

 SetEnv VZCP_PORT 8443
  SetEnv VZCP_MODE_PLESK yes
  SetEnv VZCP_PSA_BASE_URL /vz/cp/panel/plesk/frameset

 ErrorDocument 502 /vz/cp/panel/plesk/noservice
</VirtualHost>

3. This config file 'plesk9-ssl.conf' should be included in /vz/root/1/etc/vzcp/httpd.conf by the following line after including 'plesk.conf':

  Include /etc/vzcp/addon_httpd_conf/plesk9-ssl.conf

4. Restart Virtuozzo Control Panel service in order to apply changes: