If you run a web site with an SSL certificate, you are probably affected by the Heartbleed vulnerability that has just popped into general visibility. If your server is vulnerable, you need to do two things:
- Update openssl
- Replace your SSL certificate (since you have to assume that the certificate’s private key has been stolen).
Anyone in possession of your private key can a) impersonate your web site; and b) decrypt all past, present, and future traffic.
One little piece of the recovery is replacing the default certificate for your control panel. If you only have one server then clicking around in the control panel is OK. But if you have a lot of servers, that will quickly drive you bonkers.
Here is a shell script which will replace the default SSL certificate for Parallels Plesk Panel. The new certificate will be valid for 1095 days (three years). It will then use the new SSL certificate to secure the Plesk Panel itself.
#!/bin/bash -x
# replace the default Plesk SSL cert and use the new cert to secure Plesk Panel itself
# YourCountry = US or whatever 2-character ISO code
# YourState = your state or province spelled out
# YourEmailAddress = [email protected]
if [ -d /etc/psa ]
then
    cd /var/tmp || exit 1
    # keep the new private key readable by root only while it sits in /var/tmp
    umask 077
    # 2048-bit RSA key and a self-signed certificate valid for 1095 days (three years)
    openssl genrsa 2048 > privkey.pem
    openssl req -new -x509 -batch \
        -subj "/C=YourCountry/ST=YourState/L=YourCity/O=YourCompany/CN=$(hostname)/emailAddress=YourEmailAddress" \
        -key privkey.pem -out cert.pem -days 1095
    # register the certificate in Plesk, make it the default and use it for the admin panel
    /usr/local/psa/bin/certificate --create default-$(date +%Y-%m-%d) \
        -admin -default -key-file privkey.pem \
        -cert-file cert.pem
    # sw-cp-server (the panel's own web server) reads cert and key from this single file
    cat cert.pem privkey.pem > /opt/psa/admin/conf/httpsd.pem
    service sw-cp-server restart
    rm privkey.pem cert.pem
fi
I have tested this on Ubuntu 12.04 LTS with Parallels Plesk Panel 11.5 and 11.0.
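An added follow-up check (my example, not part of the post above or of Plesk's tooling): after the script has run, it confirms that httpsd.pem holds exactly one certificate and one private key, that the key really belongs to that certificate, that the lifetime is the 1095 days requested, and prints the fingerprint the panel presents on port 8443 next to the bundle's own so you can see whether sw-cp-server picked up the new certificate. It assumes only the openssl CLI and GNU date; the BUNDLE variable and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the post: sanity-check the httpsd.pem bundle that the
# script above writes, then compare it with what the panel presents on 8443.
# Assumes only the openssl CLI and GNU date (for `date -d`).
BUNDLE="${BUNDLE:-/opt/psa/admin/conf/httpsd.pem}"

# Print "<certs> <keys>"; a correct bundle holds exactly one of each.
pem_counts() {
    echo "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1") $(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$1")"
}

# Succeed only if the key in the file belongs to the certificate in the file;
# openssl reads past the other PEM block to find the object it is asked for.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Whole days between notBefore and notAfter; the script above asks for 1095.
cert_lifetime_days() {
    nb=$(date -d "$(openssl x509 -in "$1" -noout -startdate | cut -d= -f2)" +%s)
    na=$(date -d "$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)" +%s)
    echo $(( (na - nb) / 86400 ))
}

# SHA-256 fingerprint of the certificate in a PEM file.
bundle_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 fingerprint of whatever the panel presents on 8443 (needs network).
served_fingerprint() {
    openssl s_client -connect "${1:-localhost}:8443" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Fail on a malformed bundle, then show both fingerprints for comparison:
# if they differ, sw-cp-server is still serving the pre-Heartbleed certificate.
check_bundle() {
    [ "$(pem_counts "$1")" = "1 1" ] || { echo "need exactly 1 cert + 1 key in $1"; return 1; }
    key_matches_cert "$1" || { echo "private key in $1 does not match its certificate"; return 1; }
    echo "lifetime: $(cert_lifetime_days "$1") days"
    echo "bundle fingerprint: $(bundle_fingerprint "$1")"
    echo "served fingerprint: $(served_fingerprint "${2:-localhost}")"
}

# Only run when the Plesk bundle is present, so the functions can also be sourced.
if [ -f "$BUNDLE" ]; then check_bundle "$BUNDLE" "${1:-localhost}"; fi
```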
Hindrik says
Hi!
I replaced my web certificate for customers. But I didn’t replace the default certificate. Where do I have to paste this script? Never done it before.
Greets Hindrik
Art Zemon says
Hindrik,
If you just have a small number of servers, it is easy to log into Plesk as “admin” and click on Tools & Settings -> SSL Certificates -> Add Certificate. From that page, you can create a new self-signed certificate. Once you have created the new certificate, return to Tools & Settings -> SSL Certificates. On that page, you can make the new certificate the default and you can secure the Plesk Panel with the new certificate.
My shell script is helpful if you have to update the certificates on a lot of Plesk panels and do not want to do each manually.
— Art Z.