I've just discovered that with the T-WAF enabled for Plesk, attempting to set/modify an SSL certificate via admin->SSL Certificates fails with a "Forbidden - access denied for /plesk/certificate[*]/"
Basically, although it is possible to create a new certificate (Private key & CSR), it is then not possible to upload or paste the actual certificate and CA for it.
Disabling the T-WAF in the ASL gui, waiting 60 seconds or so for it to get really disabled (you'll have to login to Plesk again) resolves the problem - it is then possible to upload or paste the certificate and CA again.
I'm not seeing any errors in the GUI log (even down to level 2), nor in the Plesk admin error log.
NOTE: If, like me, you have also disabled Filemanager (/usr/local/psa/admin/[s]bin/filemngr) you will also have to re-enable it - it seems as though it gets used for actual admin stuff as well as for customer file management.
I've duplicated this issue on two systems, so it isn't a one off. Both are Plesk 10.4.4 MU40 with Centos 6 64-bit and asl-waf-module-3.0.32-1.el6.art.x86_64 and asl-3.0.32-1.el6.art.x86_64
Can someone else who has the T-WAF enabled please have a go to confirm my findings? You just need to create a bogus certificate (e.g. www.test.tld
) in the admin panel, then try to upload any old certificate and CA for it. It should fail with a Forbidden message.
I have NOT tested to see if the same issue applies to uploading certificates/CAs for individual domains (i.e. subscription/domain->control panel->ssl sertificate)