Symptoms

A website cannot be opened in a browser - it gets redirected from HTTP to HTTPS and fails to load.

Cause

Redirection rules are set in a webserver configuration file or the code in the index file is calling itself with HTTPS.

Or

It could be a subdomain created for a branded domain after an upgrade to Parallels Operations Automation (POA) 5.5.

The "Strict-Transport-Security" header was added to branding_htaccess.tmpl in POA 5.5 as part of hardening against man-in-the-middle (MITM) attacks.

You can check this under the webspace of the brand:

# grep includeSubDomains /usr/local/pem/vhosts/100002/webspace/httpsdocs/.branding_htaccess
header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

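"Strict-Transport-Security" is an additional security enhancement that makes browsers rewrite all HTTP requests for the domain to HTTPS, including requests to its subdomains when "includeSubDomains" is defined. A browser applies the policy only after it has received the header over HTTPS, and then remembers it for the "max-age" period.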

This can also affect a Sitebuilder if the access URL is a subdomain of the brand:

http://sitebuilder.brandeddomain.com gets redirected to https://sitebuilder.brandeddomain.com

As a result, customers cannot access their sites through the Customer Control Panel > "Edit in Parallels Plesk Sitebuilder", as HTTPS access is not configured for Sitebuilder sites.

  • In some cases, you can reproduce the issue by opening https://brandeddomain.com in a browser at least once (otherwise redirection will not occur for subdomains).
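
The subdomain effect described above, as an added example (not part of the original article or of POA): a small parser for the header value that reports whether a browser which has already visited the brand over HTTPS would switch a given host to HTTPS. The function names are hypothetical; the header value and host names are the ones shown in this article.

```python
def parse_hsts(value):
    """Parse a Strict-Transport-Security header value (RFC 6797, section 6.1).

    Returns (max_age, include_subdomains), or None if the header is invalid
    and a browser would ignore it.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()        # directive names are case-insensitive
        if name in directives:             # a repeated directive invalidates the header
            return None
        directives[name] = arg.strip().strip('"')
    max_age = directives.get("max-age", "")
    if not (max_age.isascii() and max_age.isdigit()):  # max-age is required
        return None
    return int(max_age), "includesubdomains" in directives


def forced_to_https(policy_host, header_value, request_host):
    """True if a browser that received header_value over HTTPS from policy_host
    rewrites http://request_host to https:// before sending the request."""
    policy = parse_hsts(header_value)
    if policy is None:
        return False
    max_age, include_subdomains = policy
    if max_age == 0:                       # max-age=0 tells the browser to drop the policy
        return False
    policy_host = policy_host.lower().rstrip(".")
    request_host = request_host.lower().rstrip(".")
    if request_host == policy_host:
        return True
    # Subdomains are covered only when includeSubDomains was present.
    return include_subdomains and request_host.endswith("." + policy_host)


# Header value as shown in .branding_htaccess; host names are the article's examples.
BRAND_HEADER = "max-age=31536000; includeSubDomains"

if __name__ == "__main__":
    for host in ("brandeddomain.com", "sitebuilder.brandeddomain.com"):
        print(host, forced_to_https("brandeddomain.com", BRAND_HEADER, host))
    # Same policy without includeSubDomains: the Sitebuilder subdomain stays on HTTP.
    print(forced_to_https("brandeddomain.com", "max-age=31536000",
                          "sitebuilder.brandeddomain.com"))
```
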

This issue is confirmed as a software-related issue with the ID POA-82508.

Resolution

Correct the redirection in the webserver configuration files or the code of the file accessed by the website.

For subdomains of a branded domain: issue #POA-82508 has been fixed in POA 5.5 update 6.
