From Just another day in the life of a linux sysadmin
Jump to navigation Jump to search

One of the most important things to keep in mind when working on an account that uses the Plesk control panel is that Plesk is (essentially) a single, giant database. This means that while some command-line activity is ok, some activities - such as DNS edits and updates to the form or function of a domain - can only be performed from within the control panel environment; failure to observe this process will likely cause the server to behave erratically (in rare cases) or suffer catastrophic failure (much more likely to happen).

Please be careful when beginning to work on a Plesk on Linux server. You should always be checking this account when entering SSH, and it is strongly encouraged to make this a habit just like checking 'who' when you first login:

  cat /usr/local/psa/version


  plesk -v


  plesk version

Due to the amount of customization that a user can place on a Plesk control panel, it is not uncommon to see a Plesk 9, Plesk 10, and Plesk 11 installation look very similar to an inexperienced or new technician. So please, save yourself (and SysRes) the time and headache: check your version and add that information to your phone log/ ticket note/ admin note for the account.


Restart Plesk via Command Line

Restart via CLI

If CentOS 7:

  systemctl restart psa.service

If CentOS 6

  service psa restart

If CentOS 5

/etc/init.d/psa restart

Plesk Key

Checking Plesk Key

grep 'key-number' /etc/sw/keys/keys/key*

Plesk Passwords

To find the passwords for the Plesk panel

cat /etc/psa/.psa.shadow

Displays the Plesk password unhashed (does not work on Plesk Onyx)

# /usr/local/psa/bin/admin --show-password

Reset Plesk password for the admin account

# /usr/local/psa/bin/init_conf -u -passwd <new_password>

Admin login link

In new versions of Plesk (Onyx and up), the 'show password' functionality has been removed. Instead, Plesk will provide you with a one-time login link that you can provide to the customer (Please do not test the link, as it is one-time-use!).

You can retrieve the link by doing the following:

  plesk login $username

This will show something like:

However, should you attempt the old method, Plesk will helpfully point out the error of your ways:

  [root@plesk ~]#  /usr/local/psa/bin/admin --show-password
  Due to security reasons the option '-show-password' is no longer supported. Use '--get-login-link' to generate a one-time login link.

User Password Compromised

If an SSH password for a Plesk domain needs to be changed, do it in:

 Domains (or Websites & Domains) > > Web Hosting Access

Plesk accounts can have subaccounts with SSH access called Web Users. If a Web User password needs to be changed, do it here:

 Domains (or Websites & Domains) > > Web users (under Show Advanced Options)

Plesk File Locations

Here are the locations of the main Plesk files:

Main Apache Conf


The main configuration file containing paths to utilities, services and packages used by Panel:


The initialization script for opening and closing services during server startup and shutdown procedures:


Panel database:


Backup files:


Parallels also has a knowledge base article available with LOTS of locations for log and config files, as well as how to stop/start various services often running on Plesk:

There are also a few printable posters that show locations of logs, config files, etc.

Plesk Logs

Log file information and locations located here:

Plesk Document root Structure

This is the basic document structure for Plesk

 /anon_ftp			Anonymous FTP files
 /cgi-bin			CGI SCRIPTS
 /conf				Configuration Files
 /error_docs			Error Message Files
 /etc				Chroot Environ
 /httpdocs			HTTP Documents
 /pd				Passwords for .htpasswd/Other Passwords
 /private			Private File Storage For the User
 /anon_ftpstat		        Stats on Anonymous FTP Usage
 /ftpstat		        Stats on Regular FTP Usage
 /logs			        VHOST logs
 /webstat	                HTTP stats
 /webstat-ssl                    HTTPS stats
 /usr				Chroot Environment	
 /web_users			Users For this area
 /subdomains			Directory For Subdomains

Plesk Mail

On Linux mailboxes are stored in directory specified in value to parameter PLESK_MAILNAMES_D in configuration file /etc/psa/psa.conf. By default the path is /var/qmail/mailnames (for both Qmail and Postfix). To change location of mailboxes, follow instructions provided in KB article #6312.

Qmail (deprecated)

Qmail has been deprecated, so you will likely only see this on older, end-of-life installations.

Please outline to any Qmail users the benefits of upgrading Plesk! If you're in a rush, the log is located here:


Run this to verify what mail handler you're using:

 /usr/local/psa/admin/sbin/mailmng --features |grep SMTP_Server

There is a lot of very specific information available in the Qmail wiki.


Postfix is a full-featured MTA for Plesk - we do not support it on any other platform.

There is a large amount of information that can be found in the: Postfix wiki.

Run this to verify Postfix is running:

 /usr/local/psa/admin/sbin/mailmng --features |grep SMTP_Server

If you need to review the mail log files, the newer versions of Plesk have it here:


And the older servers may still have it here:


You can check the Plesk logfile wiki for more full paths and locations:

 Plesk logfile wiki

Looking for Outgoing Spam

The php_maillog should be enabled on all our Plesk on linux servers now, so you can first check that here:


Here is a one-liner (provided by afortman) that should help in grabbing you the helpful information:

 egrep -o "\/var\/www\/vhosts[^:]*" /var/log/php_maillog|sort|uniq -c|sort -rnk1|head

Checking for most email from authenticated users:

egrep sasl_username /usr/local/psa/var/log/maillog |awk '{print $9}'|sort |uniq -c|sort -n|tail -n5

More information about looking for spam is in the Postfix wiki (Coming Soon)

Mail Restore/Migrate

Tips & Tricks for migrating restoring plesk can be found here: Plesk_to_cPanel_Migrations#Email


Apache Configuration

Domain vhosts

One of the first things that you will likely notice when trying to troubleshoot Apache on Plesk, is that it does not structure it's domain configurations/vhosts like cPanel/EA3 does. Plesk's /etc/httpd/conf/httpd.conf is what you would expect to see on a core-managed server. The domain vhosts are located in the following configuration file:


In older versions of Plesk, the files were located under /var/www/vhosts/$DOMAIN.TLD/

If one were to ls -lah this directory, one would see something similar to the following:

  -rw------- 1 root apache  6.7K Jan 30 17:50 httpd.conf
  -rw------- 1 root apache  6.7K Jan 30 17:50 httpd.conf.bak
  lrwxrwxrwx 1 root root      10 Jan 30 17:50 last_httpd.conf -> httpd.conf
  lrwxrwxrwx 1 root root      10 Jan 30 17:50 last_nginx.conf -> nginx.conf
  -rw------- 1 root nginx   3.8K Jan 30 17:50 nginx.conf
  -rw------- 1 root nginx   3.8K Jan 30 17:50 nginx.conf.bak
  drwxr-xr-x 2 root root    4.0K Jan 30 17:50 siteapp.d
  -rw-r--r-- 1 root root       2 Feb  3 03:26 stat_ttl.conf

These local configuration files are similar to cPanel's main httpd.conf, as they are automatically generated, and should not be edited manually. They are called from the following file:


If for any reason you find that these files have been corrupted, or were not removed after a domain/webspace was, and Apache will no longer start, you can run the following:

  /usr/local/psa/admin/bin/httpdmng --reconfigure-all

This is very similar to the cPanel /scripts/rebuildhttpdconf script.

Apache's MPM

Plesk 12 made it easier to change the MPM, but unfortunately Worker is no longer available.

You can check the currentl MPM with:

 httpd -V | grep -i mpm

This can be also be checked and updated through Plesk, in Tools & Settings > in the Apache Web Server

Configuring Apache status

Validating (Working on getting this updated)

Some servers do not allow you to view Apache's status by default. There are some changes you may need to make. First you may need to install the links package or something similar.

[root@host ~]# /etc/init.d/httpd fullstatus
The 'links' package is required for this functionality.

Simply install links or if that is not available, elinks should work as well.

yum install links

From here you may receive a 404 error.

[root@host ~]# /etc/init.d/httpd fullstatus
                                   Not Found

   The requested URL /server-status was not found on this server.


    Apache Server at localhost Port 80

This just means you need to uncomment the /server-status location in Apache's configuration file. Don't forget to back up that file first.

cp -a /etc/httpd/conf/httpd.conf{,.lwbak}

Then find and uncomment the following code in that file.

<Location /server-status>
   SetHandler server-status
   Order deny,allow
   Deny from all
   Allow from

Change to ::1 localhost or you will probably receive a 403 Forbidden Error.

<Location /server-status>
   SetHandler server-status
   Order deny,allow
   Deny from all
   Allow from ::1 localhost

As always make sure you restart Apache so your changes take effect.

/etc/init.d/httpd restart

And you should be good to go. If you don't see that code in httpd.conf, I (CKelley) usually add it to an include file inside of /etc/httpd/conf.d/. I usually call the file status.conf. I believe this primarily affects Plesk 12. Also in these examples, make sure that ExtendedStatus is set to On. If it isn't you will only see the scoreboard and other information for the individual Apache processes along with information for FCGI, but you won't actually see the connections being made within Apache and you will see the following message inside an Apache fullstatus.

To obtain a full report with current status information you need to use the ExtendedStatus On directive.

CentOS 7

This too needs to be updated

Because of systemd, there is no longer an init script we can use for Apache so we have to use apachectl to view fullstatus.

apachectl fullstatus

You may still need to install the links package and set up the server-status location as listed above.

Distilling Changes to the httpd.conf

Sometimes you just need to reconfigure the Apache conf

/usr/local/psa/admin/bin/httpdmng --reconfigure-all

Apache version

The Apache version is tied directly to the CentOS version, and can not just be upgraded.

Plesk does not support Apache 2.4 on CentOS 6. ( ) If the customer needs Apache 2.4 they will need to migrate to a CentOS 7 server, then migrate their data to it.


  1. This section is in progress:

mod_status is an Apache module that outputs current server status, along with requests currently being processed. It is installed and set up by default on cPanel boxes, but not on Plesk.

Enabling it on Plesk is pretty simple. It's likely already installed, just not enabled. You can enable it by creating this file:

In Onyx: /etc/httpd/conf.d/status.conf

Edit: This was listed previously. Leaving just in case. /etc/httpd/conf.modules.d/status.conf

<IfModule mod_status.c>
<Location /server-status>
SetHandler server-status
Order deny,allow
Deny from all
Allow from localhost ip6-localhost
ExtendedStatus On

and restarting Apache.


 All relevant PHP information has been relocated for your sanity.


MySQL functions in a nearly identical capacity on a Plesk server as it does on a cPanel server, but there are indeed a few differences. For the sake of simplicity, all Plesk-related MySQL information can be found here:

 Plesk on Linux - MySQL


FTP is served by xinetd, but depends on the /etc/proftpd.conf file for configuration options. For instance, if you wanted to allow root FTP login to your Plesk machine, you would need to take a good look at yourself in the mirror and then decide not to do it.

Plesk Backups

Plesk handles backups almost entirely from the control panel. While you can certainly access some or all of the information from the command-line, it is highly recommended to perform all needed actions from the GUI.

Tools & Settings > Tools & Resources > Backup Manager

Server-level backup configuration and listing.

Domains > > Backup Manager

Domain-level backup configuration and listing.

For either, clicking on the backup name link gets you into the Restore Tool menu. Here you can restore whole sites, directories, databases, DNS zones, individual files, etc. The main Plesk backup restore also has: Subscription, Mail Account, Database, and Mailing Lists.

All other backup information can be found and referenced here:

Plesk on Linux - Backups

Plesk CLI

Recover User password link. This will give a one time link for the customer to use to log into plesk and change their password.

plesk login <$USERNAME>

Change the language of the plesk panel:

plesk bin admin -u -locale en-US

View all Registered php handlers within plesk

plesk bin php_handler --list

List users using php handler (ID can go grabbed from the above command)

plesk bin php_handler --get-usage -id cgi
plesk bin php_handler --get-usage -id fpm
plesk bin php_handler --get-usage -id fastcgi
plesk bin php_handler --get-usage -id plesk-php54-fpm
plesk bin php_handler --get-usage -id plesk-php55-fpm
plesk bin php_handler --get-usage -id plesk-php56-fpm

Plesk Installations & Upgrades

If you simply need to upgrade Plesk to the latest current minor revision or add a module (such as a new webmail type), you can do this on any Plesk box 9.0 and later:


You can also upgrade Plesk through the Plesk panel, and these are generally safe to upgrade, from 11 to 12, and from 12 to 17 (CentOS 6.x and higher)

 Plesk > Tools & Settings > Updates and Upgrades, then click Install or Upgrade Product to upgrade the Plesk version

One some new Plesk nginx kicks, you may see a rather large red error in the Plesk panel, like so:

Internal error ;-P    [<---yes, it actually says this]

<!DOCTYPE html>
<html lang="en">
    <meta charset="utf-8">
    <meta http-equiv="x-ua-compatible" content="ie=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
    <title>502 Bad Gateway</title>
    <link rel="stylesheet" href="/error_docs/styles.css">
    <div class="page">
      <div class="main">
        <div class="error-description">
          <h1>Server Error</h1>
          <div class="error-code">502</div>
          <h2>Bad Gateway</h2>
          <p class="lead">Web server received an invalid response while acting as a gateway or proxy server.</p>
          <p>If you think this is an error, please <a href="" target="_blank">let us know</a> so we can fix it!</p>
          <p>That's what you can do</p>
          <div class="help-actions">
            <a href="javascript:location.reload();">Reload Page</a>
            <a href="javascript:history.back();">Back to Previous Page</a>
            <a href="/">Home Page</a>
        <div class="help-links">
          <a href="" class="help-link" title="Report a problem" target="_blank">
            <div class="icon report"><svg><use xlink:href="/error_docs/symbols.svg#report"></use></svg></div>
          <a href="" class="help-link" title="Documentation" target="_blank">
            <div class="icon documentation"><svg><use xlink:href="/error_docs/symbols.svg#documentation"></use></svg></div>
          <a href="" class="help-link" title="Knowledge base" target="_blank">
            <div class="icon knowledge-base"><svg><use xlink:href="/error_docs/symbols.svg#knowledge-base"></use></svg></div>
          <a href="" class="help-link" title="Forum" target="_blank">
            <div class="icon forum"><svg><use xlink:href="/error_docs/symbols.svg#forum"></use></svg></div>
          <a href="" class="help-link" title="YouTube" target="_blank">
            <div class="icon youtube"><svg><use xlink:href="/error_docs/symbols.svg#youtube"></use></svg></div>
          <a href="" class="help-link" title="Facebook" target="_blank">
            <div class="icon facebook"><svg><use xlink:href="/error_docs/symbols.svg#facebook"></use></svg></div>
    <script defer src="/error_docs/svgxuse.min.js"></script>

This can be fixed with a simple service sw-engine restart from the command-line or an uninstall/reinstall of nginx in Plesk > Tools & Settings > Updates and Upgrades.

If you need further assistance, or are trying to install Plesk for the first time on a server, please refer to the installation and upgrade wiki.

Plesk Licenses - upgrading and replacing

Currently Plesk 12, and Onyx are supported, while Plesk 11 and earlier are EOL. If a customer is still running Plesk 11 or earlier, suggest upgrading.

Plesk 8 and 9 used a specific license structure, while 10 and above use a completely different license setup. Please refer to the Plesk License wiki for additional information.

Web Pro is now the standard license, and offers more features for the customer. If you're working on a Web Admin server for any reason, please update the license per the above wiki link!

NOTE: You will be forced to upgrade the license when upgrading to Plesk 10.x+ for the first time.

Plesk SSL Management & Installation

Plesk has no native AutoSSL equivalent, but Let's Encrypt can be added via Extensions (left menu bar) and works for both domain and hostname SSLs!

Generating A CSR

You can perform the following command:

openssl req -new -nodes -keyout mydomain.key -out domain.csr

This will create the CSR and private key. Keep owned by root.

You can also generate the CSR from Plesk

 by clicking the 'Request' button while adding a new Certificate for the domain.  Remember to change the Certificate Name at the top, so you know what SSL to enable later.

Installing an SSL for a domain

When you have the SSL you would like to install

 Domains (or Websites & Domains) > $domain.tld > SSL Certificates 

You will have the option to either select a current SSL to update, or Add SSL Certificate. After selecting the SSL (or new cert) you can "Upload certificate files" or "Upload certificate as text."

After installing the SSL, you will need to tell Plesk what certificate to use, and you can do this in:

 Domains (or Websites & Domains) > $domain.tld > Hosting Settings, in the Security section.

Installing an SSL for Plesk Services

This guide will help you install a Trusted (purchased) SSL for Plesk core services (PSA,IMAP,POP,SMTP).

Generate CSR and Purchase Certificate.

 Tools & Settings > SSL Certificates > Add SSL Certificate

Fill out necessary information to generate CSR and KEY - Please ensure that you set "Domain name" to the servers hostname

Install the Certificate

Tools & Settings > SSL Certificates, then select the SSL you created earlier Add the Certificate and CA certificate from the issuer, and click Upload Certificate

 If this is Onyx (17), you can click the [Change] link next to: Certificate for securing Plesk  and: Certificate for securing mail, then select the certificate to use
 If this is 12.5, you can click on the checkbox for the certificate you want to use, then click Secure Plesk
 This does not cover the mail connections, just the panel connections, so there are a few more steps to finish

Installing the certificate for securing mail (12.5)

SSH into the server then verify the server is using Postfix:

 /usr/local/psa/admin/sbin/mailmng --features | grep SMTP_Server

Then back up the files we need to replace, /etc/postfix/postfix_default.pem and /etc/dovecot/private/ssl-cert-and-key.pem :

 cp /etc/postfix/postfix_default.pem /etc/postfix/postfix_default.pem.bak
 cp /etc/dovecot/private/ssl-cert-and-key.pem /etc/dovecot/private/ssl-cert-and-key.pem.bak

For Courier, the files should be /usr/share/imapd.pem and /usr/share/pop3d.pem:

cp -a /usr/share/imapd.pem{,.bak}
cp -a /usr/share/pop3d.pem{,.bak}

After backing up these files, we need to replace the certificate details in them. The files should look kinda like the following except the actual characters where [CONTENTS] is. Key, Cert, then CA bundle:

 -----END PRIVATE KEY-----

Then restart the services to finish:

 systemctl restart postfix.service
 systemctl restart psa.service
 /usr/local/psa/admin/sbin/mailmng --restart-service

For Courier:

service courier-imapd restart
service courier-pop3d restart

Ports and Networking

Plesk Firewalls

APF Firewall

Automated Installer

  wget -O /scripts/
  chmod +x /scripts/

This script will automatically configure the right ports open in the firewall before starting it, avoiding the constant issue of Plesk crashing when closing their license ports

Plesk Firewall Module

In Plesk 12:

Plesk -> Tools & Settings -> Updates & Upgrades -> Add/Remove Components

You can add the "Firewall" Module and "Fail2Ban" but at this time it looks like these can not be used to manually block ip's and don't integrate with CSF.

In older versions of Plesk:

Run the Plesk installation and upgrade tool either inside Plesk in the 'updates' section or via command line the installer tool or from the command line:

/usr/local/psa/admin/bin/modulemng --install --file=/opt/modules/firewall.rpm

Edit the firewall from Modules > Firewall > Edit Firewall Configuration

Plesk Networking

Here are the basic ports needed for Plesk:

PLESK PANEL::TCP 8443, 8880
VPN::UDP 1194
HTTP::TCP 80,443
SMTP::TCP 25,465
POP3::TCP 110,995
IMAP::TCP 143,993
MySQL::TCP 3306
Postgres::TCP 5432
Licensing Server::TCP 5224
BIND::UDP 53::TCP 53

The full list of ports from Plesk:

Plesk Health Monitor

We have a few commands/logs/conf files to help with the Health Monitor



Services Stop:

/etc/init.d/sw-collectd stop


/etc/init.d/sw-collectd start


/etc/init.d/sw-collectd restart