Is it possible to enable OCSP Stapling?


  • Lars Doe

    "it has to be assigned an IP"

    This doesn't seem to be necessary. I also didn't put the "SSLUseStapling" into the domain's additional directives, but into the same file as the "SSLStaplingCache".

    Test with SNI (-servername) is crucial:

    echo QUIT | openssl s_client -connect example.com:443 -servername example.com -status 2> /dev/null | grep -A 17 'OCSP'

  • Alexandr Redikultsev

    Hello @Lars Doe.

    Thank you very much for the feedback, I have made some adjustments to the article based on it.

  • Cfaessler

    Dear Plesk Supporter

    This seems to be a tutorial for CentOS.
    We have servers that use Debian.

    What is the equivalent for "/etc/httpd/conf.d/ssl.conf" in the directory "/etc/apache2/conf.d/" if there is no file ssl.conf?

    Best regards

    Cyrill Fässler
    System Operator

    hosttech GmbH

  • Alexandr Redikultsev

    Hello @Cfaessler.

    As far as I can see, on Debian it should be the /etc/apache2/mods-enabled/ssl.conf file.

  • Andreas Schneider (Edited)

    Is "ssl_trusted_certificate /full/path/to/fullchain.pem;" really necessary?

    "The directory above is NOT needed to enable OCSP with Plesk if you have certificates setup for your domain."
    Source 1: https://community.letsencrypt.org/t/latest-le-extension-plesk-and-ocsp/31140/8
    Source 2: https://talk.plesk.com/threads/ocsp-stapling-with-letsencrypt-per-domain.343585/#post-828748 

    I tested the configuration without the directory and ssllabs.com says it works.

    Please update your tutorial if I'm right.

    Best regards
    Andreas

    Additional information: The Let's Encrypt Extension is installed in my Plesk... don't know if this makes a difference.

  • Alexandr Redikultsev

    Hello, @Andreas Schneider!

    Thank you very much for your feedback.

    Yes, in the current implementation of Plesk this part is not required.

    I have adjusted the article, thank you again for noticing it!

  • Jan

    Do I have to revert my manual setup, from before?

    I have now installed the extension, but from the previous guide, this is my current config in nginx.conf:

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/trustchain.pem;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 10s;

  • Alexandr Nikolaenko

    Hello @Jan!

    Yes, it is required to remove all manually added entries regarding OCSP stapling before applying the automated solution via the "SSL It!" extension.

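A way to script the SNI check from Lars Doe's comment, for instance to confirm stapling still works after manual directives are removed. This is an added example, not part of the original thread; the function names `classify_stapling` and `check_host` and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the OCSP section of `openssl s_client -status` output.

# Constructed sample: server sent no stapled response.
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent
---'

# Constructed sample: server stapled a response (abridged, values made up).
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  1 00:00:00 2030 GMT
    Next Update: Jan  8 00:00:00 2030 GMT'

# Reads s_client output on stdin; prints not-stapled, stapled-<cert status>
# (good, revoked or unknown) or inconclusive (handshake failed, no OCSP section).
classify_stapling() {
    out=$(cat)
    case $out in
        *'OCSP response: no response sent'*)
            echo not-stapled ;;
        *'OCSP Response Status: successful'*)
            st=$(printf '%s\n' "$out" |
                sed -n 's/^[[:space:]]*Cert Status: \([a-z]*\).*/\1/p' | head -n 1)
            echo "stapled-${st:-unparsed}" ;;
        *)
            echo inconclusive ;;
    esac
}

# Live check; SNI (-servername) selects the right virtual host on shared IPs.
check_host() {
    echo QUIT | openssl s_client -connect "$1:${2:-443}" \
        -servername "$1" -status 2>/dev/null | classify_stapling
}

if [ $# -gt 0 ]; then
    check_host "$@"          # e.g. ./check.sh example.com
else
    printf '%s\n' "$SAMPLE_NONE" | classify_stapling
    printf '%s\n' "$SAMPLE_STAPLED" | classify_stapling
fi
```

A server that has just been restarted can report `not-stapled` on the first connection because nginx fetches the OCSP response lazily, so repeat the check before concluding stapling is off.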
