Applicable to:
- Plesk for Linux
Question
Is it possible to enable OCSP Stapling for a domain in Plesk?
Answer
For Plesk Onyx 17.8 and Obsidian for Linux
Note: This feature requires nginx to be installed and enabled: How to install and enable nginx reverse proxy on a Plesk for Linux server
Note: The certificate installed on the domain must contain both root certificate and all the intermediate certificates.
- Install the SSL It! extension from the Extensions menu.
- Navigate to Domains > example.com > Hosting Settings and make sure SSL/TLS support is enabled.
- Navigate to Domains > example.com > SSL/TLS Certificates.
- Click the OCSP Stapling button:
To enable OCSP stapling manually instead of through the SSL It! extension, in case nginx is used:
- Navigate to Plesk > Domains > example.com > Apache & nginx Settings and add the following configuration to the Additional nginx directives field:
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.4.4 8.8.8.8 valid=300s;
    resolver_timeout 10s;
The resolver directive is required because nginx looks up the OCSP responder hostname from the certificate's Authority Information Access extension at runtime; replace the Google addresses with your own resolver if outbound DNS to them is filtered. With ssl_stapling_verify on, nginx verifies the OCSP response against the certificate's issuer chain, which is why the certificate installed on the domain must include all intermediate certificates.
In case nginx is not installed, or not running:
- Connect to the server via SSH.
- Add the following line to the /etc/httpd/conf.d/ssl.conf file (this path is for CentOS/RHEL; on Debian/Ubuntu the equivalent file is /etc/apache2/mods-enabled/ssl.conf):
    SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
  SSLStaplingCache is only valid in the global server configuration, not inside a virtual host, which is why it goes into ssl.conf rather than into the domain's directives. Restart Apache after editing the file.
- Navigate to Plesk > Domains > example.com > Apache & nginx Settings and add the following configuration to the Additional directives for HTTPS field:
    SSLUseStapling on
In order to test whether OCSP stapling works properly on the domain, use the following command (the -servername option is required so that the virtual host's certificate, not the server default, is tested):
# echo QUIT | openssl s_client -connect example.com:443 -servername example.com -status 2>/dev/null | grep -A 17 'OCSP'
A working setup prints "OCSP Response Status: successful (0x0)" followed by "Cert Status: good". If the output contains "OCSP response: no response sent", the server is not stapling. nginx fetches the OCSP response only after the first handshake following a reload, so repeat the test once if the first attempt shows no response.
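The check above as an added example, not from the Plesk article: a POSIX shell script that runs the same openssl command with SNI and classifies the result (stapled and good, no staple, stapled but revoked or unsuccessful, or no OCSP section at all), so it can be used from monitoring rather than read by eye. The parser is exercised against constructed, trimmed copies of openssl s_client output embedded in the script; the function and variable names are my own.

```shell
#!/bin/sh
# Added example: classify the OCSP stapling result of `openssl s_client -status`.
# Not part of the Plesk article; function and sample names are assumptions.

# Classify captured s_client output. Prints one word and returns:
#   0 "good"    - stapled response, status successful, certificate status good
#   1 "none"    - server sent no stapled OCSP response
#   2 "bad"     - staple present but unsuccessful, or certificate not good
#                 (e.g. revoked); a monitoring check should treat this as failed
#   3 "unknown" - no OCSP section at all (handshake failed, wrong port, no SNI match)
ocsp_staple_status() {
    out="$1"
    if printf '%s\n' "$out" | grep -q '^OCSP response: no response sent'; then
        echo none; return 1
    fi
    if printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        if printf '%s\n' "$out" | grep -q 'Cert Status: good'; then
            echo good; return 0
        fi
        echo bad; return 2
    fi
    if printf '%s\n' "$out" | grep -q 'OCSP Response Status:'; then
        echo bad; return 2
    fi
    echo unknown; return 3
}

# Live check: the article's command, with -servername (SNI) so the virtual
# host's certificate rather than the server default certificate is tested.
check_stapling() {
    host="$1"
    port="${2:-443}"
    out=$(echo QUIT | openssl s_client -connect "$host:$port" -servername "$host" -status 2>/dev/null) || true
    ocsp_staple_status "$out"
}

# Constructed sample: a successful staple for a certificate in good standing.
SAMPLE_GOOD='CONNECTED(00000003)
OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  1 00:00:00 2024 GMT
    Next Update: Jan  8 00:00:00 2024 GMT
======================================'

# Constructed sample: stapling disabled, or nginx cache still empty after a reload.
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain'

# Constructed sample: the server staples a response saying the certificate is revoked.
SAMPLE_REVOKED='CONNECTED(00000003)
OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: revoked
    Revocation Time: Jan  2 00:00:00 2024 GMT
======================================'

# Usage: sh ocsp_check.sh example.com [port]
# Prints good/none/bad/unknown and exits with the matching code above.
if [ -n "$1" ]; then
    check_stapling "$1" "${2:-443}"
fi
```

Run it from cron or a monitoring agent against each domain and alert on any exit code other than 0; a "bad" result is a revoked or rejected certificate being advertised by your own server and should page, not just warn.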
Comments
8 comments
"it has to be assigned an IP"
This doesn't seem to be necessary. I also didn't put the "SSLUseStapling" into the domain's additional directives, but into the same file as the "SSLStaplingCache".
Test with SNI (-servername) is crucial:
echo QUIT | openssl s_client -connect example.com:443 -servername example.com -status 2> /dev/null | grep -A 17 'OCSP'
Hello @Lars Doe.
Thank you very much for the feedback. I have made some adjustments to the article based on it.
Dear Plesk Supporter
This seems to be a tutorial for CentOS.
We have servers that use Debian.
What is the equivalent for " /etc/httpd/conf.d/ssl.conf " in the directory " /etc/apache2/conf.d/ " if there is no file ssl.conf ?
Best regards
Cyrill Fässler
System Operator
hosttech GmbH
Hello @Cfaessler.
As far as I can see, on Debian it should be /etc/apache2/mods-enabled/ssl.conf file.
Is "ssl_trusted_certificate /full/path/to/fullchain.pem;" really necessary?
"The directory above is NOT needed to enable OCSP with Plesk if you have certificates setup for your domain."
Source 1: https://community.letsencrypt.org/t/latest-le-extension-plesk-and-ocsp/31140/8
Source 2: https://talk.plesk.com/threads/ocsp-stapling-with-letsencrypt-per-domain.343585/#post-828748
I tested the configuration without the directory and ssllabs.com says it works.
Please update your tutorial if I'm right.
Best regards
Andreas
Additional information: The Let's Encrypt Extension is installed in my Plesk...don't know if this makes a difference.
Hello, @Andreas Schneider!
Thank you very much for your feedback.
Yes, in the current implementation of Plesk this part is not required.
I have adjusted the article, thank you again for noticing it!
Do I have to revert my manual setup, from before?
I have now installed the extension, but from the previous guide, this is my current config in nginx.conf:
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/trustchain.pem;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 10s;
Hello @Jan!
Yes, it is required to remove all manually added entries regarding OCSP stapling before applying the automated solution via the "SSL It!" extension.