
Is it possible to enable OCSP Stapling for a domain in Plesk?


Comments

8 comments

  • Andreas Schneider (Edited)

    Is "ssl_trusted_certificate /full/path/to/fullchain.pem;" really necessary?

    "The directory above is NOT needed to enable OCSP with Plesk if you have certificates setup for your domain."
    Source 1: https://community.letsencrypt.org/t/latest-le-extension-plesk-and-ocsp/31140/8
    Source 2: https://talk.plesk.com/threads/ocsp-stapling-with-letsencrypt-per-domain.343585/#post-828748 

    I tested the configuration without the directory and ssllabs.com says it works.

    Please update your tutorial if I'm right.

    Best regards
    Andreas

    Additional information: The Let's Encrypt Extension is installed in my Plesk... don't know if this makes a difference.

    1
  • Alexandr Redikultsev

    Hello, @Andreas Schneider!

    Thank you very much for your feedback.

    Yes, in the current implementation of Plesk this part is not required.

    I have adjusted the article, thank you again for noticing it!

    0
  • Lars Doe

    "it has to be assigned an IP"

    This doesn't seem to be necessary. I also didn't put the "SSLUseStapling" into the domain's additional directives, but into the same file as the "SSLStaplingCache".

    Test with SNI (-servername) is crucial:

    echo QUIT | openssl s_client -connect example.com:443 -servername example.com -status 2> /dev/null | grep -A 17 'OCSP'

     

    0
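A scripted version of the SNI check from the comment above, added here as an example and not part of the original thread: `classify_stapling` turns `openssl s_client -status` output into a single verdict. The function names, verdict words and sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify `openssl s_client -status` output.

# Reads s_client output on stdin and prints one verdict word.
classify_stapling() {
    awk '
        /OCSP response: no response sent/ { none = 1 }
        /OCSP Response Status:/           { resp = $4 }  # successful, trylater, ...
        /Cert Status:/                    { cert = $3 }  # good, revoked, unknown
        END {
            if (none)                      print "not-stapled"
            else if (resp == "")           print "no-ocsp-section"
            else if (resp != "successful") print "responder-error:" resp
            else if (cert == "")           print "stapled-no-cert-status"
            else                           print "stapled-" cert
        }'
}

# Live check: the command from the comment, with SNI via -servername.
check_host() {
    echo QUIT | openssl s_client -connect "$1:443" -servername "$1" \
        -status 2>/dev/null | classify_stapling
}

# Constructed, trimmed sample outputs so the example runs offline.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  1 00:00:00 2024 GMT
    Next Update: Jan  8 00:00:00 2024 GMT'
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent'
SAMPLE_REVOKED='OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: revoked
    Revocation Time: Jan  2 00:00:00 2024 GMT'
SAMPLE_TRYLATER='OCSP Response Data:
    OCSP Response Status: trylater (0x3)'

for s in "$SAMPLE_STAPLED" "$SAMPLE_NONE" "$SAMPLE_REVOKED" "$SAMPLE_TRYLATER"; do
    printf '%s\n' "$s" | classify_stapling
done
```

Run `check_host example.com` against a live server; nginx fetches the OCSP response lazily, so the first handshake after a reload can report `not-stapled` and the check should be repeated.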
  • Alexandr Nikolaenko

    Hello @Jan!

    Yes, it is required to remove all manually added entries regarding OCSP stapling before applying the automated solution via the "SSL It!" extension.

    0
  • Cfaessler

    Dear Plesk Supporter

    This seems to be a tutorial for CentOS.
    We have servers that use Debian.

    What is the equivalent for "/etc/httpd/conf.d/ssl.conf" in the directory "/etc/apache2/conf.d/" if there is no file ssl.conf?

    Best regards

    Cyrill Fässler
    System Operator

    hosttech GmbH

    0
  • Alexandr Redikultsev

    Hello @Lars Doe.

     

    Thank you very much for the feedback, I have made some adjustments to the article based on it.

    0
  • Jan

    Do I have to revert my manual setup, from before?

    I have now installed the extension, but from the previous guide, this is my current config in nginx.conf:

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/trustchain.pem;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 10s;

    0
  • Alexandr Redikultsev

    Hello @Cfaessler.

    As far as I can see, on Debian it should be the /etc/apache2/mods-enabled/ssl.conf file.

    0
