
Resolved OCSP Stapling for the Plesk Panel

Lloyd_mcse

Hi guys,
I've been thinking about adding OCSP to the Plesk Panel, but I wasn't sure of the best way to do it.
I think I could just add the directives to...

Code:
/etc/sw-cp-server/conf.d/plesk.conf

Or I was thinking I could add these directives to a file called

Code:
/etc/sw-cp-server/conf.d/ocsp.inc

and add a link in the plesk.conf file, e.g. ...

Code:
include conf.d/*ocsp.inc;

I have decided to go with the latter and it's all working.
So that's great: HSTS and OCSP are enabled on my Plesk port. I use one domain for Plesk.

I'm using Ubuntu 12.04.4 LTS and Plesk 11.5.30 #37

I hope this helps someone else.
Regards

Lloyd
 
To add a bit more to this, the file /etc/sw-cp-server/conf.d/ocsp.inc contains...

Code:
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/certs/Domain_CA.pem;
    resolver 8.8.4.4 8.8.8.8 valid=300s;
    resolver_timeout 10s;

And Domain_CA.pem contains...

Code:
the domain's intermediate certificate
the domain's root certificate

In that order.
I hope it helps.
Regards

Lloyd
 
With the introduction of Let's Encrypt to Plesk and the fact that the cert changes every 60 days... How would you suggest implementing OCSP?

The latest version of the Let's Encrypt Extension 2.0.2 Release 29 adds their certificates to a directory...
/usr/local/psa/var/modules/letsencrypt/etc/live/yourdomainname.tld

The name remains the same throughout certificate renewals.

I have added the following into the nginx additional directives... however, it isn't working. I replaced domain.tld with my actual domain.tld. I also validated that these files exist at the specified locations.

ssl_certificate /usr/local/psa/var/modules/letsencrypt/etc/live/domain.tld/fullchain.pem;
ssl_certificate_key /usr/local/psa/var/modules/letsencrypt/etc/live/domain.tld/privkey.pem;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.4.4 8.8.8.8 valid=300s;
resolver_timeout 10s;
 
Hi Walter,

Please be aware that this thread is about "OCSP Stapling for the Plesk Panel" and, in addition, about "Plesk 11.x for Linux"

... and not about your domain-specific nginx configuration files.


Even with Let's Encrypt certificates, the mentioned suggestion still works as described by @Lloyd_mcse for the Plesk Control Panel, and you would certainly use the domain-specific "chain.pem" for the definition at "ssl_trusted_certificate". ;)
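
To confirm that the panel really staples a response once the `ssl_stapling` directives from this thread are in place, the following is an added example, not code from any poster in the thread. It classifies the output of `openssl s_client -status`; the sample outputs are constructed, and the host passed to `check_panel` and the default port 8443 (the usual Plesk panel port) are assumptions.

```shell
#!/bin/sh
# Classify the OCSP section of `openssl s_client -status` output (stdin).
# Prints: good | revoked | unknown | none (no staple sent) | unparsed
staple_status() {
    awk '
        /OCSP response: no response sent/ { verdict = "none" }
        /OCSP Response Status:/           { ok = ($0 ~ /successful/) }
        /Cert Status:/ {
            sub(/^.*Cert Status:[ \t]*/, "")   # keep only the status word
            cert = $1
        }
        END {
            if (verdict == "none")      print "none"
            else if (ok && cert != "")  print cert
            else                        print "unparsed"
        }'
}

# Live check against a panel; host is supplied by the caller,
# port defaults to 8443 (assumed Plesk panel port).
check_panel() {
    host=$1; port=${2:-8443}
    openssl s_client -connect "$host:$port" -servername "$host" -status \
        </dev/null 2>/dev/null | staple_status
}

# Constructed sample: handshake where the server stapled a response.
sample_stapled() {
    cat <<'EOF'
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
EOF
}

# Constructed sample: handshake where stapling is off or not yet primed.
sample_unstapled() {
    cat <<'EOF'
CONNECTED(00000003)
OCSP response: no response sent
EOF
}

echo "stapled sample:   $(sample_stapled | staple_status)"
echo "unstapled sample: $(sample_unstapled | staple_status)"
```

nginx obtains the OCSP response lazily, so the first handshake after a reload can report `none`; repeat `check_panel` before concluding that stapling is off.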
 