
Resolved OCSP Stapling for the Plesk Panel

Lloyd_mcse

Hi guys,
I've been thinking about adding OCSP to the Plesk Panel, but I wasn't sure of the best way to do it.
I think I could just add the directives to...

Code:
/etc/sw-cp-server/conf.d/plesk.conf

Or I was thinking I could add these directives to a file called

Code:
/etc/sw-cp-server/conf.d/ocsp.inc

and add a link in the plesk.conf file, eg...

Code:
include conf.d/*ocsp.inc;

I have decided to go with the latter and it's all working.
So that's great: HSTS and OCSP are enabled on my Plesk port. I use one domain for Plesk.

I'm using Ubuntu 12.04.4 LTS and Plesk 11.5.30 #37.

I hope this helps someone else.
Regards

Lloyd
 
To add a bit more to this, the file /etc/sw-cp-server/conf.d/ocsp.inc contains...

Code:
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/certs/Domain_CA.pem;
    resolver 8.8.4.4 8.8.8.8 valid=300s;
    resolver_timeout 10s;

And Domain_CA.pem contains...

Code:
the domain's intermediate certificate
the domain's root certificate

In that order.
I hope it helps.
Regards

Lloyd
 
With the introduction of Let's Encrypt to Plesk and the fact that the cert changes every 60 days... how would you suggest implementing OCSP?

The latest version of the Let's Encrypt Extension 2.0.2 Release 29 adds their certificates to a directory...
/usr/local/psa/var/modules/letsencrypt/etc/live/yourdomainname.tld

The name remains the same throughout certificate renewals.

I have added the following into the nginx additional directives; however, it isn't working. I replaced domain.tld with my actual domain.tld. I also validated that these files exist at the specified locations.

Code:
ssl_certificate /usr/local/psa/var/modules/letsencrypt/etc/live/domain.tld/fullchain.pem;
ssl_certificate_key /usr/local/psa/var/modules/letsencrypt/etc/live/domain.tld/privkey.pem;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.4.4 8.8.8.8 valid=300s;
resolver_timeout 10s;
 
Hi Walter,

Please be aware that this thread is about "OCSP Stapling for the Plesk Panel", and in addition for "Plesk 11.x for Linux"

... and not for your domain-specific nginx configuration files.


Even with Let's Encrypt certificates, the mentioned suggestion still works as described by @Lloyd_mcse for the Plesk Control Panel, and you would certainly use the domain-specific "chain.pem" for the definition at "ssl_trusted_certificate". ;)
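As an added example (not code from this thread or from Plesk), a small Python lint that applies the preconditions from Lloyd's ocsp.inc and from the follow-up about chain.pem to a flat nginx snippet: ssl_stapling needs a resolver, and ssl_stapling_verify needs an ssl_trusted_certificate bundle, which should hold the intermediate and root certificates. The two snippets are copied from the posts above; the PEM bundle and all function names are constructed here, with placeholder certificate bodies.

```python
import re

# One flat nginx directive per line: "name arg arg ...;" (text after '#' is a comment).
_DIRECTIVE = re.compile(r"^\s*([a-z_]+)\s+(.*?)\s*;\s*$")

# Constructed from the posts above: the panel's ocsp.inc and the domain snippet without a trust bundle.
PANEL_OCSP_INC = """
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/certs/Domain_CA.pem;
resolver 8.8.4.4 8.8.8.8 valid=300s;
resolver_timeout 10s;
"""
DOMAIN_SNIPPET = """
ssl_certificate /usr/local/psa/var/modules/letsencrypt/etc/live/domain.tld/fullchain.pem;
ssl_certificate_key /usr/local/psa/var/modules/letsencrypt/etc/live/domain.tld/privkey.pem;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.4.4 8.8.8.8 valid=300s;
resolver_timeout 10s;
"""
# Constructed two-certificate bundle (intermediate, then root); bodies are placeholders, not real certs.
TRUST_BUNDLE = ("-----BEGIN CERTIFICATE-----\nPLACEHOLDER-INTERMEDIATE\n-----END CERTIFICATE-----\n"
                "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-ROOT\n-----END CERTIFICATE-----\n")

def parse_directives(conf: str) -> dict:
    """Map directive name -> argument list for a flat snippet (no nested {} blocks)."""
    directives = {}
    for line in conf.splitlines():
        match = _DIRECTIVE.match(line.split("#", 1)[0])
        if match:
            directives[match.group(1)] = match.group(2).split()
    return directives

def lint_stapling(conf: str) -> list:
    """Return findings; an empty list means every stapling precondition is present."""
    d = parse_directives(conf)
    if d.get("ssl_stapling") != ["on"]:
        return ["ssl_stapling is not 'on'; nothing to check"]
    findings = []
    if "resolver" not in d:
        findings.append("resolver missing: nginx cannot look up the OCSP responder host")
    if d.get("ssl_stapling_verify") == ["on"] and "ssl_trusted_certificate" not in d:
        findings.append("ssl_trusted_certificate missing: with ssl_stapling_verify on, "
                        "nginx has no issuer chain to verify the OCSP response against")
    return findings

def count_pem_certs(bundle: str) -> int:
    """Count CERTIFICATE blocks in the trust bundle; intermediate plus root means at least two."""
    return len(re.findall(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", bundle, re.S))

if __name__ == "__main__":
    print("panel ocsp.inc:", lint_stapling(PANEL_OCSP_INC) or "ok")
    print("domain snippet:", lint_stapling(DOMAIN_SNIPPET) or "ok")
    print("certs in bundle:", count_pem_certs(TRUST_BUNDLE))
```

The domain snippet is reported for the missing ssl_trusted_certificate, which is the directive the reply above says to point at the domain's chain.pem.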
 