• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Resolved OCSP Stapling for the Plesk Panel

Lloyd_mcse

Silver Pleskian
Plesk Guru
Hi guys,
I've been thinking about adding OCSP to the Plesk Panel, but I wasn't sure of the best way to do it.
I think I could just add the directives to...

Code:
/etc/sw-cp-server/conf.d/plesk.conf

Or I was thinking I could add these directives to a file called

Code:
/etc/sw-cp-server/conf.d/ocsp.inc

and add a link in the plesk.conf file, eg...

Code:
include conf.d/*ocsp.inc;

I have decided to go with the latter and it's all working.
So that's great, HSTS and OCSP enabled on my Plesk port, I use one domain for Plesk.

I'm using Ubuntu 12.04.4 LTS and Plesk 11.5.30 #37

I hope this helps someone else.
Regards

Lloyd
 
Last edited:
To add a bit more to this, the file /etc/sw-cp-server/conf.d/ocsp.inc contains...

Code:
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/certs/Domain_CA.pem;
    resolver 8.8.4.4 8.8.8.8 valid=300s;
    resolver_timeout 10s;

And Domain_CA.pem contains...

Code:
the domains Intermediate certificate
the domains Root Certificate

In that order.
I hope it helps.
Regards

Lloyd
 
With the introduction of Let's Encrypt to Plesk and the fact that the cert changes every 60 days... How would you suggest implementing OCSP?

The latest version of the Let's Encrypt Extension 2.0.2 Release 29 adds their certificates to a directory...
/usr/local/psa/var/modules/letsencrypt/etc/live/yourdomainname.tld

The name remains the same throughout certificate renewals.

I have added the following into the nginx additional directives... however, it isn't working. I replaced domain.tld with my actual domain.tld. I also validated that these files exist at the specified locations.

ssl_certificate /usr/local/psa/var/modules/letsencrypt/etc/live/domain.tld/fullchain.pem;
ssl_certificate_key /usr/local/psa/var/modules/letsencrypt/etc/live/domain.tld/privkey.pem;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.4.4 8.8.8.8 valid=300s;
resolver_timeout 10s;
 
Hi Walter,

pls. be aware, that this thread is about "OCSP Stapling for the Plesk Panel" and in addition for "Plesk 11.x for Linux"

... and not for your domain - specific nginx configuration files.


Even with Let's Encrypt certificates, the mentioned suggestion still works as described by @Lloyd_mcse for the Plesk Control Panel and you would certainly use the domain - specific "chain.pem" for the definition at "ssl_trusted_certificate". ;)
 
Back
Top