• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Issue OCSP Stapling seems only working with www version of a domain

K

Khorne

New Pleskian
Hi,

I'm currently running Plesk Obsidian 18.0.41 with Apache and Nginx reverse proxy. I'm trying to use OCSP Stapling for a domain using the following directives:

Code: 
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.4.4 8.8.8.8 valid=300s;
resolver_timeout 10s;

Then going on https://www.ssllabs.com/ssltest/ to check if OCSP Stapling is correctly on.

SSLlabs keep telling that OCSP Stapling is not on if I check my domain without www. But if I make the check with www, then OCSP Stapling is then on.

Any idea how to enable OCSP Stapling also for the non www version of my domain ?

Regards
 
I am not sure about the ssl_stapling on; and ssl_stapling_verify on; directives. But have you tried the native OCSP Stapling option in Plesk? When I test the results on SSLlabs for a domain with the native OCSP Stapling enabled it seems to work for the domain both with and without the www prefix.
Schermafbeelding 2022-02-03 om 20.11.58.png
 
Last edited:
@Khorne Asssuming that you've adding those directives in "Additional nginx directives" and not in "Additional Apache directives", with your chosen setup, it should work, exactly as intended. It does for us, on both TLD and WWW for all hosted domains. Using the alternative method that @Rasp has provided will also work perfectly, but it's one OR the other. Not both methods. If your setup is as you have indicated, then you'll get the following (correct) message with the SSL It area on each domain, together with the green tick / icon confirming that the OCSP Stapling function is enabled:
Enhances the privacy of website's visitors and improves the website performance. The web server will request the status of the website's certificate (can be good, revoked, or unknown) from the CA instead of the visitor's browser doing so. You can't manage this setting because appropriate params are specified in an Apache & Nginx Settings.
Click to expand...
Depending on who / what / where / which server / OS you're hosting on etc, you might want to look again at those directives. People often use more that one provider for the resolver and, the resolver_timeout value in seconds, does vary and/or is just intentionally omitted by some.
 
You must log in or register to reply here.

Similar threads

F
Issue OCSP for Plesk-Panel does not work
Replies
5
Views
765
Peter Debik
P
P
Input Issues with Google DNS and name resolution of Let's Encrypt OSCP servers -> hanging Nginx reload and "nginx -t"
Replies
4
Views
2K
thinkjarvis
T
P
Issue OCSP Stapling seems not to work
Replies
1
Views
2K
Physicus
P
S
Question OCSP Stapling with Apache and Nginx Reverse Proxy
Replies
6
Views
2K
sall10
S
TimReeves
Issue Debian 10 Nginx fails to start - missing ssl_stapling resolver
Replies
0
Views
2K
TimReeves
TimReeves
Back
Top