
Resolved OCSP Stapling with Letsencrypt per domain

Dukemaster

Regular Pleskian
Hi, Plesk friends,
I want to improve SSL integration with OCSP stapling for each domain.
Therefore I found an older thread with really good help by @Lloyd_mcse and @UFHH01.
So I followed these instructions in this way:

1. First I created a "stapling" folder in
Code:
/etc/ssl/stapling
2. Downloaded one domain's chain.pem file and renamed it to "Lets-Encrypt-Authority-X1.pem".
By comparing chain.pem files I realized that the content of the chain.pem file is always the same for all domains. Or in other words, all domains have the same chain.pem content.
3. Then I uploaded the new Lets-Encrypt-Authority-X1.pem (formerly chain5.pem) to
Code:
/etc/ssl/stapling
4. For the last step I added
Code:
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/stapling/Lets-Encrypt-Authority-X1.pem;
resolver 8.8.4.4 8.8.8.8 valid=300s;
resolver_timeout 10s;
to Domains > domain.tld > Apache & Nginx Settings > Additional nginx directives

The result on SSLlabs.com for all domains secured by Let's Encrypt seems to be OK (for the 1st certificate only).
But I'm not sure if I've done everything that is needed.
Because in this thread @UFHH01 wrote about the integration of the fullchain.pem file. And I'm also unsure about the fact that @Lloyd_mcse said:
containing the Intermediate (Let's Encrypt Authority X3) and the Root CA (DST Root CA X3) and upload them to the folder
As you can see on my second screenshot, I have only the Lets-Encrypt-Authority-X1.pem in the "stapling" folder.
And its content is only one certificate block, not two?
Did I make a mistake or forget something else regarding these two certificates?

Lots of greets

[Screenshots: Plesk OCSP Stapling.jpg, Plesk OCSP Stapling - .pem-file.jpg]
Hi Dukemaster,

there is no need to download the specific chain.pem, and you totally missed that IF you do that, you have to include the specific Let's Encrypt certificate in your downloaded chain.pem (now named by you "Lets-Encrypt-Authority-X1.pem") before you upload it again to your desired path: => "/etc/ssl/stapling/".
You "liked" the post => https://talk.plesk.com/threads/ocsp-stapling-with-nginx-issue.339339/#post-808318, but you didn't follow the steps provided by @Lloyd_mcse. ;)

But (and here is your real "easy" solution!): Why don't you just use the symlink "/usr/local/psa/var/modules/letsencrypt/etc/live/YOUR-DOMAIN.COM/fullchain.pem" (which is ALWAYS the latest chain.pem and the current root CA provided by Let's Encrypt)? Just verify with the command:
Code:
ls -lah /usr/local/psa/var/modules/letsencrypt/etc/live/YOUR-DOMAIN.COM
... so that you are able to see WHERE the symlink points to, and inspect the file "fullchain.pem" as well:
Code:
cat /usr/local/psa/var/modules/letsencrypt/etc/live/YOUR-DOMAIN.COM/fullchain.pem
... to make sure that you see that this *.pem includes not only your (sub)domain-specific certificate, but also the needed root CA. ;)


In addition, you wrote:
(only 2nd certificate).
... which leads to the fact that your IP-specific certificate (=> HOME > Tools & Settings > IP Addresses > YOUR-IP-ADDRESS) might differ from the one for your (sub)domain, and your (sub)domain-specific (and additional) OCSP configuration will certainly not work for the IP-based certificate. To reach the goal of including OCSP stapling for the IP-based certificate, you have to change/modify the IP-related webserver configuration file.


By comparing chain.pem files I realized that the content of each domain chain.pem file is always the same.
Surprise, surprise... the chain.pem ( => root CA certificate from Let's Encrypt ) doesn't change very often.

Pls. see => Chain of Trust - Let's Encrypt - Free SSL/TLS Certificates to verify all existing root certificates which are currently provided by Let's Encrypt.



Final information:

The Let's Encrypt *.pem files and their content can be described very easily with this description:

cert.pem => the "real" (sub)domain - specific certificate
chain.pem => the root CA, needed to verify the cert
fullchain.pem => cert.pem + chain.pem merged together as one file
privkey.pem => the private key, needed to verify the cert
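Added example, not from this thread or from Plesk: a small POSIX shell helper set for the two checks discussed above, the question's step 2 (where the downloaded chain.pem turned out to hold a single certificate) and the inspection of fullchain.pem in the reply. It uses only grep and awk, so it runs offline; the directory layout (cert.pem, chain.pem, fullchain.pem) is certbot's, the PEM bodies written by make_sample_live are constructed placeholders rather than real certificates, and the Plesk path in the trailing comment is an assumption. In that layout cert.pem is the leaf, chain.pem the issuing intermediate(s), and fullchain.pem their concatenation; with ssl_stapling_verify on nginx needs the leaf's issuer to validate the OCSP response, so a trusted-certificate file with only one block is exactly the symptom the question describes.

```sh
#!/bin/sh
# Added example (not from the thread): inspect Let's Encrypt PEM files offline.
# Paths are assumptions; the PEM bodies written by make_sample_live are
# constructed placeholders, not real certificates.

# Number of "BEGIN CERTIFICATE" blocks in a PEM file (0 if none).
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print the N-th certificate block (1-based) of a PEM bundle.
pem_nth_cert() {
    awk -v want="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == want { print }
        /-----END CERTIFICATE-----/ && n == want { exit }
    ' "$1"
}

# 0 if fullchain.pem is exactly cert.pem followed by chain.pem
# (certbot's layout, as the reply above describes), 1 otherwise.
fullchain_matches() {
    live="$1"
    [ "$(cat "$live/cert.pem" "$live/chain.pem")" = "$(cat "$live/fullchain.pem")" ]
}

# 0 if a file is usable as ssl_trusted_certificate with
# ssl_stapling_verify on: nginx needs the leaf's issuer, so a bundle with
# a single block (the symptom in the question) fails this check.
stapling_trust_ok() {
    [ "$(pem_cert_count "$1")" -ge 2 ]
}

# Build a throw-away "live/example.com" directory with constructed
# placeholder PEM files in certbot's layout; prints its path.
make_sample_live() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
        'LEAF-PLACEHOLDER-example.com' \
        '-----END CERTIFICATE-----' > "$d/cert.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
        'INTERMEDIATE-PLACEHOLDER' \
        '-----END CERTIFICATE-----' > "$d/chain.pem"
    cat "$d/cert.pem" "$d/chain.pem" > "$d/fullchain.pem"
    printf '%s\n' "$d"
}

# Usage against a real Plesk install (assumed path):
#   live=/usr/local/psa/var/modules/letsencrypt/etc/live/example.com
#   pem_cert_count "$live/fullchain.pem"
#   stapling_trust_ok "$live/fullchain.pem" && echo "usable for ssl_stapling_verify"
```

On a real host the same inspection can be done with openssl: "openssl x509 -in cert.pem -noout -issuer" must name the subject printed by "openssl x509 -in chain.pem -noout -subject", and "openssl s_client -connect example.com:443 -servername example.com -status </dev/null" prints an "OCSP Response Status: successful" block only when nginx actually sends a stapled response, which is the same thing Qualys reports as "OCSP stapling: Yes".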
 
Thanks for your amazing help, @UFHH01.
I wonder why I get no output from the command you posted in the other thread?
But when making the test on SSL Labs it works fine. You can watch it yourself if you want with SSL Server Test: www.chattergallery.com (Powered by Qualys SSL Labs)
I also had this successful output on Qualys with the tutorial by Lloyd (only with the chain.pem).
But the solution with fullchain.pem you suggested seems to be a little better, because there is no need to put any .pems in the /stapling folder and replace them when they change somewhere in the future. I guess this folder won't be necessary any longer and I can delete it.
Here is my new additional nginx input, powered by your help:
Code:
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /usr/local/psa/var/modules/letsencrypt/etc/live/domain.com/fullchain.pem;
resolver 8.8.4.4 8.8.8.8 valid=300s;
resolver_timeout 10s;
I can't believe that there is nothing more to do than the code above for each domain. ^
I also wonder why I already got a successful "OCSP stapling: Yes" with only the chain.pem and no CA included?
Together with my first wondering about no output from the OCSP stapling test command, it leads to the point that the output by Qualys is not sooo correct, right?

What you wrote about the 2nd cert, which is the default PLESK certificate from installation, is quite interesting. I did much testing around it, for example I tried to use a Starter-SSL (one free by 1and1 for one domain).
I hope and wish that one day Let's Encrypt and PLESK will work in the most perfect way, so that you can use a Let's Encrypt certificate for securing the standard IP address.
Two weeks ago I changed my additional second IPv4 to shared, not dedicated, in order to bring my own DNS to the best possible solution in my environment.
Last but not least, it would be great if there were a tutorial on how to set up OCSP stapling for an IP-based certificate...

Greets and thanks
 
Hi Dukemaster,

I hope and wish that one time Letsencrypt and PLESK will work in the most perfect way that you can use Letsencrypt certificate for securing the standard IP address.
This IS already possible. Just make sure that the IP reverses to a "main" domain and use the very same certificate by creating a new one, for example with:
Code:
plesk bin certificate -c "Lets Encrypt IP MULTI chattergallery.com" -admin -key-file /usr/local/psa/var/modules/letsencrypt/etc/live/chattergallery.com/privkey.pem -cert-file /usr/local/psa/var/modules/letsencrypt/etc/live/chattergallery.com/cert.pem -cacert-file /usr/local/psa/var/modules/letsencrypt/etc/live/chattergallery.com/fullchain.pem
I called it "IP MULTI" with the "main domain" chattergallery.com, because you currently have additional domains as alternative names "chattergalerie.eu chattergallery.com www.chattergalerie.eu www.chattergallery.com" included. ;)
 
Thanks so much @UFHH01. It's amazing. I wonder why such great help is not in the basic support articles of PLESK. Perhaps you can write them. Lots of people will be thankful. I also am, every time I read something in the whole Plesk support. Many people there do a great job.

To your help:
According to what you told me was best to do a few weeks ago with the hostname, here is my configuration:
The first IPv4 (standard PLESK + 1and1) reverses to server.arox.eu in the domain/IP panel of 1and1. I set server.arox.eu as hostname in the Plesk server settings. I will also use the certificate of this domain for securing the Plesk panel and email in Plesk - SSL/TLS Certificates.
Today is the best time to follow your instruction, because:
Last night I deleted all certificates because I had around double and triple entries [many nameserver entries (ns1..ns2..)] in the database, all orphans and one NULL entry. I followed the great tutorial by @EugeneKazakov for the second time during the last week.
Would it be okay to run your command only and especially for the subdomain/hostname server.arox.eu?
I think this is the right way.
Or is it better to change the reverse mapping to arox.eu and create the certificate as IP Multi arox.eu?

Great! Thanks for help
 
Hi Dukemaster,

I personally would choose a certificate for multiple (sub)domains, while the basic validated domain name should be "arox.eu". To include the "hostname" of your server, just create a subdomain "server.arox.eu"; to include the subdomain "mail.arox.eu", just create another subdomain with the name "mail" ... and when you are finished creating all subdomains, simply use the "--expand" option, so that the initial Let's Encrypt certificate for the domain "arox.eu" can now be expanded with all created subdomains:

Code:
plesk bin extension --exec letsencrypt cli.php -d arox.eu -d www.arox.eu -d mail.arox.eu -d server.arox.eu --email [email protected] --expand --webroot-path "/var/www/vhosts/arox.eu/httpdocs"

Simple... or what do YOU think? ^^
 
You should be able to simplify your OCSP by only including the following...

Code:
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.4.4 8.8.8.8 valid=300s;
resolver_timeout 10s;
 
Hi @Walter ,

thank you for your input, but he already reached his goal at => #3. @Dukemaster just expanded the thread with additional questions instead of opening a new thread for his additional questions (not related to the topic). ;)
 
Wow...
THANKS A LOT @UFHH01
I had to delete all arox-related certificates once more. Once more I followed your instructions.
But this time the other way around.
First I did the last step, creating the domain certificate for all subdomains + the main domain.
Then I did the mega goal which you explained in the first tutorial:
creating the MULTI-IP certificate with the related certificate parts of the existing domain cert.
It took me reading your postings 4 times until I fully understood what I had to do.
Sorry for my last posting, I just deleted it.
Heaven for You, @UFHH01 :)

PLESK is sooo amazing - PLESK is so great... I love it...

[Screenshot: Perfect SSL Configuration for Plesk Server + IPv4 + Hostname + Mail.jpg]
 
I made the test on Qualys again and was surprised that the second certificate, now by Let's Encrypt, is still marked as "Not trusted".
How can this be true? I can't believe it.
But it couldn't wipe my happiness away. I also can't believe that the TLD ".eu" still has only grade A.
Other TLDs like .com, .de, .net have A+.
I mentioned this already weeks ago; this is due to Qualys, never to misconfigurations or Plesk.
 