Important SSL It! Extension

[Ruslan Kosolapov]

Hi! We've released the first version of the SSL It! extension. https://ext.plesk.com/…/3c4117f6-c05c-4d3b-9173-60f10096a9c…

The goal of the extension is to cover SSL-related aspects.

In this version you can:
1. overview the status of SSL certificates for the domain, including subdomains and domain aliases;
2. request an SSL certificate using one of the installed CA plugins (for now, there are plugins for Let's Encrypt and DigiCert). SSL It! unifies the user experience, so, now it doesn't matter what CA do you prefer, LE or DigiCert, the UX will be the same. Also, because of unification, DigiCert certificates are now available for end-users (Resellers and Clients).



As you may notice, the version number is 0.9. What features you would expect us to add so we can proudly number the next release v1.0?

 

[Ruslan Kosolapov]

Also, what do you think about the icon?

 

[Ruslan Kosolapov]

A teaser What do you think?

 

[Brujo]

Well Icons should have somethings to do with certs and Users are familar with but thats my personal opinion. A bit confusing for Users is in the website panel that 2 function with the same name exist SSL/TLS Certificate - one should be inough. In general I like the replacement, functions and the teaser... Sad that the response to the poll wasnt high

 

[Dukemaster]

Sad that the response to the poll wasnt high

Now, You have also my vote and votes of hundreds others, too.
The response is normal, because nobody knows about this poll!
Why?
Because we are all overloaded by informations from Internet, from all over the world, from all kinds of services, real life and/or virtual world, from the manufactor of the bed in which we sleep up to the work we do, health, or in my case, the versions of software I translate every day and night. So, we are all overloaded...mostly by sh** from social media (which I don't use any longer for the waste, bad thoughts and stress which is created in my brain)

Two years ago @IgorG created a new kind of blog here inside the forum, a few months later he deleted it because of less resonance. But knowbody has known about the blog. Perhaps it would be nice to emphasize and highlight new features. I would have liked this blog, a pretty good and competent idea.

Lots of greets ladies & gentlemen

 

[Ruslan Kosolapov]

Hi all. The new version of SSL It! has been released.

Full changelog: Change Log for Plesk

SSL It! 1.0

SSL It! - Plesk Extensions


Highlights:

• Indicator that shows the current TLS/SSL status of your domain right on the Domain Overview page:

• Improved certificate selection screen. Now there are four options to choice (before there were 20+), every option has a clear description. The list of options and their descriptions can be configured via panel.ini (bonus: these options are documented in the Panel.ini Editor extension, so, you don’t need to lurk docs.plesk.com to configure this). So, now it’s quite easier to understand which certificate fits best.

• A number of TLS-related options now can be configured from TLS/SSL Certificates screen. Also, every options has a short description “what is this and why I need this”.
  • HTTP->HTTPS redirect. It’s a kind of shortcut for <domain> > Hosting Settings > Permanent SEO-safe 301 redirect from HTTP to HTTPS, but there is an unique option – redirect for WebMail (available only for Plesk Obsidian).

• HSTS. Before: can be configured by admin only via additional nginx settings (so admin should be experienced enough to set up it). Now: available for end-user via simple switcher.
• Keep Secured. Can be configured before via Subscription Customization screen that usually cannot be found by regular Plesk user
• OCSP Stappling (completely new feature)

• Shortcut to “TLS versions and ciphers by Mozilla” is shown for admin only (because it’s server-wide feature)
• The link to SSL Labs Test allows a user to quickly get the SSL rating for his website. To obtain A+ rating a user should turn on all the TLS options on the screen above, and sync TLS versions and ciphers with Mozilla free service.

• The “TLS versions and ciphers by Mozilla” feature allows admin to configure Plesk services (webserver, mailserver, panel and so on) according to recommendations from Mozilla. At that admin can choose the balance between security and availability for old browsers:

• Bugfixes

 

[Ruslan Kosolapov]

And yep - we've changed the icon

 

[IgorG]

Short video

 

[Hex]

I've test this extension extensively, the result is great (Issuing New Cets - Renew - Wildcard - HSTS etc.) very well organized and in one place.

Improved certificate selection screen. Now there are four options to choice (before there were 20+), every option has a clear description. The list of options and their descriptions can be configured via panel.ini (bonus: these options are documented in the Panel.ini Editor extension, so, you don’t need to lurk docs.plesk.com to configure this). So, now it’s quite easier to understand which certificate fits best.

It will be nice if we can change the URLs, we already offer it to our customers, so it's not make sense to send theme somewhere else.
The current option is only remove

[ext-sslit]
filteredProducts = free-vendor__free-example,letsencrypt__base

Thank you, It's great extension
Especially HSTS ,OCSP Stapling + Validation date.

 

[Ruslan Kosolapov]

Hi!

We’ve released SSL It! 1.0.1 with a couple of bugfixes.

Changelog:

1.0.1 (11 July 2019)

• [-] If SLL It! is available for a domain, the domain screen in Websites & Domains can no longer show the duplicate "SSL/TLS Certificates" link that leads to the old interface for managing SSL/TLS certificates. (EXTSSLIT-535)
• [-] TLS protocols and ciphers can now be again synced with Mozilla: a more stable configuration of protocols and ciphers is used at the moment. (EXTSSLIT-539)

 

[Martin73]

I found an irregularity. After activation of HSTS, the result is as follows: Strict-Transport-Security max-age=15768000 max-age=15768000; includeSubDomains
The max-age is double!

Ubuntu 18.04.3 LTS‬
Plesk Onyx 17.8.11

 

[Ruslan Kosolapov]

Hi!

We’ve released SSL It! 1.2.0
https://ext.plesk.com/packages/3c4117f6-c05c-4d3b-9173-60f10096a9c4-sslit



Notes about the mail domain securing:

Note 1: SSL It! doesn’t check that the certificate is suitable for the mail domain. The checkbox means “after the certificate issuing, assign the received certificate to the mail domain.

Bad news: there is no magic – if the certificate doesn’t cover mail.domain.com and if you instruct your mail users to use mail.domain.com in their mail clients, your users will face the TLS security warning. It’s how TLS works. To use mail.domain.com, you have to issue a wildcard certificate; this is the only solution for now.

Good news: by default, Plesk recommends using domain.com (not mail.domain.com); in this case, the certificate for web domain is ok for mail domain. So, in most cases, all should work well – you enable the checkbox, and get your web domain and mail domain secured.

Note 2: for now, the Keep Secured feature doesn’t secure the mail domain. Probably, we’ll fix this in the future.

Note 3: Autorenewal works for mail domains.

Note 4: I remind you that SNI for mail is available since Obsidian, and only for MailEnable and Postfix+Dovecot.

Full changelog:
1.2.0 (26 December 2019)

• [+] The SSL It! extension can now be used to secure the mail service for the domain with the domain's SSL/TLS certificate.
• Sped up the generation of web server configuration files for domains secured via SSL It!
• Updated the list of trusted root certificates with those from Mozilla CA bundle.
• [-] Unnecessary messages about wildcard certificate renewal failure are no longer sent to users from Plesk servers with the DNS service disabled. (EXTSSLIT-610)
• [-] The title and description of SSL/TLS certificates other than those issued by Let's Encrypt can now again be changed by editing the panel.ini file. (EXTSSLIT-604)
• [-] The extension no longer randomly crashes on servers where it was used to issue a large number of SSL/TLS certificates (1000 or more). (EXTSSLIT-609)
• [-] An unclear error message is no longer shown when SSL It! is unable to connect to the Let's Encrypt server for a long time. (EXTSSLIT-614)
• [-] Additional subscription users now have access to the SSL It! extension. (EXTSSLIT-619)
• [-] Clarified the text under the SSL It! button in the Plesk interface. (EXTSSLIT-621)
• [-] Resolved a number of compatibility issues with Plesk Obsidian.

 

[MicheleB]

Hello,
I've this problem:
Issue - FTP with TLS/SSL, certificate is not trusted

Someone told me that is necessary to use fullchain instead of chain.pem because:
----------
There is a small error: Your certificate chain is incomplete.
Certificate chain
0 s:CN = mydomain.com
i:C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3
Your server doesn’t send the intermediate Letsencrypt certificate.
It should be useful to know because the intermediate certificate isn’t installed.
Use fullchain instead of chain.pem.
----------

The question is... where and how can I change chain.pem with fullchain? If is possible, is safe to change it?
Thanks!