• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Forwarded to devs SSL It! reports that security can be improved even though all security measures are in place.

O

obendev

Basic Pleskian
Username: obendev

TITLE

SSL It! reports that security can be improved even though all security measures are in place.

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

Plesk Obsidian v18.0.33_build1800210123.00 os_Ubuntu 18.04
Let's Encrypt 2.12.5-693
SSL It! 1.7.7-1038

PROBLEM DESCRIPTION

The SSL It! reports that security can be improved even though all security measures are in place.

g9DTjWv.png

DOEODFM.png


STEPS TO REPRODUCE

I'm not 100% sure what this is related to, but it seems like that this happens when you
  1. disable the webmail service for the given domain
  2. let the certificate renew automatically
Maybe you have to play around with either enable the webmail service on domain creation and assign the certificate immediatly to the domain when issuing the certificate, after that disable the webmail service and let the certificate renew automatically or just don't attach one in the first place.

ACTUAL RESULT

SSL It! reports that security can be improved even though all security measures are in place.

EXPECTED RESULT

SSL It! should notice that webmail is disabled and there is no need to assign the certificate to the disabled webmail service.

ANY ADDITIONAL INFORMATION

We have this problem on several domains and on several servers.

YOUR EXPECTATIONS FROM PLESK SERVICE TEAM

Confirm bug
 
The developers reported that they cannot reproduce the issue.
You can give more details about reproduction or contact Plesk technical support team.
 
I also noticed that this remark (security can be improved) showed up for most domains lately. Configuration is all the same.
I reissued the certificate for one of the domains and that shows now 'safe and sound!'.

So i expect when the certificates are renewed automaticaly the next time all will be 'Safe and sound!' again.
 
It did not work for most sites that renewed automatically, so (re) re-issuing via the plesk user interface does return the 'Safe and sound!' message.
 
Even after "safe and sound" has popped up, the next day it is again "security can be improved".
I just ignore this false message.
 
Hi, I can confirm the same issue. On multiple servers. CentOS 7, Plesk 18.0.38 Update #2. Been having this issue for a while.

Go in, turn off OCSP stapling, turn it on again, and the issue is solved (for the moment)
Go in, turn off HSTS, turn back on, issue is solved (for the moment)

Things that may play a role: Sectigo extension is removed completely. Panel.ini entries that may play a role in it:

[ext-letsencrypt]
rsa-key-size = 4096
secure-new-domain = true
acme-directory-url = "https://acme-v02.api.letsencrypt.org/directory"
acme-protocol-version = "acme-v02"
key-algorithm = ECDSA

[ext-sslit]
enableSecuringNewDomain = true

Will watch a specific domain where I just had to do above and see if we can't pin it down further.
 
We confirm that this is SSLit! bug with ID #EXTSSLIT-1746 which should be fixed in one of the future Plesk updates.
Note, this is a cosmetic bug, the waring can be safely ignored.
 
You must log in or register to reply here.

Similar threads

Hangover2
Forwarded to devs SSL It! breaks renewal and usage of Let's Encrypt wildcard certificates when subdomains are involved
2 3
Replies
48
Views
10K
gsk
gsk
P
Forwarded to devs SSL It! - inconsistent Let’s Encrypt branding
Replies
2
Views
1K
AYamshanov
AYamshanov
D
Issue certificate of VPS host still used after SSL configuration for newly added domain
Replies
4
Views
1K
deepnpisgah
D
M
Forwarded to devs Mail certificate is no longer assigned after it gets renewed by Let's Encrypt
Replies
16
Views
6K
Maarten
M
Lenny
Resolved Seeking Assistance with API Communication Issues via SSL on Plesk
Replies
4
Views
2K
Lenny
Lenny
Back
Top