
Forwarded to devs SSL It! reports that security can be improved even though all security measures are in place.

obendev

Username: obendev

TITLE

SSL It! reports that security can be improved even though all security measures are in place.

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

Plesk Obsidian v18.0.33_build1800210123.00 os_Ubuntu 18.04
Let's Encrypt 2.12.5-693
SSL It! 1.7.7-1038

PROBLEM DESCRIPTION

The SSL It! reports that security can be improved even though all security measures are in place.



STEPS TO REPRODUCE

I'm not 100% sure what this is related to, but it seems that this happens when you
  1. disable the webmail service for the given domain
  2. let the certificate renew automatically
Maybe you have to play around with either enabling the webmail service on domain creation and assigning the certificate immediately to the domain when issuing the certificate, then disabling the webmail service and letting the certificate renew automatically, or just not attaching one in the first place.

ACTUAL RESULT

SSL It! reports that security can be improved even though all security measures are in place.

EXPECTED RESULT

SSL It! should notice that webmail is disabled and there is no need to assign the certificate to the disabled webmail service.

ANY ADDITIONAL INFORMATION

We have this problem on several domains and on several servers.

YOUR EXPECTATIONS FROM PLESK SERVICE TEAM

Confirm bug
 
The developers reported that they cannot reproduce the issue.
You can give more details about reproduction or contact Plesk technical support team.
 
I also noticed that this remark (security can be improved) showed up for most domains lately. Configuration is all the same.
I reissued the certificate for one of the domains and that shows now 'safe and sound!'.

So I expect that when the certificates are renewed automatically the next time, all will be 'Safe and sound!' again.
 
It did not work for most sites that renewed automatically, so (re) re-issuing via the Plesk user interface does return the 'Safe and sound!' message.
 
Even after "safe and sound" has popped up, the next day it is again "security can be improved".
I just ignore this false message.
 
Hi, I can confirm the same issue. On multiple servers. CentOS 7, Plesk 18.0.38 Update #2. Been having this issue for a while.

Go in, turn off OCSP stapling, turn it on again, and the issue is solved (for the moment)
Go in, turn off HSTS, turn back on, issue is solved (for the moment)

Things that may play a role: Sectigo extension is removed completely. Panel.ini entries that may play a role in it:

[ext-letsencrypt]
rsa-key-size = 4096
secure-new-domain = true
acme-directory-url = "https://acme-v02.api.letsencrypt.org/directory"
acme-protocol-version = "acme-v02"
key-algorithm = ECDSA

[ext-sslit]
enableSecuringNewDomain = true

Will watch a specific domain where I just had to do the above and see if we can't pin it down further.
 
We confirm that this is an SSLit! bug with ID #EXTSSLIT-1746, which should be fixed in one of the future Plesk updates.
Note, this is a cosmetic bug; the warning can be safely ignored.
 