Securing Connections with the SSL It! Extension¶
The SSL It! extension offers a single interface for keeping your websites secured with SSL/TLS certificates from the trusted certificate authorities (CAs) Let’s Encrypt and DigiCert (Symantec, GeoTrust, and RapidSSL brands) or with any other SSL/TLS certificate of your choice. You can also:
- Enhance the security of your website’s visitors via redirects from HTTP to HTTPS.
- Protect your website’s visitors by prohibiting web browsers from accessing the website via insecure HTTP connections.
- Protect the privacy of your website’s visitors and improve the website performance with OCSP Stapling.
- Make connections encrypted with SSL/TLS certificates more secure using protocols and ciphers generated by Mozilla.
Getting started with SSL It!¶
- The SSL It! extension is already installed by default.
- To take advantage of all SSL It! features, make sure that the latest versions of the DigiCert SSL and Let’s Encrypt extensions are also installed.
To manage an SSL/TLS certificate of a domain, go to Websites & Domains > your domain. You can see the current security status of the domain under SSL/TLS Certificates:
Securing websites with SSL/TLS certificates¶
With the SSL It! extension you can secure websites with free and paid SSL/TLS certificates (at the moment they are from DigiCert only) and also with SSL/TLS certificates you already own.
To secure a website with a free SSL/TLS certificate from Let’s Encrypt:
- Go to Websites & Domains > your domain > SSL/TLS Certificates.
- Click Get it free under “Entry-level protection”.
- Specify the email address that will be used for urgent notices and lost key recovery.
- Select what you want to secure in addition to the main domain:
- If you have the www subdomain and/or domain aliases, select the “Include a “www” subdomain for the domain and each selected alias” checkbox.
- If you use webmail, select the “Secure webmail on this domain” checkbox.
- If you have all of the mentioned above plus other subdomains, select the “Secure the wildcard domain (including www and webmail)” radio button.
- Click Get it free.
An SSL/TLS certificate from Let’s Encrypt will be issued and automatically installed.
Note
If you secure a domain with an SSL/TLS certificate from Let’s Encrypt and then add new domains, subdomains, domain aliases, or webmail to the subscription, you can have SSL It! automatically secure them by reissuing the SSL/TLS certificate from Let’s Encrypt. To do so, go to Websites & Domains > your domain > SSL/TLS Certificates and turn on the “Keep websites secured” option.
To get a paid SSL/TLS certificate:
Go to Websites & Domains > your domain > SSL/TLS Certificates.
Find an SSL/TLS certificate you want to buy. To learn more about the certificate (validity period, validation type, and so on), click “Show details”. Once you have made your choice, click Buy Now. Then you will be automatically redirected to Plesk Online Store.
Fill in your address, payment information, and then buy the certificate.
Go back to Plesk (use the Back button in your browser).
Processing the payment takes some time. To update the payment status, click Reload. Plesk automatically updates the payment status once per hour.
Once the payment has been processed, click Fill In Required Data.
Fill in the required contact information and then click OK.
Plesk now automatically creates a certificate signing request (CSR) and then receives and installs the SSL/TLS certificate. It may take some time depending on the type of the SSL/TLS certificate. You can update the SSL/TLS certificate status manually by clicking Reload, or you can wait until Plesk does it automatically (Plesk checks the SSL/TLS certificate status once per hour).
Note
Certain types of SSL/TLS certificates (for example, EV) require additional actions on your part. You may need to answer a phone call or an email and also submit necessary documents so that the CA can validate your application.
Once the SSL/TLS certificate is installed, the Websites & Domains > your domain > SSL/TLS Certificates screen will show the information about the installed SSL/TLS certificate (name, certificate authority, email address, and so on), secured components, and other options (“Redirect from http to https”, “HSTS”, and so on).
Uploading SSL/TLS certificates¶
You may want to upload an SSL/TLS certificate if:
- You already have one that you want to use to secure your domain.
- You want to install a certificate you cannot get via SSL It!.
To upload an SSL/TLS certificate:
Go to Websites & Domains > your domain > SSL/TLS Certificates and then click Upload.
Locate the .pem file of the SSL/TLS certificate you want to upload and then click Open.
The SSL/TLS certificate will be automatically installed on the domain.
Renewing installed SSL/TLS certificates¶
To make sure that your website is continuously secured, you need to renew the installed SSL/TLS certificate in a timely manner. The SSL It! extension can help you with that.
SSL It! automatically renews free SSL/TLS certificates from Let’s Encrypt and DigiCert 30 days in advance of their expiration.
SSL It! cannot automatically renew paid SSL/TLS certificates. However, you can:
- Reissue them manually.
- Have SSL It! automatically replace expired SSL/TLS certificates with free ones from Let’s Encrypt.
To reissue paid SSL/TLS certificates:
Go to Websites & Domains > your domain secured with a paid SSL/TLS certificate that is going to expire > SSL/TLS Certificates.
Click Reissue Certificate. Then you will be automatically redirected to Plesk Online Store.
Fill in your address, payment information, and then buy the certificate.
Go back to Plesk (use the Back button in your browser).
Processing the payment takes some time. To update the payment status, click Reload. Plesk automatically updates the payment status once per hour.
Once the payment has been processed, click Fill In Required Data.
Fill in the required contact information and then click OK.
Plesk now automatically creates a certificate signing request (CSR) and then receives and installs the SSL/TLS certificate. It may take some time depending on the type of the SSL/TLS certificate. You can update the SSL/TLS certificate status manually by clicking Reload, or you can wait until Plesk does it automatically (Plesk checks the SSL/TLS certificate status once per hour).
To automatically replace paid expired SSL/TLS certificates with free ones from Let’s Encrypt:
- Go to Websites & Domains > your domain secured with a paid SSL/TLS certificate that is going to expire > SSL/TLS Certificates.
- Turn on “Keep websites secured”.
Now when your paid SSL/TLS certificate expires, SSL It! automatically issues a free SSL/TLS certificate from Let’s Encrypt to secure domains, subdomains, domain aliases, and webmail belonging to the subscription. It should happen no later than one hour after the SSL/TLS certificate expires.
Unassigning SSL/TLS certificates¶
- Go to Websites & Domains > your domain whose SSL/TLS certificate you want to unassign > SSL/TLS Certificates.
- Click Unassign Certificate and then click OK.
Enhancing security of your websites and encrypted server connections¶
Merely securing a website with a valid SSL/TLS certificate from a trusted CA is not enough to get all-round protection. SSL is a complex technology, which has a number of features (key encryption algorithm, secure ciphers, HSTS, and much more) that can do the following:
- Enhance the security of your website’s visitors.
- Improve your website performance.
- Harden the security of all server’s encrypted connections.
Enabling these features can improve your websites’ search engine rankings:
- “Redirect from http to https” sets up a permanent, SEO-safe 301 redirect from the insecure HTTP to the secure HTTPS version of the website and/or webmail.
- HSTS prohibits web browsers from accessing the website via insecure HTTP connections.
- OCSP Stapling makes the web server, instead of the visitor’s browser, request the status of the website’s certificate (can be good, revoked, or unknown) from the CA.
- TLS versions and ciphers by Mozilla harden connections secured with SSL/TLS certificates (website, mail, Plesk, and so on).
Caution
Before turning these features on, ensure that your website can be accessed via HTTPS without any issues. Otherwise, visitors may have trouble accessing your website.
Note
If you have already set up HSTS or OCSP stapling in your web server manually, delete these customizations before turning on HSTS or OCSP stapling in SSL It!.
To enhance the security of your websites and encrypted server connections:
Secure your website with a valid SSL/TLS certificate from a trusted CA.
Go to Websites & Domains > your domain > SSL/TLS Certificates.
If you have upgraded to Plesk Obsidian from earlier Plesk versions, turn on “Redirect from http to https”. The redirect will also be applied to webmail by default. On clean Plesk Obsidian installations, the redirect for the domain and webmail is already turned on by default.
Note
If your webmail is not secured with a valid SSL/TLS certificate or you do not have any webmail, clear the “Include webmail” checkbox.
Enable HSTS:
Turn on HSTS.
Make sure that an SSL/TLS certificate that secures your website will be valid during the “Max-age” period. Do the same for subdomains and the webmail subdomain. Otherwise, if the SSL/TLS certificate expires earlier than the “Max-age” period and HSTS is turned on, visitors will not be able to access your website.
If your subdomains are not secured with valid SSL/TLS certificates or you do not have any subdomains, clear the “Include subdomains” checkbox.
If your webmail subdomain is not secured with a valid SSL/TLS certificate or you do not have any webmail, clear the “Include webmail” checkbox.
Click Enable HSTS.
Note
If your SSL/TLS certificate expires earlier than the “Max-age” period but you still want to use HSTS, we recommend that you turn on “Keep websites secured”. Then when the SSL/TLS certificate expires, SSL It! will automatically issue a free one from Let’s Encrypt to secure domains, subdomains, domain aliases, and webmail belonging to the subscription. The website will be continuously secured and HSTS will continue working.
Turn on “OCSP Stapling”.
Enable TLS versions and ciphers by Mozilla:
- Go to Extensions > the “My Extensions” tab > click Open next to SSL It!.
- Turn on “TLS versions and ciphers by Mozilla”, keep “Intermediate (recommended)”, and then click Enable & Sync.
- To stay current, click “Sync now” once every few months.
Once you have hardened the SSL security of your website and your server, you can evaluate the SSL security of your website.
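The HSTS step above asks you to make sure the certificate stays valid for the whole “Max-age” period. The following check is an added example, not part of the Plesk documentation or the SSL It! code: it compares an HSTS header value with a certificate's notAfter date, using constructed sample values and hypothetical function names.

```python
import re
import ssl
from datetime import datetime, timedelta, timezone

def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()        # directive names are case-insensitive
        value = value.strip().strip('"')   # the value may be a quoted-string
        if name == "max-age" and re.fullmatch(r"\d+", value):
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        raise ValueError("no valid max-age directive in HSTS header")
    return max_age, include_sub

def cert_expiry(not_after):
    """Convert a certificate notAfter string (ssl.getpeercert() format) to UTC."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)

def hsts_lockout(header, not_after, now):
    """Time during which browsers still enforce HSTS but the certificate has expired.

    Positive: the certificate expires inside the max-age window.
    Zero or negative: the certificate outlives max-age.
    """
    max_age, _ = parse_hsts(header)
    return now + timedelta(seconds=max_age) - cert_expiry(not_after)

def largest_safe_max_age(not_after, now):
    """Largest max-age (seconds) that does not outlast the certificate."""
    return max(0, int((cert_expiry(not_after) - now).total_seconds()))

if __name__ == "__main__":
    # Constructed sample values, not taken from a real site.
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    not_after = "Apr  1 00:00:00 2025 GMT"
    for header in ("max-age=31536000; includeSubDomains", "max-age=2592000"):
        gap = hsts_lockout(header, not_after, now)
        verdict = "certificate expires first" if gap > timedelta(0) else "ok"
        print(f"{header!r}: {verdict} (gap {gap.days} days)")
    print("largest safe max-age:", largest_safe_max_age(not_after, now))
```

Run the same comparison for every subdomain and the webmail subdomain when “Include subdomains” or “Include webmail” is selected, since each of them needs a certificate that outlives the window.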
Known issues and limitations¶
- OCSP stapling works only for websites served by nginx with Apache or solely nginx. If your websites are served by Apache only, you do not need to turn on “OCSP Stapling”.
- OCSP stapling may not work for SSL/TLS certificates from certain vendors (for example, free certificates from DigiCert) if the complete trust chain is not in place. To check if your certificate supports OCSP stapling, run the SSL Labs test on your SSL configuration.
- Automatic sync of TLS versions and ciphers by Mozilla is currently not supported.
Evaluating the SSL security of your website¶
Popular search engines (for example, Google) rank websites with better SSL protection higher. In the SSL It! extension, you can run one of the most popular testing services, Qualys SSL Labs, to do the following:
- Check how good the SSL protection of your website is.
- See what can be improved.
- Get A+, the highest possible score (after hardening SSL protection if necessary).
To evaluate the SSL security of your website:
- Go to Websites & Domains > your domain > SSL/TLS Certificates.
- Click “Run SSL Labs Test”.
The Qualys SSL Labs website will be opened in a new tab and the test will be automatically started. Wait until the test is finished to receive your grade. This may take up to several minutes.
If you secured your website with a valid SSL/TLS certificate from a trusted CA, and you turned on all security-enhancing features provided by SSL It!, you are most likely to get the A+ score.
Customizing the list of SSL/TLS certificates offered by SSL It!¶
By default, when you want to secure a domain with an SSL/TLS certificate and go to SSL It!, you see four SSL/TLS certificates from various CAs available for installation. But there are more.
SSL It! has a list of SSL/TLS certificates available for installation. You can choose which of them will be visible in the SSL It! interface for you, your customers, and resellers.
To customize the list of SSL/TLS certificates available for installation in SSL It!:
Connect to the Plesk server via SSH and run the following command to get the full list of available SSL/TLS certificates:
plesk ext sslit --product -list
Copy composite vendor & product IDs (in the third column) of those SSL/TLS certificates that you want to be shown in the SSL It! interface.
Add an entry to the panel.ini file according to the following pattern:
[ext-sslit]
filteredProducts = composite vendor & product ID1,composite vendor & product ID2,
For example, if you want SSL It! to show only two SSL/TLS certificates from RapidSSL, add the following lines to panel.ini:
[ext-sslit]
filteredProducts = rapid-ssl__rapid-ssl,rapid-ssl__rapid-ssl-wildcard
The SSL It! interface will then look like the following when a domain is not secured by any certificate:
Note
If you are a vendor of SSL/TLS certificates and you want them to be integrated and sold in SSL It!, contact us by email at extension@plesk.com. We will tell you how to get started with writing your own extension to integrate the SSL/TLS certificates and guide you until they are available for purchase in SSL It!.