Latest LE Extension, Plesk and OCSP


#1

With older versions of the LE extension, I was able to use the following. However, with the new LE extension, it seems the locations of the fullchain.pem and privkey.pem files are not there any longer. Where can I find this location now?

Nginx additional directives… pre latest LE extension.

ssl_certificate /usr/local/psa/var/modules/letsencrypt/etc/live/mydomain.com/fullchain.pem;
ssl_certificate_key /usr/local/psa/var/modules/letsencrypt/etc/live/mydomain.com/privkey.pem;
ssl_stapling on;
ssl_stapling_verify on;


PLESK 17 (ONYX) + LetsEncrypt | Where are my PEMs?
#2

hi @amavarick

You are best to contact Plesk directly or via their GitHub page.

Andrei


#3

My specific question is where letsencrypt stores the full certificate for each domain on plesk. I would think that would be determined on the extension rather than plesk itself?


#4

hi @amavarick

This is how the Plesk Extension used to work:

A) LetsEncrypt is installed
B) There is a wrapper for LetsEncrypt Written By Plesk https://github.com/plesk/letsencrypt-plesk

The wrapper uses Certbot libraries to do most of the validation work etc.; however, it controls how the certificates are stored and deployed.

Hence, you should either review the code or ask the writers of the code how it works.

Andrei


#5

hi @amavarick

I can also see from the release notes that certbot is no longer used. They seemed to have moved to a PHP-based client, which may not store the certs at all.

2.0.1 (28 March 2017)

[-] Let's Encrypt certificates could not be issued if no list of trusted root CAs could be found on the server. (EXTLETSENC-82)

2.0.0 (23 March 2017)

[+] Domain aliases support added
[+] IDN domains support
[*] Granular and reliable renew process: the extension now performs a daily check for certificates which are about to expire and renews them not earlier than 30 days before their expiration
**[*] Replaced Python-based certbot with PHP-based client**
[-] Fixed installation issues with python dependencies when 3rd-parties upgrade breaks compatibility
[-] Fixed python-related issues (virtualenv and so on) on Windows

#6

hi @amavarick

/usr/local/psa/var/certificates/cert-[7-random-characters] seems to be the directory

May be a good conversation to follow

Andrei


#7

I posted a request with Let's Encrypt on GitHub for them to re-add the certificate directory.

/usr/local/psa/var/modules/letsencrypt/etc/live/yourdomain.tld/

Update: Let’s Encrypt Extension 2.0.2 Release 29 came out today. Update the extension and then RENEW your certificates. New certificates will be populated there.


#8

I created a ticket with Plesk. Even though LE fixed their extension to re-add the directory…

/usr/local/psa/var/modules/letsencrypt/etc/live/mydomain.com/

Based on the response from Plesk support, the directory above is NOT needed to enable OCSP with Plesk if you have certificates set up for your domain. I ensured LE certificates were installed using the LE Extension and added the following commands under nginx additional directives:

#Enable OCSP
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.4.4 8.8.8.8 valid=300s;
resolver_timeout 10s;

I applied and then tested with ssllabs. It worked. You may need to run the test 2x.
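
An added example (not part of the original posts, and not code from Plesk or Let's Encrypt): a shell check that confirms from the command line whether the server staples an OCSP response, as a local alternative to the ssllabs test in post #8. nginx fetches the OCSP response lazily, so the first handshake after a reload can arrive without a staple, which is why the probe retries; the function names and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Classify `openssl s_client -status` output read on stdin.
# Prints: stapled-good | stapled-not-good | not-stapled
classify_ocsp() {
    _ocsp_out=$(cat)
    case $_ocsp_out in
        *'OCSP Response Status: successful'*)
            case $_ocsp_out in
                *'Cert Status: good'*) echo stapled-good ;;
                *) echo stapled-not-good ;;   # e.g. revoked or unknown
            esac ;;
        *) echo not-stapled ;;                # "OCSP response: no response sent"
    esac
}

# Probe a live host on port 443 (requires network access and openssl).
check_host() {
    openssl s_client -connect "$1:443" -servername "$1" -status \
        </dev/null 2>/dev/null | classify_ocsp
}

# Retry, because the first handshake only triggers nginx's OCSP fetch.
# Usage: check_host_retry HOSTNAME [TRIES]
check_host_retry() {
    _host=$1; _tries=${2:-3}; _i=0; _result=not-stapled
    while [ "$_i" -lt "$_tries" ]; do
        _result=$(check_host "$_host")
        if [ "$_result" != not-stapled ]; then break; fi
        _i=$((_i + 1))
        sleep 2
    done
    echo "$_result"
}

# Constructed sample outputs (trimmed to the lines that matter).
SAMPLE_COLD='CONNECTED(00000003)
OCSP response: no response sent
---'
SAMPLE_WARM='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
---'
SAMPLE_REVOKED=$(printf '%s\n' "$SAMPLE_WARM" | sed 's/Cert Status: good/Cert Status: revoked/')
```

A `stapled-not-good` result means the server is stapling, but the certificate status itself needs attention.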


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.