Latest LE Extension, Plesk and OCSP

Older versions of LE extension, I was able to use the following. However, with new LE Extension, it seems the locations of the fullchain.pem and privkey.pem files are not there any longer. Where can I find this location now?

Nginx additional directives… pre latest LE extension.

ssl_certificate /usr/local/psa/var/modules/letsencrypt/etc/live/mydomain.com/fullchain.pem;
ssl_certificate_key /usr/local/psa/var/modules/letsencrypt/etc/live/mydomain.com/privkey.pem;
ssl_stapling on;
ssl_stapling_verify on;

hi @amavarick

You are best to contact Plesk directly or via their github page

Andrei

1 Like

My specific question is where letsencrypt stores the full certificate for each domain on plesk. I would think that would be determined on the extension rather than plesk itself?

hi @amavarick

the is how the Plesk Extension used to work

A) LetsEncrypt is installed
B) There is a wrapper for LetsEncrypt Written By Plesk https://github.com/plesk/letsencrypt-plesk

The wrapper uses Certbot libraries to do most of the validation work etc however it controls how the certificates are stored and deployed

Hence: you should either review the code or ask the writers of the code how it works

Andrei

1 Like

hi @amavarick

I can also see from the release notes that certbot is no longer used. They seemed to have moved to a PHP based client which may not store the certs at all.

2.0.1 (28 March 2017)

[-] Let's Encrypt certificates could not be issued if no list of trusted root CAs could be found on the server. (EXTLETSENC-82)

2.0.0 (23 March 2017)

[+] Domain aliases support added
[+] IDN domains support
[*] Granular and reliable renew process: the extension now performs a daily check for certificates which are about to expire and renews them not earlier than 30 days before their expiration
**[*] Replaced Python-based certbot with PHP-based client**
[-] Fixed installation issues with python dependencies when 3rd-parties upgrade breaks compatibility
[-] Fixed python-related issues (virtualenv and so on) on Windows
1 Like

hi @amavarick

/usr/local/psa/var/certificates/cert-[7-random-characters seems to be the directory

May be a good conversation to follow

Andrie

I posted a request with Lets Encrypt on github for them to re-add the certificate directory.

/usr/local/psa/var/modules/letsencrypt/etc/live/yourdomain.tld/

Update Let’s Encrypt Extension 2.0.2 Release 29 came out today. Update the extension and then RENEW your certificates. New certificates will be populated there.

1 Like

I created a ticket with Plesk. Even though LE fixed their extension to re-add the directory…

/usr/local/psa/var/modules/letsencrypt/etc/live/mydomain.com/

Based on response from Plesk support, The directory above is NOT needed to enable OCSP with Plesk if you have certificates setup for your domain. I ensured LE certificates were installed using the LE Extension and added the following commands under nginx additional directives:

#Enable OCSP
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.4.4 8.8.8.8 valid=300s;
resolver_timeout 10s;

I applied and then tested with ssllabs. It worked. You may need to run the test 2x.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.