I have the Let’s Encrypt plugin installed in Plesk 12.5 and made the cert by installing it via this plugin.
Everything is set up as described in different sources, also from information available on this forum, but I doubt whether the OCSP stapling is working correctly or not.
When I test the installed cert via Qualys SSL Labs, I get an A+ rating and it says OCSP Stapling: YES
When I test on my server with the openssl command, I get this response: OCSP response: no response sent
So, is it working now, or not?
Qualys SSL Labs also informs me: Chain issues: Incorrect order, Extra certs
What is the right order in Plesk to add the cert files? I’m using the following in Plesk at the “Additional nginx directives”:
In nginx (and to be fair, in other popular servers too) the stapling support is a bit, well, I’d call it half-arsed.
When nginx first spins up a web server process, it doesn’t have the stapled OCSP response to hand, so by default it just doesn’t provide it. This can result in some tools saying there’s no OCSP stapling, because when they tried, there wasn’t. If you want, you could try, ignore the result, wait a few minutes, then try again and see if it’s better.
Anyway, probably if SSL Labs says it’s working, it’s working as well as can be in nginx for now. Hopefully as stapling gets more popular we’ll see nginx getting a bit better at this.
Now, the chain issues are more surprising. The fullchain.pem prepared by Let’s Encrypt is usually perfectly good and wouldn’t attract a complaint from Qualys’ tools. The SSL Labs page does give a bit more info, but I appreciate it can be hard to interpret; maybe you could paste the part where it lists the certificates it saw? If you worry particularly, you could blur out your own site’s name anywhere it appears, although please do remember certificates are public documents, they’re not secrets, and it’s not as though asking for advice about security is a shameful thing to be doing.
Seems OK to me, but you should remove the ssl_trusted_certificate directive, simply because your server doesn't need it: you already have it specified in the ssl_certificate directive, where you are adding the fullchain.pem.
For OCSP stapling to work, the certificate of the server certificate issuer should be known. If the ssl_certificate file does not contain intermediate certificates, the certificate of the server certificate issuer should be present in the ssl_trusted_certificate file.
As I said, since you are already using fullchain.pem, which contains the intermediate cert, there is no need to use ssl_trusted_certificate for OCSP stapling.
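To make the two checks discussed in this thread repeatable from the server itself, here is an added example script (not posted by anyone in the thread, and not part of Plesk or nginx). It covers the retry advice above for OCSP stapling, since nginx only staples once a worker has fetched a response, and the "Incorrect order, Extra certs" chain complaint, by walking the subject/issuer pairs that openssl prints for a chain file and confirming leaf-first order. The host name, file path and certificate names used in the samples are constructed placeholders; the only real strings relied on are the OCSP status lines that openssl s_client -status prints.

```shell
#!/usr/bin/env bash
# Added example: post-install checks for OCSP stapling and chain order
# on an nginx host using a Let's Encrypt fullchain.pem.
# Hypothetical helper names; sample inputs below are constructed.

# Classify the OCSP section of `openssl s_client -status` output.
# Prints: stapled | none | unknown
ocsp_status() {
  if printf '%s\n' "$1" | grep -q 'OCSP Response Status: successful'; then
    echo stapled
  elif printf '%s\n' "$1" | grep -q 'OCSP response: no response sent'; then
    echo none
  else
    echo unknown
  fi
}

# Connect several times with a pause, because a freshly started nginx
# worker has no stapled response yet and simply omits it.
# Usage: check_stapling example.net [tries] [sleep_seconds]
check_stapling() {
  host=$1; tries=${2:-3}; pause=${3:-30}; i=1
  while [ "$i" -le "$tries" ]; do
    out=$(printf 'QUIT\n' | openssl s_client -connect "$host:443" \
            -servername "$host" -status 2>/dev/null)
    if [ "$(ocsp_status "$out")" = stapled ]; then
      echo "stapled response seen on attempt $i"
      return 0
    fi
    i=$((i + 1)); sleep "$pause"
  done
  echo "no stapled response after $tries attempts"
  return 1
}

# Given the "subject=..." / "issuer=..." lines that
# `openssl pkcs7 -print_certs -noout` emits, verify leaf-first order:
# each certificate's issuer must equal the next certificate's subject.
# Prints: ok | out-of-order | extra-root | empty
chain_order() {
  printf '%s\n' "$1" | awk '
    BEGIN { n = 0 }
    /^subject=/ { sub(/^subject=/, ""); subj[n] = $0 }
    /^issuer=/  { sub(/^issuer=/, "");  iss[n]  = $0; n++ }
    END {
      if (n == 0) { print "empty"; exit }
      for (i = 0; i < n - 1; i++)
        if (iss[i] != subj[i + 1]) { print "out-of-order"; exit }
      # A self-signed root at the end is what SSL Labs flags as an extra cert.
      if (iss[n - 1] == subj[n - 1]) { print "extra-root"; exit }
      print "ok"
    }'
}

# Run chain_order over a real PEM bundle such as fullchain.pem.
check_chain() {
  chain_order "$(openssl crl2pkcs7 -nocrl -certfile "$1" \
                 | openssl pkcs7 -print_certs -noout)"
}

# Constructed samples (offline demo; names are placeholders).
SAMPLE_GOOD='subject=CN = www.example.net
issuer=O = Example CA, CN = Example Intermediate

subject=O = Example CA, CN = Example Intermediate
issuer=O = Example CA, CN = Example Root'

SAMPLE_REVERSED='subject=O = Example CA, CN = Example Intermediate
issuer=O = Example CA, CN = Example Root

subject=CN = www.example.net
issuer=O = Example CA, CN = Example Intermediate'

echo "no-response sample : $(ocsp_status 'OCSP response: no response sent')"
echo "stapled sample     : $(ocsp_status 'OCSP Response Status: successful (0x0)')"
echo "good chain         : $(chain_order "$SAMPLE_GOOD")"
echo "reversed chain     : $(chain_order "$SAMPLE_REVERSED")"
# For a live host:  check_stapling www.example.net 3 60
# For a PEM bundle: check_chain /path/to/fullchain.pem
```

check_stapling deliberately waits between attempts: the first connection after a reload often reports "no response sent" even on a correctly configured server, which is exactly the false negative described above. chain_order reports extra-root when the bundle ends with a self-signed certificate, which is the usual cause of an "Extra certs" warning when a root has been appended to fullchain.pem.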