Securing Websites With SSL/TLS Certificates Automatically Using ACME Protocol
Summary
Securing your website with an SSL/TLS certificate is practically a given in today's world. However, certificates must be regularly reissued and reinstalled to remain valid and continue providing their benefits. Doing so by hand is a chore, doubly so for certificates with shorter maximum lifetimes, or when a large number of websites has to be kept secured.
The solution to this issue is the ACME protocol. It is a mechanism that reissues and reinstalls SSL/TLS certificates automatically, lifting the burden from the administrators and website owners, and also ensuring that the certificate coverage does not lapse. In Plesk, the support for the ACME protocol is implemented via the free ACME SSL extension.
In this topic, you will learn how to secure hosted websites using the ACME SSL extension.
Overview
Encrypting the connections to and from the hosted websites via an SSL/TLS certificate has a number of benefits, such as:
Protecting private information transferred to and from the website.
Proving to visitors that they are connected to the genuine domain, which increases their trust.
Improving the website's position in search engine results (search engines treat HTTPS as a ranking signal).
However, to enjoy those benefits, the certificate must be reissued regularly. Browsers show an error page for an expired certificate, so it loses much of its value to the website it secures. Keeping certificates up to date has traditionally required manual actions (contacting the certificate authority to have a certificate reissued, then reinstalling it by hand), which both created extra load on the website owner or administrator, and required keeping an eye on the expiration date.
The solution to this problem is the ACME protocol (standardized as RFC 8555). It is a mechanism for automating both the "reissuing" and the "reinstalling" parts of the process. This mechanism is being adopted by the industry, and is supported by most leading certificate authorities.
In Plesk, support for the ACME protocol has already been available for some time for SSL/TLS certificates from Let's Encrypt. The ACME SSL extension expands this support to all certificate authorities that support the ACME protocol. The extension offers both a graphical user interface integrated into the SSL It! extension in Plesk, and a CLI for integrating and automating the process of securing hosted websites using the ACME protocol.
There are no restrictions on the types of certificates the extension can issue and reissue automatically; which certificate types are available depends on the certificate authority in question.
The extension supports both the HTTP-01 and the DNS-01 challenge types. DNS-01 works both with the Plesk DNS server and with an external DNS service (such as Amazon Route 53 or DigitalOcean DNS), as long as the integration between Plesk and the external DNS service is set up properly (that is, the external DNS service picks up and serves the DNS changes made in Plesk). Note that certificate authorities validate wildcard names only via DNS-01, so a working DNS setup is a prerequisite for requesting wildcard certificates.
Prerequisites
Before you can secure a hosted website using the ACME protocol, the following prerequisites must be met:
The SSL It! extension and the ACME SSL extension must be installed from the Extensions Catalog.
You must obtain the ACME directory URL from the chosen certificate authority.
(Optional) If the certificate authority requires External Account Binding (EAB for short), you must also obtain the EAB Key ID and the EAB HMAC Key from it; not every certificate authority requires EAB. Treat the HMAC key as a secret: it binds the ACME accounts created on this server to your account with the certificate authority.
Securing a Website Using ACME Protocol via the GUI
This approach is suitable when securing individual websites.
To secure a website using the ACME protocol via the GUI:
In the navigation pane, click Websites & Domains, and then locate the website you want to secure.
On the "Dashboard" tab, click SSL/TLS Certificates.
Scroll to the bottom of the page, and then, under "Request a certificate from a chosen ACME certificate authority", click Request.
Enter the ACME directory URL you received from the chosen certificate authority.
(Optional) If required by the certificate authority, enter the EAB Key ID and the EAB HMAC Key.
Select the desired options, such as whether to request a wildcard certificate, or whether to secure mail and/or webmail using the same certificate. By default, the "Secure the domain name" option, which only secures the website itself, is preselected.
Once you have selected all desired options, click Request.
Securing a Website Using ACME Protocol via the CLI
The CLI command can be called during the execution of a shell script. This approach is suitable when securing a large number of websites at once, or when automating the securing of newly created websites.
To secure a website using the ACME protocol via the CLI:
Log in to the Plesk server via SSH as the root user, or via RDP as the administrator. You can also use the SSH Terminal extension.
Enter the following command in the shell:
    plesk ext sslit --certificate -issue -domain <FQDN of the website being secured>
Append one or more desired options, such as whether to request a wildcard certificate, or whether to secure mail and/or webmail using the same certificate. To only secure the website itself, specify "-secure-domain":
    [-secure-domain -secure-www -secure-webmail -secure-mail -aliases -wildcard]
Append the ACME directory URL you received from the chosen certificate authority:
    -directory-url <ACME directory URL>
(Optional) If required by the certificate authority, append the EAB Key ID and the EAB HMAC Key:
    -kid <Key ID> -hmac <HMAC Key>
Keep in mind that command-line arguments are visible to other local users in the process list and are recorded in the shell history, so avoid typing the HMAC key interactively or hard-coding it in scripts that others can read.
Run the command.
Here is what such a command may look like (a wildcard request is validated via DNS-01, so the domain's DNS must be served by Plesk or by a properly integrated external DNS service):
    plesk ext sslit --certificate -issue -domain example.com -secure-domain -wildcard -directory-url https://acme-v02.api.letsencrypt.org/directory
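The script below is an added example and is not part of Plesk or the ACME SSL extension. It automates the CLI procedure above for the bulk case the section mentions: it issues a certificate for every domain hosted on the server, keeps going when one domain fails, and supports EAB. It assumes that `plesk bin domain --list` prints one hosted domain name per line (a standard Plesk CLI command, used here without the extension's involvement) and that the EAB HMAC key is stored in a file readable only by root. The directory URL, the EAB key ID and the key file path are hypothetical settings supplied through the environment.

```shell
#!/bin/sh
# Added example; not part of Plesk or the ACME SSL extension. It wraps the
# `plesk ext sslit --certificate -issue` command documented above to secure
# every domain hosted on the server in one pass, with optional EAB.
# Assumption: `plesk bin domain --list` prints one hosted domain name per line.
set -u

# Settings come from the environment (hypothetical values). The EAB HMAC key is
# read from a file (mode 0600) so it never sits in the script or in shell
# history; the CLI still receives it as an argument, so it is visible in the
# process list for the duration of the call.
DIRECTORY_URL="${DIRECTORY_URL:-https://acme-v02.api.letsencrypt.org/directory}"
EAB_KID="${EAB_KID:-}"
EAB_HMAC_FILE="${EAB_HMAC_FILE:-}"

# Print the HMAC key stored in the given file, refusing files other users can read.
read_hmac_key() {
    file="$1"
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file" 2>/dev/null)
    case "$mode" in
        600|400) cat "$file" ;;
        *) echo "refusing $file: mode '$mode' is not 0600 or 0400" >&2; return 1 ;;
    esac
}

# Issue a certificate for one domain (the site itself plus its www alias).
# Returns the exit status of the plesk CLI so callers can tell success from failure.
issue_certificate() {
    domain="$1"
    if [ -n "$EAB_KID" ]; then
        hmac=$(read_hmac_key "$EAB_HMAC_FILE") || return 1
        plesk ext sslit --certificate -issue -domain "$domain" \
            -secure-domain -secure-www -directory-url "$DIRECTORY_URL" \
            -kid "$EAB_KID" -hmac "$hmac"
    else
        plesk ext sslit --certificate -issue -domain "$domain" \
            -secure-domain -secure-www -directory-url "$DIRECTORY_URL"
    fi
}

# Read domain names from stdin, one per line, and issue a certificate for each.
# One failure must not abort the run: CLI output goes to stderr, the names of
# the domains that failed go to stdout, and the exit status is 1 if any failed.
secure_domains() {
    failed=0
    while IFS= read -r domain; do
        [ -n "$domain" ] || continue
        # </dev/null keeps the CLI from consuming the rest of the domain list.
        if issue_certificate "$domain" </dev/null 1>&2; then
            echo "ok: $domain" >&2
        else
            echo "FAILED: $domain" >&2
            printf '%s\n' "$domain"
            failed=1
        fi
    done
    return "$failed"
}

# `sh secure-all-domains.sh run` secures every domain hosted on this server.
if [ "${1:-}" = "run" ]; then
    plesk bin domain --list | secure_domains
fi
```

Run it as root, for example `EAB_KID=... EAB_HMAC_FILE=/root/eab.hmac DIRECTORY_URL=https://... sh secure-all-domains.sh run > failed.txt`; stdout then holds only the domains that still need attention, which makes a retry a matter of `secure_domains < failed.txt`. The same `secure_domains` function can be fed a single newly created domain from a provisioning script.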
Restricting Access to ACME Protocol
It is possible to remove the ability to secure websites using the ACME protocol via the GUI from customer and reseller accounts. If you do, the "Request a certificate from a chosen ACME certificate authority" section on the "SSL/TLS Certificates" pages of hosted websites will only be shown to administrators, even though the ACME SSL extension is installed. The restriction applies to the GUI only; the CLI described above remains available to the root user.
To restrict access to ACME protocol via the GUI to administrators only:
Open the panel.ini file for editing. The file is located here:
    (Plesk for Linux) /usr/local/psa/admin/conf/panel.ini
    (Plesk for Windows) %plesk_dir%admin\conf\panel.ini
You can also edit the file from the Plesk interface using the Panel.ini Editor extension.
Add the following lines to the file (if it already contains an [ext-sslit] section, add the second line under that section instead of creating a duplicate one):
    [ext-sslit]
    acmeExtensionIsAdminOnly = true
Once the change has been made, users logged in to the Plesk interface under a customer or a reseller account will no longer see the "Request a certificate from a chosen ACME certificate authority" section on the "SSL/TLS Certificates" pages of their hosted domains.