Watch the video tutorial

The SSL It! extension offers a single interface for keeping your websites secured with SSL/TLS certificates from the trusted certificate authorities (CAs) Let’s Encrypt and DigiCert (Symantec, GeoTrust, and RapidSSL brands) or with any other SSL/TLS certificate of your choice. Using the extension, you can also do the following:

  • Enhance the security of website visitors by redirecting from HTTP to HTTPS.
  • Protect website visitors by prohibiting web browsers from accessing the website via insecure HTTP connections.
  • Protect website visitors' privacy and improve website performance with OCSP stapling.
  • Make connections encrypted with SSL/TLS certificates safer by using the TLS versions and ciphers generated by Mozilla.

Getting Started with SSL It!

Take into account the following:

  • The SSL It! extension is installed by default.
  • To take advantage of all SSL It! features, make sure that the latest versions of the DigiCert SSL and Let's Encrypt extensions are also installed.

To manage an SSL/TLS certificate of a domain, go to Websites & Domains > your domain. You can see the current security status of the domain under “SSL/TLS Certificates”:


Securing Websites with SSL/TLS Certificates

With the SSL It! extension, you can secure websites with free SSL/TLS certificates (from Let's Encrypt or DigiCert), with paid SSL/TLS certificates (at the moment from DigiCert only), and with SSL/TLS certificates you already own.

To secure a website with a free SSL/TLS certificate from Let's Encrypt, do the following:

  1. Go to Websites & Domains > your domain > SSL/TLS Certificates.

  2. Under “More options”, click Install:


  3. Specify the email address to be used for urgent notifications and lost key recovery.

  4. Select what to secure in addition to the main domain name:

    • Secure the main domain name. Secures the main domain itself. Clear this checkbox only if you want to secure the webmail alone.
    • Secure the wildcard domain (including www and webmail). Requests a wildcard certificate (*.<your_domain>) that covers the www subdomain, the webmail, and every other subdomain of the domain, plus the selected domain aliases. Let's Encrypt validates wildcard names only with a DNS challenge, so a TXT record for _acme-challenge.<your_domain> must appear in the domain's DNS zone; Plesk publishes it for zones it serves, otherwise you add it yourself.
    • Include a "www" subdomain for the domain and each selected alias. Secures the www subdomain of the domain and of each selected alias.
    • Secure webmail on this domain. Secures the webmail.
    • Assign the certificate to mail domain. Secures the mail services (IMAP, POP3, and SMTP) on the domain. If you have the www subdomain and/or domain aliases, also select the Include a "www" subdomain for the domain and each selected alias checkbox.
  5. Click Get it free.

A Let's Encrypt SSL/TLS certificate is issued and installed automatically.

Note: If you secure a domain with an SSL/TLS certificate from Let's Encrypt and then add new domains, subdomains, domain aliases, or webmail to the subscription, you can have SSL It! automatically secure them by reissuing the SSL/TLS certificate from Let's Encrypt. To do so, go to Websites & Domains > your domain > SSL/TLS Certificates and turn on the Keep websites secured option.

To get a paid SSL/TLS certificate, do the following:

  1. Go to Websites & Domains > your domain > SSL/TLS Certificates.

  2. To get the list of available certificates, click Get Certificates:


  3. Select the SSL/TLS certificate you want to buy and click the Buy button in the certificate's form.

    Note: To find an appropriate certificate, you can do the following:

    • Filter the available certificates. You can apply the Recommended, Wildcard, and For organization use filter sets.
    • Read more about a certificate (its validity period, validation type, and so on) by clicking the Learn more button in the certificate's form.
    
  4. In the Plesk Online Store pop-up window, fill in your address, payment information, and then buy the certificate.

  5. Close the pop-up window.

  6. Wait until Plesk updates the payment status or update it manually by clicking Reload. Plesk automatically updates the payment status once per hour.


  7. Once the payment has been processed, click Fill in the required data.


  8. Fill in the required contact information, and then click OK.

Plesk now automatically creates a certificate signing request (CSR), and then receives and installs the SSL/TLS certificate. Depending on the type of SSL/TLS certificate, this may take some time. You can update the certificate status manually by clicking Reload, or wait for Plesk to update it automatically (Plesk checks the SSL/TLS certificate status once per hour).

Note: Some types of SSL/TLS certificates (for example, EV) require additional actions on your part. You may need to answer a phone call or reply to an email, and provide the required documents, so that the CA can validate your request.

Once the SSL/TLS certificate is installed, the Websites & Domains > your domain > SSL/TLS Certificates screen shows information about the installed certificate (name, certificate authority, email address, and so on), the components it secures, and other options ("Redirect from http to https", "HSTS", and so on).

Securing Websites via CLI

You can also secure websites with wildcard SSL/TLS certificates via the CLI. Execute the following CLI commands:

plesk ext sslit --certificate -issue -domain <domain_name> -registrationEmail <email> -secure-domain -wildcard

and then

plesk ext sslit --certificate -issue -domain <domain_name> -registrationEmail <email> -continue

The first command creates a wildcard certificate order, while the second one completes the order and issues the certificate. Let's Encrypt validates wildcard names only through a DNS challenge, so the TXT record for _acme-challenge.<domain_name> that the order requires must be published in the domain's DNS zone and have propagated before you run the second command; otherwise validation fails. Check the exact option syntax for your SSL It! version with plesk ext sslit --help.

Uploading an SSL/TLS Certificate

You may want to upload an SSL/TLS certificate in the following cases:

  • You already have a certificate that you want to use to secure your domain.
  • You want to install a certificate that cannot be obtained through SSL It!.

To upload an SSL/TLS certificate, do the following:

  1. Go to Websites & Domains > your domain > SSL/TLS Certificates, and then click Upload.


  2. Browse to the .pem file of the SSL/TLS certificate you want to upload, and then click Open. The file should contain the private key, the certificate, and the intermediate CA certificates; a missing chain is a common cause of browser trust errors and of OCSP stapling not working.

The SSL/TLS certificate is installed on the domain automatically.

Renewing Installed SSL/TLS Certificates

For your websites to stay secured without interruption, you need to renew the installed SSL/TLS certificates on time. The SSL It! extension helps you do this.

SSL It! automatically renews free SSL/TLS certificates from Let's Encrypt and DigiCert 30 days before they expire.


SSL It! cannot automatically renew paid SSL/TLS certificates. However, you can do the following:

  • Reissue them manually.
  • Let SSL It! automatically replace expired SSL/TLS certificates with free ones from Let's Encrypt.

To reissue a paid SSL/TLS certificate, do the following:

  1. Go to Websites & Domains > the domain secured with the paid SSL/TLS certificate that is about to expire > SSL/TLS Certificates.

  2. Click Reissue Certificate. You are automatically redirected to the Plesk Online Store.

  3. In the Plesk Online Store pop-up window, fill in your address, payment information, and then buy the certificate.

  4. Close the pop-up window.

  5. Wait until Plesk updates the payment status or update it manually by clicking Reload. Plesk automatically updates the payment status once per hour.


  6. Once the payment has been processed, click Fill in the required data.


  7. Fill in the required contact information, and then click OK.

Plesk now automatically creates a certificate signing request (CSR), and then receives and installs the SSL/TLS certificate. Depending on the type of SSL/TLS certificate, this may take some time. You can update the certificate status manually by clicking Reload, or wait for Plesk to update it automatically (Plesk checks the SSL/TLS certificate status once per hour).

To have an expired paid SSL/TLS certificate automatically replaced with a free one from Let's Encrypt, do the following:

  1. Go to Websites & Domains > the domain secured with the paid SSL/TLS certificate that is about to expire > SSL/TLS Certificates.
  2. Turn on Keep websites secured.

Now when your paid SSL/TLS certificate expires, SSL It! automatically issues a free SSL/TLS certificate from Let’s Encrypt to secure domains, subdomains, domain aliases, and webmail belonging to the subscription. It usually happens no later than one hour after the SSL/TLS certificate expires.

Unassigning an SSL/TLS Certificate

  1. Go to Websites & Domains > the domain from which you want to unassign the SSL/TLS certificate > SSL/TLS Certificates.
  2. Click Unassign Certificate, and then click OK.

Hardening the Security of Websites and Encrypted Server Connections

Securing a website with a valid SSL/TLS certificate from a trusted CA is not, by itself, enough for full protection. SSL/TLS is a complex technology with many features (key exchange and cipher algorithms, HSTS, OCSP stapling, and so on) that can:

  • Enhance the security of website visitors.
  • Improve website performance.
  • Harden the security of all encrypted server connections.

Enabling these features can also improve the website's search engine ranking. SSL It! provides the following:

  • Redirect from http to https sets up a permanent, SEO-safe 301 redirect from the insecure HTTP to the secure HTTPS version of the website and/or webmail.
  • HSTS prohibits web browsers from accessing the website via insecure HTTP connections.
  • OCSP stapling makes the web server fetch the status of the website's certificate (good, revoked, or unknown) from the CA and deliver it to visitors inside the TLS handshake, so the visitor's browser does not have to contact the CA itself. This keeps the visitor's browsing private from the CA and saves a network round trip.
  • TLS versions and ciphers by Mozilla harden connections secured with SSL/TLS certificates (website, mail, Plesk, and so on).

Warning: Before turning these features on, make sure that your website can be accessed via HTTPS without any issues. Otherwise, visitors may have trouble accessing your website.

Note: If you have manually set up HSTS or OCSP stapling in your web server, remove those custom settings before turning on HSTS or OCSP stapling in SSL It!. Otherwise the two configurations overlap, and duplicate or conflicting headers are sent.

To harden the security of a website and of encrypted server connections, do the following:

  1. Secure the website with a valid SSL/TLS certificate from a trusted CA.

  2. Go to Websites & Domains > your domain > SSL/TLS Certificates.

  3. If you have upgraded to Plesk Obsidian from earlier Plesk versions, turn on Redirect from http to https. The redirect will be also applied for webmail by default. On clean Plesk Obsidian installations, the redirect for the domain and webmail is already turned on by default.

    Note: If your webmail is not secured with a valid SSL/TLS certificate or you do not have any webmail, clear the Include webmail checkbox.

  4. Enable HSTS.

    Note: If your SSL/TLS certificate expires earlier than the Max-age period but you still want to use HSTS, we recommend that you turn on "Keep websites secured". Then, when the SSL/TLS certificate expires, SSL It! automatically issues a free one from Let's Encrypt to secure the domains, subdomains, domain aliases, and webmail belonging to the subscription. The website stays secured and HSTS keeps working.

  5. Turn on OCSP Stapling.

  6. Enable TLS versions and ciphers by Mozilla.

Once you have hardened the SSL security of the website and the server, you can assess the website's SSL security.

注解: You can also enable HSTS via the CLI. For example, to enable HSTS for the domain example.com that has already been secured with an SSL/TLS certificate, run the following command:

plesk ext sslit --hsts -enable -domain example.com

To see details on using SSL It! via the CLI, run the plesk ext sslit --help command.

Enabling HSTS

  1. Turn on HSTS.
  2. Make sure that the SSL/TLS certificate that secures your website will remain valid for the whole Max-age period. Do the same for subdomains and the webmail subdomain.

Warning: If the SSL/TLS certificate expires earlier than the Max-age period while HSTS is turned on, visitors won't be able to access your website: a browser that has cached the policy refuses plain HTTP and gives no way to click through an invalid certificate.

  3. If your subdomains are not secured with valid SSL/TLS certificates or you do not have any subdomains, clear the Include subdomains checkbox.
  4. If your webmail subdomain is not secured with a valid SSL/TLS certificate or you do not have any webmail, clear the Include webmail checkbox.
  5. Click Enable HSTS.
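The following Python is an added example, not code from the SSL It! documentation or from the extension itself. It models the "Redirect from http to https" and "HSTS" features described above as plain functions, and turns the warning about HSTS and certificate expiry (together with the 30-day renewal window from the renewal section) into checks you can run against a certificate's notAfter date. The hostnames, dates and the max-age value are constructed assumptions, not values taken from Plesk.

```python
"""Added example: HTTP->HTTPS redirect, HSTS header, and the expiry checks
the SSL It! warning calls for. Not part of Plesk or SSL It!."""
import ssl
from typing import Dict, Tuple

# ASSUMPTION: one year. The page does not state the max-age SSL It! sends;
# one year is also the minimum browsers' preload lists require.
DEFAULT_MAX_AGE = 31536000


def hsts_header(max_age: int = DEFAULT_MAX_AGE, include_subdomains: bool = True) -> str:
    """Strict-Transport-Security value. includeSubDomains mirrors the
    "Include subdomains" checkbox: set it only when every subdomain (webmail
    included) presents a valid certificate, or browsers will refuse them."""
    value = f"max-age={max_age}"
    if include_subdomains:
        value += "; includeSubDomains"
    return value


def respond(scheme: str, path_and_query: str, canonical_host: str, *,
            hsts_enabled: bool, include_subdomains: bool) -> Tuple[int, Dict[str, str]]:
    """Return (status, headers) for a request.

    Plain HTTP gets a permanent, SEO-safe 301 to the same path over HTTPS.
    The Location is built from the configured domain name, never from the
    client's Host header, so the redirect cannot become an open redirect.
    No HSTS header is sent on HTTP: RFC 6797 tells browsers to ignore it on
    non-TLS responses, so it is only meaningful on the HTTPS side.
    """
    if scheme == "http":
        return 301, {"Location": f"https://{canonical_host}{path_and_query}"}
    headers: Dict[str, str] = {}
    if hsts_enabled:
        headers["Strict-Transport-Security"] = hsts_header(DEFAULT_MAX_AGE, include_subdomains)
    return 200, headers


def parse_hsts(value: str) -> Dict[str, object]:
    """Parse a Strict-Transport-Security value (for example from a curl -I check)."""
    parsed: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            parsed["max_age"] = int(arg.strip().strip('"'))
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
        elif name == "preload":
            parsed["preload"] = True
    return parsed


def cert_outlives_hsts(not_after: str, now: str, max_age: int) -> bool:
    """The page's warning as a check. Times use the notAfter format that
    ssl.getpeercert() returns, e.g. 'Jun 12 23:59:59 2025 GMT'. A browser
    that cached the policy blocks the site with no click-through for as long
    as the certificate is invalid, so the certificate (or an automatic
    renewal such as "Keep websites secured") must cover the whole window."""
    return ssl.cert_time_to_seconds(now) + max_age <= ssl.cert_time_to_seconds(not_after)


def renewal_due(not_after: str, now: str, window_days: int = 30) -> bool:
    """SSL It! renews free certificates 30 days before expiry; this flags the
    same window for the paid certificates it cannot renew by itself."""
    remaining = ssl.cert_time_to_seconds(not_after) - ssl.cert_time_to_seconds(now)
    return remaining <= window_days * 86400
```

Run it against the notAfter value of the certificate actually served on port 443 (ssl.getpeercert()["notAfter"] on a connected socket) rather than the file on disk, since that is the one browsers evaluate.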

Enabling TLS Versions and Ciphers by Mozilla

  1. Go to Extensions > the My Extensions tab > click Open next to SSL It!
  2. Under TLS versions and ciphers by Mozilla, turn on the toggle.
  3. Keep Intermediate (recommended), and then click Enable & Sync.
  4. To stay current, click Sync now once every few months.
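As an added example (not code from the SSL It! documentation or from the extension), the following Python shows what the Intermediate profile amounts to in OpenSSL terms and audits an ssl.SSLContext against it. The cipher list is the Mozilla Intermediate profile as recalled from the server-side-tls project; treat it as a snapshot that may lag Mozilla's current list, which is exactly why the Sync now button exists. MOZILLA_INTERMEDIATE_CIPHERS, hardened_context and the audit functions are names assumed here, not anything from Plesk.

```python
"""Added example: the Mozilla Intermediate profile as an SSLContext, plus an
audit that flags weak suites and missing forward secrecy. Not part of Plesk."""
import ssl
from typing import List

# ASSUMPTION: Mozilla Intermediate (server-side-tls 5.x) as recalled here.
MOZILLA_INTERMEDIATE_CIPHERS = ":".join([
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
    "DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-CHACHA20-POLY1305",
])
MOZILLA_INTERMEDIATE_MIN_VERSION = ssl.TLSVersion.TLSv1_2

# Substrings that mark a TLS 1.2 suite as unacceptable for the profile.
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "PSK", "SRP")
# Key-exchange prefixes with forward secrecy; TLS 1.3 suites (TLS_*) always
# use ephemeral (EC)DHE, so they pass too.
FORWARD_SECRET_PREFIXES = ("ECDHE-", "DHE-", "TLS_")


def hardened_context() -> ssl.SSLContext:
    """Server context with the Intermediate floor: TLS 1.2+, AEAD suites only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = MOZILLA_INTERMEDIATE_MIN_VERSION
    ctx.set_ciphers(MOZILLA_INTERMEDIATE_CIPHERS)
    return ctx


def audit_cipher_names(names: List[str]) -> List[str]:
    """One finding per suite that is weak or lacks forward secrecy."""
    findings = []
    for name in names:
        if any(marker in name for marker in WEAK_MARKERS):
            findings.append(f"weak cipher suite enabled: {name}")
        elif not name.startswith(FORWARD_SECRET_PREFIXES):
            findings.append(f"no forward secrecy: {name}")
    return findings


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Findings for a context: protocol floor first, then the enabled suites.
    An empty list means the context meets the Intermediate floor."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum TLS version too low: {ctx.minimum_version.name}")
    findings.extend(audit_cipher_names([c["name"] for c in ctx.get_ciphers()]))
    return findings


if __name__ == "__main__":
    for line in audit_context(hardened_context()) or ["hardened context: no findings"]:
        print(line)
```

The audit inspects the names OpenSSL actually enabled (ctx.get_ciphers()), not the string you asked for, so it also catches suites your OpenSSL build silently drops or adds. To audit a live server instead, feed the suites reported by the SSL Labs test into audit_cipher_names.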

Known Issues and Limitations

  • OCSP stapling works only for websites served by nginx and Apache together or by nginx alone. If your website is served by Apache only, there is no point in turning on "OCSP Stapling".
  • OCSP stapling may not work for SSL/TLS certificates from some vendors (for example, free certificates from DigiCert) if the full chain of trust is not in place. To check whether stapling works for your certificate, run the SSL Labs test on your SSL configuration; the report states whether an OCSP response is stapled.
  • Automatic synchronization of TLS versions and ciphers by Mozilla is not supported yet.

Assessing the SSL Security of a Website

Popular search engines (for example, Google) rank websites with better SSL protection higher. From the SSL It! extension you can run the most popular test service, Qualys SSL Labs, to:

  • Check how good your website's SSL protection is.
  • See what can be improved.
  • Get A+, the highest rating (after hardening the SSL protection, if necessary).

To assess the SSL security of a website, do the following:

  1. Go to Websites & Domains > your domain > SSL/TLS Certificates.
  2. Click Run SSL Labs Test.

The Qualys SSL Labs website opens in a new tab and the test starts automatically. Wait for the test to finish to get your rating; this may take a few minutes.

If you have secured the website with a valid SSL/TLS certificate from a trusted CA and turned on all the security enhancements SSL It! provides, you will most likely get an A+ rating.

Customizing the List of SSL/TLS Certificates Offered by SSL It!

By default, when you go to SSL It! to secure a domain with an SSL/TLS certificate, you see four SSL/TLS certificates from different CAs available for installation. There are more, however.

SSL It! has a range of SSL/TLS certificates available for installation. You can choose which of them you, your customers, and your resellers see in the SSL It! interface, either from the SSL It! interface or via the CLI.

Customize the list of SSL/TLS certificates available for installation in SSL It! via the SSL It! interface:

  1. Go to Extensions > My Extensions tab > click Open next to SSL It!.
  2. Next to SSL/TLS Certificates, click Configure.
  3. Select the desired SSL/TLS certificates, and then click Save.

You, your customers, and your resellers will see only the selected certificates in the SSL It! interface.

Customize the list of SSL/TLS certificates available for installation in SSL It! via the CLI:

  1. Connect to the Plesk server via SSH.

  2. Get the full list of available SSL/TLS certificates by running the following command:

    plesk ext sslit --product -list
    
  3. Copy the vendor ID and product ID of each SSL/TLS certificate you want to add to or remove from the list.


  4. To customize the list of SSL/TLS certificates, use CLI commands of the following patterns:

    • To add an SSL/TLS certificate to the list:

      plesk ext sslit --product -add -vendor <vendor-ID> -product <product-ID>
      
    • To remove an SSL/TLS certificate from the list:

      plesk ext sslit --product -remove -vendor <vendor-ID> -product <product-ID>
      
    • To reset the list of SSL/TLS certificates to the default one:

      plesk ext sslit --product -reset-to-defaults
      

    For example, to add the ssl-web-server-ev certificate from Thawte to the list, run the following command:

    plesk ext sslit --product -add -vendor symantec.thawte -product ssl-web-server-ev
    
  5. Repeat the commands above as many times as needed until the list of available SSL/TLS certificates is the one you want.

Note: If you are a vendor of SSL/TLS certificates and want them integrated and sold in SSL It!, contact us at plesk-extensions@plesk.com. We will explain how to get started writing your own extension to integrate the SSL/TLS certificates and guide you until they are available for purchase in SSL It!.

Making Sure Let's Encrypt Certificates Can Be Issued

SSL It! has a feature, enabled by default, that significantly reduces the number of cases in which Let's Encrypt SSL/TLS certificates cannot be issued because of incompatible domain configurations.

When you get an SSL/TLS certificate from Let's Encrypt, its servers need to validate that you control the domain names in the certificate. To do so, Let's Encrypt uses so-called "challenges": Let's Encrypt provides a token, and Plesk places a file for it at http://<your_domain>/.well-known/acme-challenge/<token>, which Let's Encrypt then fetches over plain HTTP (port 80). We call this directory the common challenge directory. Issuance fails if the directory is not accessible, which can happen with certain domain configurations.

When installed, SSL It! ensures that the common challenge directory is served and reachable even if such incompatible configurations are detected. The "common challenge directory support" feature is enabled by default in Plesk for Linux and Plesk for Windows.
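The following Python is an added example; it is not code from the SSL It! documentation or from the extension. It shows what Let's Encrypt actually verifies behind "Get it free": for the HTTP-01 challenge, the body it fetches from http://<your_domain>/.well-known/acme-challenge/<token> in the common challenge directory, and for the wildcard CLI flow described earlier, the TXT record value of the DNS-01 challenge that the order waits for between the two commands. It also runs a local preflight of the challenge file. The account key, token and document root are constructed values (a sample P-256 public key, not one issued to any ACME account), and the function names are assumptions of this example.

```python
"""Added example: ACME key authorization (RFC 8555), JWK thumbprint (RFC 7638),
DNS-01 TXT value, and a local preflight of the HTTP-01 challenge file.
Not part of Plesk or SSL It!."""
import base64
import hashlib
import json
import secrets
import tempfile
from pathlib import Path
from typing import Dict, Tuple

# Constructed sample account public key (JWK). A real ACME account key is
# generated by the client (Plesk) and never leaves the server.
SAMPLE_ACCOUNT_JWK: Dict[str, str] = {
    "kty": "EC", "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME and JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638: SHA-256 over the required public members only, in lexicographic
    order with no whitespace. Extra members (kid, alg) are ignored, which is
    why independent implementations agree on the value."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    canonical = json.dumps({k: jwk[k] for k in required[jwk["kty"]]},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: Dict[str, str]) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint. This binds the response to
    the account that placed the order, not just to the token."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: Dict[str, str]) -> str:
    """RFC 8555 section 8.4: the value published at _acme-challenge.<domain>
    for a wildcard order."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def place_challenge(docroot: Path, token: str, key_authz: str) -> Path:
    """What the ACME client does for HTTP-01: write the key authorization
    under the vhost's document root."""
    target = docroot / ".well-known" / "acme-challenge" / token
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(key_authz, encoding="ascii")
    return target


def preflight(docroot: Path, token: str, account_jwk: Dict[str, str]) -> Tuple[bool, str]:
    """Local mirror of the CA's check: the file must exist and its body must
    equal the key authorization (RFC 8555 section 8.3 lets the server ignore
    trailing whitespace, nothing else). After this passes, fetch the same URL
    over plain HTTP from outside: the CA uses port 80, and any redirect you
    have configured must still end at this file."""
    target = docroot / ".well-known" / "acme-challenge" / token
    if not target.is_file():
        return False, f"missing: {target}"
    try:
        body = target.read_text(encoding="ascii")
    except (OSError, UnicodeDecodeError) as exc:
        return False, f"unreadable: {exc}"
    if body.rstrip() != key_authorization(token, account_jwk):
        return False, "body does not match the key authorization"
    return True, "ok"


def new_token() -> str:
    """Tokens are random base64url strings with at least 128 bits of entropy."""
    return b64url(secrets.token_bytes(32))


def preflight_demo() -> Tuple[Tuple[bool, str], Tuple[bool, str], Tuple[bool, str]]:
    """Missing file, correct file, tampered file, in a throwaway document root."""
    token = new_token()
    with tempfile.TemporaryDirectory() as tmp:
        docroot = Path(tmp)
        before = preflight(docroot, token, SAMPLE_ACCOUNT_JWK)
        path = place_challenge(docroot, token, key_authorization(token, SAMPLE_ACCOUNT_JWK))
        good = preflight(docroot, token, SAMPLE_ACCOUNT_JWK)
        path.write_text("not the key authorization", encoding="ascii")
        tampered = preflight(docroot, token, SAMPLE_ACCOUNT_JWK)
    return before, good, tampered
```

The preflight only proves the file is correct on disk; the failures the common challenge directory feature works around are on the serving side (the request never reaching that path), so pair it with an external HTTP fetch of the same URL before turning the feature off.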

If necessary, you can turn off the feature via the CLI by running the following command:

plesk ext sslit --common-challenge-dir --disable

However, we recommend that you keep the common challenge directory support on.

If you have updated to SSL It! 1.4.0 from an earlier version, common challenge directory support is turned on automatically unless the use-common-challenge-dir setting was disabled in panel.ini. If it was disabled, turn the support on manually by running the following command:

plesk ext sslit --common-challenge-dir --enable

Starting with SSL It! 1.4.0, the use-common-challenge-dir setting in panel.ini is deprecated; use the CLI command above instead.