觀看視頻教程

The SSL It! extension offers a single interface for keeping your websites secured with SSL/TLS certificates from the trusted certificate authorities (CAs) Let’s Encrypt and DigiCert (Symantec, GeoTrust, and RapidSSL brands) or with any other SSL/TLS certificate of your choice. Using the extension, you can also do the following:

  • 通過從 HTTP 重定向到 HTTPS 增強網站訪客的安全度。
  • 通過禁止 web 瀏覽器存取使用 HTTP 不安全連接的網站來保護網站訪客。
  • 使用 OCSP 裝訂保護網站訪客的隱私並提高網站性能。
  • 讓使用 SSL/TLS 證書加密的連接在使用 Mozilla 生成的協定和密碼時更安全。

開始使用 SSL It!

Take into account the following:

  • The SSL It! extension is installed by default.
  • 若要利用所有的 SSL It! 功能,請確保還安裝了最新版的 DigiCert SSL 和 Let’s Encrypt 擴展。

To manage an SSL/TLS certificate of a domain, go to Websites & Domains > your domain. You can see the current security status of the domain under 「SSL/TLS Certificates」:

image status

使用 SSL/TLS 證書保護網站的安全

With the SSL It! extension, you can secure websites with free and paid SSL/TLS certificates (at the moment they are from DigiCert only) and also with SSL/TLS certificates you already own.

若要使用 Let’s Encrypt 免費的 SSL/TLS 證書保護網站的安全,請如下操作:

  1. 轉到 網站與域名 > 您的域名 > SSL/TLS 證書

  2. Under 「More options」, click Install:

    image install_button

  3. 指定將用於緊急通知和丟失金鑰恢復的電郵地址。

  4. 選擇除了主域名之外還需保護的域名:

    • Secure the main domain name. Secure only the main domain. If you want to secure only the webmail, you can clear the checkbox.
    • Secure the wildcard domain (including www and webmail). Secure the www subdomain and/or domain aliases, and the webmail.
    • Include a 「www」 subdomain for the domain and each selected alias. Secure the www subdomain and/or domain aliases.
    • Secure webmail on this domain. Secure the webmail.
    • Assign the certificate to mail domain. Secure the mail with the IMAP, POP, or SMTP protocol. If you have the www subdomain and/or domain aliases, select the Include a 「www」 subdomain for the domain and each selected alias checkbox.
  5. 點按 免費獲取

將會簽發一個 Let’s Encrypt 的 SSL/TLS 證書並自動安裝。

備註: If you secure a domain with an SSL/TLS certificate from Let’s Encrypt and then add new domains, subdomains, domain aliases, or webmail to the subscription, you can have SSL It! automatically secure them by reissuing the SSL/TLS certificate from Let’s Encrypt. To do so, go to Websites & Domains > your domain > SSL/TLS Certificates and turn on the Keep websites secured option.

若要獲取付費的 SSL/TLS 證書,請如下操作:

  1. 轉到 網站與域名 > 您的域名 > SSL/TLS 證書

  2. To get the list of available certificates, click Get Certificates:

    image Get_Certificates_Button

  3. Select the SSL/TLS certificate you want to buy and click the Buy button in the certificate’s form. .. note:

    To find an appropriate certificate, you can do the following:
    
    -   Filter the available certificates. You can apply the **Recommended**, **Wildcard**, and
        **For organization use** filter sets.
    -   Read more about a certificate (its validity period, validation type, and so on) by
        clicking the **Learn more** button in the certificate’s form.
    
  4. In the Plesk Online Store pop-up window, fill in your address, payment information, and then buy the certificate.

  5. Сlose the pop-up window.

  6. Wait until Plesk updates the payment status or update it manually by clicking Reload. Plesk automatically updates the payment status once per hour.

    image waiting payment

  7. 付款處理後,點按 填寫必填資料

    image payment received

  8. Fill in the required contact information, and then click OK.

Plesk 現在即自動創建證書簽名請求 (CSR) 然後接收和安裝 SSL/TLS 證書。根據不同類型的 SSL/TLS 證書,可能需要一定時間。您可以點按 重新載入 手動更新 SSL/TLS 證書狀態或等候 Plesk 自動將其更新(Plesk 會每小時檢查 SSL/TLS 證書狀態一次)。

備註: 某些類型的 SSL/TLS 證書(例如 EV)需要您額外執行一些操作。您可能需要接聽電話或回復電子郵件,同時還需提交必要的檔,這樣 CA 才可以驗證您的應用程式。

SSL/TLS 證書安裝好後,網站與域名 > 您的域名 > SSL/TLS 證書 螢幕將會顯示有關已安裝的 SSL/TLS 證書(名稱、證書機構、電郵地址,等等)、已安全保護的元件和其它選項(」從 http 重定向到 https」、」HSTS」,等等)的資訊。

Securing Websites via CLI

You can also secure websites with wildcard SSL/TLS certificates via the CLI. Execute the following CLI commands:

plesk ext sslit --certificate -issue -domain <domain_name> -registrationEmail <email> -secure-domain -wildcard

and then

plesk ext sslit --certificate -issue <domain_name> -registrationEmail <email> -continue

The first command creates a wildcard certificate order, while the second one completes the order and issues the certificate.

上傳 SSL/TLS 證書

You may want to upload an SSL/TLS certificate in the following cases:

  • You already have a certificate that you want to use to secure your domain.
  • 您想要安裝無法通過 SSL It! 獲取的證書。

若要上傳 SSL/TLS 證書,請如下操作:

  1. 轉到 網站與域名 > 您的域名 > SSL/TLS 證書 然後點按 上傳

    image upload

  2. 找到您要上傳的 SSL/TLS 證書的 .pem 文件然後點按 打開

SSL/TLS 證書將自動在域名上安裝。

續訂更新已安裝的 SSL/TLS 證書

為了您的網站能夠得到持續有效的安全保護,您需要按時續訂更新已安裝的 SSL/TLS 證書。SSL It! 擴展會幫助您實現此目的。

SSL It! 會在證書到期前 30 天自動續訂更新 Let’s Encrypt 和 DigiCert 免費的 SSL/TLS 證書。

image renew

SSL It! cannot automatically renew paid SSL/TLS certificates. However, you can do the following:

  • 手動重新簽發這些證書。
  • 讓 SSL It! 使用 Let’s Encrypt 免費的證書自動替換已到期的 SSL/TLS 證書。

若要重新簽發付費的 SSL/TLS 證書,請如下操作:

  1. 轉到 網站與域名 > 使用快要到期的付費 SSL/TLS 證書保護安全的域名 > SSL/TLS 證書

  2. 點按 重新簽發證書。然後會自動將您重定向到 Plesk 線上商店。

  3. In the Plesk Online Store pop-up window, fill in your address, payment information, and then buy the certificate.

  4. Сlose the pop-up window.

  5. Wait until Plesk updates the payment status or update it manually by clicking Reload. Plesk automatically updates the payment status once per hour.

    image waiting payment

  6. 付款處理後,點按 填寫必填資料

    image payment received

  7. Fill in the required contact information, and then click OK.

Plesk 現在即自動創建證書簽名請求 (CSR) 然後接收和安裝 SSL/TLS 證書。根據不同類型的 SSL/TLS 證書,可能需要一定時間。您可以點按 重新載入 手動更新 SSL/TLS 證書狀態或等候 Plesk 自動將其更新(Plesk 會每小時檢查 SSL/TLS 證書狀態一次)。

若要使用 Let’s Encrypt 免費的證書自動替換已到期的付費 SSL/TLS 證書,請如下操作:

  1. 轉到 網站與域名 > 使用快要到期的付費 SSL/TLS 證書保護安全的域名 > SSL/TLS 證書
  2. Turn on Keep websites secured.

Now when your paid SSL/TLS certificate expires, SSL It! automatically issues a free SSL/TLS certificate from Let’s Encrypt to secure domains, subdomains, domain aliases, and webmail belonging to the subscription. It usually happens no later than one hour after the SSL/TLS certificate expires.

取消分配 SSL/TLS 證書

  1. 轉到 網站與域名 > 您想要取消分配 SSL/TLS 證書的域名 > SSL/TLS 證書
  2. Click Unassign Certificate, and then click OK.

增強網站和已加密伺服器連接的安全性

僅僅使用來自可信 CA 的有效 SSL 證書保護網站的安全不足以獲得全面的保護。SSL 是一種複雜的技術,有很多功能(金鑰加密演算法、安全密碼、HSTS,等等),這些功能可以:

  • 增強網站訪客的安全性。
  • 提高網站性能。
  • 強化所有伺服器加密連接的安全性

啟用這些功能可以提高網站的搜尋引擎排名:

  • Redirect from http to https sets up a permanent, SEO-safe 301 redirect from the insecure HTTP to the secure HTTPS version of the website and/or webmail.
  • HSTS prohibits web browsers from accessing the website via insecure HTTP connections.
  • OSCP makes the web server request the status of the website’s certificate (can be good, revoked, or unknown) from the CA instead of the visitor’s browser.
  • TLS versions and ciphers by Mozilla harden connections secured with SSL/TLS certificates (website, mail, Plesk, and so on).

警示: Before turning these features on, make sure that your website can be accessed via HTTPS without any issues. Otherwise, visitors may have trouble accessing your website.

備註: 如果您已手動在您的 web 伺服器中設定了 HSTS 或 OCSP 裝訂,請在 SSL It!.中打開 HSTS or OCSP 裝訂之前刪除這些自訂設定。

若要增強網站和已加密伺服器連接的安全性,請如下操作:

  1. 使用可信 CA 的有效 SSL/TLS 證書保護網站的安全。

  2. 轉到 網站與域名 > 您的域名 > SSL/TLS 證書

  3. If you have upgraded to Plesk Obsidian from earlier Plesk versions, turn on Redirect from http to https. The redirect will be also applied for webmail by default. On clean Plesk Obsidian installations, the redirect for the domain and webmail is already turned on by default.

    備註: If your webmail is not secured with a valid SSL/TLS certificate or you do not have any webmail, clear the Include webmail checkbox.

  4. Enable HSTS.

    備註: If your SSL/TLS certificate expires earlier than the Max-age period but you still want to use HSTS, we recommend that you turn on 「Keep websites secured」. Then when the SSL/TLS certificate expires, SSL It! will automatically issue a free one from Let’s Encrypt to secure domains, subdomains, domain aliases, and webmail belonging to the subscription. The website will be continuously secured and HSTS will continue working.

  5. Turn on OCSP Stapling.

  6. Enable TLS versions and ciphers by Mozilla.

一旦強化了網站和伺服器的 SSL 安全性,即可評估網站的 SSL 安全性。

備註: You can also enable HSTS and OCSP via the CLI. For example, to enable HSTS for the domain example.com that has already been secured with an SSL/TLS certificate, run the following command:

plesk ext sslit --hsts -enable -domain example.com -max-age 6months

To enable OCSP for the same domain, run the following command:

plesk ext sslit --ocsp-stapling -enable -domain example.com

To learn more about using SSL It! via the CLI, run the plesk ext sslit --help command.

Enabling HSTS

  1. 打開 HSTS。
  2. Make sure that the SSL/TLS certificate that secures your website will be valid during the Max-age period. Do the same for subdomains and the webmail subdomain.

警告: If the SSL/TLS certificate expires earlier than the Max-age period and HSTS is turned on, visitors won’t be able to access your website.

  1. If your subdomains are not secured with valid SSL/TLS certificates or you do not have any subdomains, clear the Include subdomains checkbox.
  2. If your webmail subdomain is not secured with a valid SSL/TLS certificate or you do not have any webmail, clear the Include webmail checkbox.
  3. 點按 啟用 HSTS

Enabling TLS Versions and Сiphers by Mozilla

  1. Go to Extensions > the My Extensions tab > click Open next to SSL It!
  2. Under TLS versions and ciphers by Mozilla, turn on the toggle.
  3. Keep Intermediate (recommended), and then click Enable & Sync.
  4. To stay current, click Sync now once every few months.

已知問題和局限性

  • OCSP 裝訂只適用於由 nginx 和 Apache 服務或 nginx 單獨服務的網站。如果您的網站只由 Apache 服務,則不需要開啟 「OCSP 裝訂」。
  • 如果完整的信任鏈未就位,OCSP 裝訂可能無法用於某些供應商的 SSL/TLS 證書(例如 DigiCert 的免費證書)。若要檢查您的證書是否支援 OCSP 裝訂,請在您的 SSL 配置上運行 SSL Labs 測試。
  • 目前還不支援自動同步 Mozilla 提供的 TLS 版本和密碼。

評估網站的 SSL 的安全性

流行的搜尋引擎(例如 Google)會給有更好 SSL 保護的網站更高排名。在 SSL It! 擴展中,您可以運行最流行的測試服務,Qualys SSL Labs,以實現:

  • 檢查您網站的 SSL 保護有多好。
  • 查看哪些可以提升。
  • 獲得 A+,最高評分(必要時強化 SSL 保護後)。

若要評估網站的 SSL 的安全性,請如下操作:

  1. 轉到 網站與域名 > 您的域名 > SSL/TLS 證書
  2. Click Run SSL Labs Test.

將在新的標籤中打開 Qualys SSL Labs 網站,然後自動開始測試。等測試結束後即可獲得您的評分。這可能需要幾分鐘的時間。

如果您使用可信 CA 的有效 SSL/TLS 證書保護網站的安全,且打開了 SSL It! 提供的所有安全增強功能,最有可能得到 A+ 的評分。

自訂 SSL It! 提供的 SSL/TLS 證書列表

SSL It! makes it possible to order SSL/TLS certificates from a variety of vendors. You can choose which of them will be visible in the SSL It! interface for you, your customers, and resellers. This is done by installing (enabling) or removing (disabling) SSL It! plugin extensions that facilitate integration between SSL It! and a specific vendor.

Add the ability to order SSL/TLS certificates from a specific vendor:

  1. Go to Extensions and type the name of the plugin extension corresponding to the desired vendor in the search field.
  2. Install the extension. If the extension is already installed, make sure that it is not disabled and enable it if necessary.

You, your customers, and resellers will now see the certificates sold by that vendor in the SSL It! interface.

Remove the ability to order SSL/TLS certificates from a specific vendor:

  1. Go to Extensions > My Extensions and locate the plugin extension corresponding to the desired vendor.
  2. Remove or disable the extension.

You, your customers, and resellers will no longer see the certificates sold by that vendor in the SSL It! interface. This will not impact customers who have already bought SSL/TLS certificates from that vendor.

備註: If you are a vendor of SSL/TLS certificates and you want them to be integrated and sold in SSL It!, contact us by the email: plesk-extensions@plesk.com. We will tell you how to get started with writing your own extension to integrate the SSL/TLS certificates and guide you until they will be available for purchase in SSL It!

SSL It! enhanced probability of certificates』 issue

SSL It! has a default feature that significantly decreases a number of cases when Let’s Encrypt SSL/TLS certificates cannot be issued because of incompatible domain configurations.

When you get an SSL/TLS certificate from Let’s Encrypt, its servers need to validate that you control the domain names in the certificate. To do so, Let’s Encrypt uses so-called “challenges”: Let’s Encrypt gives a token file that Plesk places to http://<your_domain>/.well-known/acme-challenge/<token>. We call this directory the common challenge directory. The certificate issue will fail if this directory is not accessible. It may happen because of the following configurations:

When installed, SSL It! ensures that the common challenge directory is supported and accessible even if certain incompatible configurations are detected. The feature “common challenge directory support” is enabled by default in Plesk for Linux and Windows.

If necessary, you can turn off the feature via the CLI by running the following command:

plesk ext sslit --common-challenge-dir –disable.

However, we recommend that you keep the common challenge directory support on.

If you have updated to SSL It! 1.4.0 from earlier versions, the common challenge directory support will be turned on automatically unless the use-common-challenge-dir setting was disabled in panel.ini. If the option was disabled, you need to turn on the support manually by running the following command:

plesk ext sslit --common-challenge-dir –enable.

Starting with SSL It! 1.4.0 the use-common-challenge-dir setting is deprecated.

Limiting the ability to order paid SSL/TLS certificates

It is possible to limit customers』 ability to order paid SSL/TLS certificates from certain vendors, or to hide the 「Get Certificates」 button. Customers will still be able to secure their websites with SSL/TLS certificates from Let’s Encrypt.

Limit the ability to order paid SSL/TLS certificates from one or more vendors:

  1. Open the 「panel.ini」 file for editing.

  2. Under 「[extensions]」, add the following line:

    blacklist = <comma-separated list of IDs of SSL It! plugin extensions>
    

    For example, to limit the ability to order SSL/TLS certificates from Symantec (DigiCert), add the following lines:

    [extensions]
    blacklist = symantec
    

Limiting the ability to order paid SSL/TLS certificates from a certain vendor will not impact customers who have already bought SSL/TLS certificates from them. To restore the ability to order paid SSL/TLS certificates from a vendor, remove the IDs of the corresponding SSL It! plugin extension from the blacklist by editing the panel.ini file again.

Hide the 「Get Certificates」 button:

  1. Open the 「panel.ini」 file for editing.

  2. Under 「[ext-sslit]」, add the following line:

    showGetMoreCertificatesLink = false
    

Hiding the 「Get Certificates」 button will not impact customers who have already bought SSL/TLS certificates, and it will also not affect the ability of customers to secure their websites with SSL/TLS certificates from Let’s Encrypt. Additionally, if the Sectigo extension is installed on the server, customers will have the ability to order paid certificates from Sectigo despite the 「Get Certificates」 button being hidden. To make the button visible, remove the line by editing the panel.ini file again.