Watch the video tutorial

The SSL It! extension offers a single interface for keeping your websites secured with SSL/TLS certificates from the trusted certificate authorities (CAs) Let’s Encrypt and DigiCert (Symantec, GeoTrust, and RapidSSL brands) or with any other SSL/TLS certificate of your choice. Using the extension, you can also do the following:

  • Enhance the security of website visitors by redirecting from HTTP to HTTPS.
  • Protect website visitors by prohibiting web browsers from accessing the website via insecure HTTP connections.
  • Protect the privacy of website visitors and improve website performance with OCSP stapling.
  • Make connections encrypted with SSL/TLS certificates more secure by using the TLS versions and ciphers generated by Mozilla.

Getting Started with SSL It!

Take into account the following:

  • The SSL It! extension is installed by default.
  • To use all SSL It! features, make sure that the latest versions of the DigiCert SSL and Let’s Encrypt extensions are also installed.

To manage an SSL/TLS certificate of a domain, go to Websites & Domains > your domain. You can see the current security status of the domain under "SSL/TLS Certificates":

image status

Securing Websites with SSL/TLS Certificates

With the SSL It! extension, you can secure websites with free and paid SSL/TLS certificates (at the moment they are from DigiCert only) and also with SSL/TLS certificates you already own.

To secure a website with a free SSL/TLS certificate from Let’s Encrypt:

  1. Go to Websites & Domains > your domain > SSL/TLS Certificates.

  2. Under "More options", click Install:

    image install_button

  3. Specify the email address that will be used for urgent notifications and lost key recovery.

  4. Select what to secure in addition to the main domain name:

    • Secure the main domain name. Secure only the main domain. If you want to secure only the webmail, you can clear the checkbox.
    • Secure the wildcard domain (including www and webmail). Secure the www subdomain and/or domain aliases, and the webmail.
    • Include a "www" subdomain for the domain and each selected alias. Secure the www subdomain and/or domain aliases.
    • Secure webmail on this domain. Secure the webmail.
    • Assign the certificate to mail domain. Secure the mail with the IMAP, POP, or SMTP protocol. If you have the www subdomain and/or domain aliases, select the Include a "www" subdomain for the domain and each selected alias checkbox.
  5. Click Get it free.

An SSL/TLS certificate from Let’s Encrypt will be issued and installed automatically.

Note: If you secure a domain with an SSL/TLS certificate from Let’s Encrypt and then add new domains, subdomains, domain aliases, or webmail to the subscription, you can have SSL It! automatically secure them by reissuing the SSL/TLS certificate from Let’s Encrypt. To do so, go to Websites & Domains > your domain > SSL/TLS Certificates and turn on the Keep websites secured option.

To get a paid SSL/TLS certificate:

  1. Go to Websites & Domains > your domain > SSL/TLS Certificates.

  2. To get the list of available certificates, click Get Certificates:

    image Get_Certificates_Button

  3. Select the SSL/TLS certificate you want to buy and click the Buy button in the certificate’s form.

    Note: To find an appropriate certificate, you can do the following:

    • Filter the available certificates. You can apply the Recommended, Wildcard, and For organization use filter sets.
    • Read more about a certificate (its validity period, validation type, and so on) by clicking the Learn more button in the certificate’s form.

  4. In the Plesk Online Store pop-up window, fill in your address, payment information, and then buy the certificate.

  5. Close the pop-up window.

  6. Wait until Plesk updates the payment status or update it manually by clicking Reload. Plesk automatically updates the payment status once per hour.

    image waiting payment

  7. Once the payment has been processed, click Fill in required data.

    image payment received

  8. Fill in the required contact information, and then click OK.

Plesk now automatically creates a certificate signing request (CSR), then receives and installs the SSL/TLS certificate. Depending on the type of SSL/TLS certificate, this may take some time. You can click Reload to update the SSL/TLS certificate status manually or wait for Plesk to update it automatically (Plesk checks the SSL/TLS certificate status once per hour).

Note: Some types of SSL/TLS certificates (for example, EV) require you to perform additional actions. You may need to answer a phone call or reply to an email, and also submit the necessary documents, so that the CA can validate your application.

Once the SSL/TLS certificate is installed, the Websites & Domains > your domain > SSL/TLS Certificates screen shows information about the installed SSL/TLS certificate (name, certificate authority, email address, and so on), the secured components, and other options ("Redirect from http to https", "HSTS", and so on).

Securing Websites via CLI

You can also secure websites with wildcard SSL/TLS certificates via the CLI. Execute the following CLI commands:

plesk ext sslit --certificate -issue -domain <domain_name> -registrationEmail <email> -secure-domain -wildcard

and then

plesk ext sslit --certificate -issue -domain <domain_name> -registrationEmail <email> -continue

The first command creates a wildcard certificate order, while the second one completes the order and issues the certificate.

Uploading an SSL/TLS Certificate

You may want to upload an SSL/TLS certificate in the following cases:

  • You already have a certificate that you want to use to secure your domain.
  • You want to install a certificate that cannot be obtained via SSL It!.

To upload an SSL/TLS certificate:

  1. Go to Websites & Domains > your domain > SSL/TLS Certificates, and then click Upload.

    image upload

  2. Browse to the .pem file of the SSL/TLS certificate you want to upload, and then click Open.

The SSL/TLS certificate will be installed on the domain automatically.

Renewing Installed SSL/TLS Certificates

To keep your websites continuously secured, you need to renew installed SSL/TLS certificates in time. The SSL It! extension helps you do this.

SSL It! automatically renews free SSL/TLS certificates from Let’s Encrypt and DigiCert 30 days before they expire.

image renew

SSL It! cannot automatically renew paid SSL/TLS certificates. However, you can do the following:

  • Reissue them manually.
  • Let SSL It! automatically replace expired SSL/TLS certificates with free certificates from Let’s Encrypt.

To reissue a paid SSL/TLS certificate:

  1. Go to Websites & Domains > the domain secured with the paid SSL/TLS certificate that is about to expire > SSL/TLS Certificates.

  2. Click Reissue Certificate. You will be automatically redirected to the Plesk Online Store.

  3. In the Plesk Online Store pop-up window, fill in your address, payment information, and then buy the certificate.

  4. Close the pop-up window.

  5. Wait until Plesk updates the payment status or update it manually by clicking Reload. Plesk automatically updates the payment status once per hour.

    image waiting payment

  6. Once the payment has been processed, click Fill in required data.

    image payment received

  7. Fill in the required contact information, and then click OK.

Plesk now automatically creates a certificate signing request (CSR), then receives and installs the SSL/TLS certificate. Depending on the type of SSL/TLS certificate, this may take some time. You can click Reload to update the SSL/TLS certificate status manually or wait for Plesk to update it automatically (Plesk checks the SSL/TLS certificate status once per hour).

To automatically replace an expired paid SSL/TLS certificate with a free certificate from Let’s Encrypt:

  1. Go to Websites & Domains > the domain secured with the paid SSL/TLS certificate that is about to expire > SSL/TLS Certificates.
  2. Turn on Keep websites secured.

Now when your paid SSL/TLS certificate expires, SSL It! automatically issues a free SSL/TLS certificate from Let’s Encrypt to secure domains, subdomains, domain aliases, and webmail belonging to the subscription. It usually happens no later than one hour after the SSL/TLS certificate expires.

Unassigning an SSL/TLS Certificate

  1. Go to Websites & Domains > the domain from which you want to unassign the SSL/TLS certificate > SSL/TLS Certificates.
  2. Click Unassign Certificate, and then click OK.

Enhancing the Security of Websites and Encrypted Server Connections

Securing a website with a valid SSL certificate from a trusted CA alone is not enough for complete protection. SSL is a complex technology with many features (key encryption algorithms, secure ciphers, HSTS, and so on) that can:

  • Enhance the security of website visitors.
  • Improve website performance.
  • Strengthen the security of all encrypted server connections.

Enabling these features can also improve the search engine ranking of the website:

  • Redirect from http to https sets up a permanent, SEO-safe 301 redirect from the insecure HTTP to the secure HTTPS version of the website and/or webmail.
  • HSTS prohibits web browsers from accessing the website via insecure HTTP connections.
  • OCSP stapling makes the web server request the status of the website’s certificate (which can be good, revoked, or unknown) from the CA instead of the visitor’s browser.
  • TLS versions and ciphers by Mozilla harden connections secured with SSL/TLS certificates (website, mail, Plesk, and so on).

Warning: Before turning these features on, make sure that your website can be accessed via HTTPS without any issues. Otherwise, visitors may have trouble accessing your website.

Note: If you have already configured HSTS or OCSP stapling manually in your web server, remove these custom settings before turning on HSTS or OCSP stapling in SSL It!.

To enhance the security of websites and encrypted server connections:

  1. Secure the website with a valid SSL/TLS certificate from a trusted CA.

  2. Go to Websites & Domains > your domain > SSL/TLS Certificates.

  3. If you have upgraded to Plesk Obsidian from an earlier Plesk version, turn on Redirect from http to https. By default, the redirect will also be applied to webmail. On clean Plesk Obsidian installations, the redirect for the domain and webmail is already turned on by default.

    Note: If your webmail is not secured with a valid SSL/TLS certificate or you do not have any webmail, clear the Include webmail checkbox.

  4. Enable HSTS.

    Note: If your SSL/TLS certificate expires earlier than the Max-age period but you still want to use HSTS, we recommend that you turn on "Keep websites secured". Then, when the SSL/TLS certificate expires, SSL It! will automatically issue a free one from Let’s Encrypt to secure the domains, subdomains, domain aliases, and webmail belonging to the subscription. The website will be continuously secured and HSTS will keep working.

  5. Turn on OCSP Stapling.

  6. Enable TLS versions and ciphers by Mozilla.

Once you have hardened the SSL security of the website and server, you can assess the SSL security of the website.

Note: You can also enable HSTS via the CLI. For example, to enable HSTS for the domain example.com, which has already been secured with an SSL/TLS certificate, run the following command:

plesk ext sslit --hsts -enable -domain example.com

To see details on using SSL It! via the CLI, run the plesk ext sslit --help command.

Enabling HSTS

  1. Turn on HSTS.
  2. Make sure that the SSL/TLS certificate that secures your website will remain valid throughout the Max-age period. Do the same for subdomains and the webmail subdomain.

Warning: If the SSL/TLS certificate expires earlier than the Max-age period and HSTS is turned on, visitors won’t be able to access your website.

  3. If your subdomains are not secured with valid SSL/TLS certificates or you do not have any subdomains, clear the Include subdomains checkbox.
  4. If your webmail subdomain is not secured with a valid SSL/TLS certificate or you do not have any webmail, clear the Include webmail checkbox.
  5. Click Enable HSTS.
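The note under step 4 above and the warning in this section describe the same failure mode: a certificate that expires before the HSTS Max-age window ends locks visitors out. The following pre-flight check is an added example, not part of the original page or of SSL It!; it assumes the certificate expiry comes from `openssl x509 -noout -enddate` and the policy from the site's Strict-Transport-Security header, and the sample values are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample inputs (not taken from a real server):
#  - the line "openssl x509 -noout -enddate -in cert.pem" prints for the installed certificate
#  - the Strict-Transport-Security header value the site sends once HSTS is enabled
SAMPLE_ENDDATE = "notAfter=Mar 15 12:00:00 2025 GMT"
SAMPLE_HSTS = "max-age=15768000; includeSubDomains"


def parse_enddate(line):
    """Parse 'notAfter=Mon DD HH:MM:SS YYYY GMT' (openssl -enddate format) into an aware datetime."""
    value = line.split("=", 1)[1].strip()
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def parse_hsts(header):
    """Extract max-age (seconds) and the includeSubDomains flag from an HSTS header value."""
    match = re.search(r'max-age\s*=\s*"?(\d+)', header, re.IGNORECASE)
    if match is None:
        raise ValueError("Strict-Transport-Security header has no max-age directive")
    directives = {d.strip().lower() for d in header.split(";")}
    return {"max_age": int(match.group(1)), "include_subdomains": "includesubdomains" in directives}


def hsts_check(enddate_line, hsts_header, now_iso=None, keep_websites_secured=False):
    """Report whether the certificate stays valid for the whole HSTS max-age window.

    If it does not, browsers that cached the policy refuse to connect once the certificate
    expires, unless the Keep websites secured option reissues a new one in time."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    not_after = parse_enddate(enddate_line)
    hsts = parse_hsts(hsts_header)
    window_end = now + timedelta(seconds=hsts["max_age"])
    gap_days = max(0, (window_end - not_after).days)  # days the policy outlives the certificate
    findings = []
    if not_after <= now:
        findings.append("certificate is already expired: HSTS clients cannot reach the site")
    elif gap_days > 0 and not keep_websites_secured:
        findings.append(f"certificate expires {gap_days} days before max-age ends: "
                        "turn on Keep websites secured or shorten max-age")
    if hsts["include_subdomains"]:
        findings.append("includeSubDomains is set: each subdomain and webmail also needs a valid certificate")
    safe = not_after > now and (not_after >= window_end or keep_websites_secured)
    return {"safe": safe, "gap_days": gap_days, "findings": findings}
```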

Enabling TLS Versions and Ciphers by Mozilla

  1. Go to Extensions > the My Extensions tab > click Open next to SSL It!
  2. Under TLS versions and ciphers by Mozilla, turn on the toggle.
  3. Keep Intermediate (recommended), and then click Enable & Sync.
  4. To stay current, click Sync now once every few months.

Known Issues and Limitations

  • OCSP stapling only works for websites served by nginx and Apache, or by nginx alone. If your website is served by Apache only, there is no need to turn on OCSP stapling.
  • OCSP stapling may not work for SSL/TLS certificates from some vendors (for example, free certificates from DigiCert) if the full chain of trust is not in place. To check whether your certificate supports OCSP stapling, run the SSL Labs test against your SSL configuration.
  • Automatic synchronization of the TLS versions and ciphers provided by Mozilla is not yet supported.
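The chain-of-trust caveat above and the .pem upload procedure in "Uploading an SSL/TLS Certificate" both come down to what is inside the file you hand to SSL It!. The following inspector is an added example, not part of the original page or of SSL It!; it assumes the uploaded .pem bundles the private key with the leaf and intermediate CA certificates, and the sample bundle is constructed from placeholder base64 rather than real key material.

```python
import base64
import re

# Matches one PEM block; the backreference forces the BEGIN and END labels to agree.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

# Constructed sample bundle: the bodies are placeholder base64, not real key or certificate data.
SAMPLE_BUNDLE = """-----BEGIN PRIVATE KEY-----
cGxhY2Vob2xkZXI=
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
bGVhZg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
aW50ZXJtZWRpYXRl
-----END CERTIFICATE-----
"""


def inspect_bundle(text):
    """Count the PEM blocks in an upload bundle and flag what commonly breaks installation or stapling."""
    blocks = PEM_BLOCK.findall(text)
    findings = []
    for index, (label, body) in enumerate(blocks, start=1):
        try:
            # validate=True rejects any non-base64 character, so a truncated or edited body is caught
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            findings.append(f"block {index} ({label}) is not valid base64; the file is likely corrupted")
    labels = [label for label, _ in blocks]
    certs = labels.count("CERTIFICATE")
    keys = sum(1 for label in labels if label.endswith("PRIVATE KEY"))
    if keys != 1:
        findings.append(f"expected exactly one private key, found {keys}")
    if certs == 0:
        findings.append("no certificate block found")
    elif certs == 1:
        findings.append("only the leaf certificate is present; without the intermediate CA "
                        "certificate the chain of trust is incomplete and OCSP stapling may not work")
    return {"certificates": certs, "private_keys": keys, "findings": findings, "ok": not findings}
```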

Assessing the SSL Security of a Website

Popular search engines (for example, Google) rank websites with better SSL protection higher. In the SSL It! extension, you can run the most popular testing service, Qualys SSL Labs, to:

  • Check how good the SSL protection of your website is.
  • See what can be improved.
  • Get A+, the highest rating (after hardening the SSL protection, if necessary).

To assess the SSL security of a website:

  1. Go to Websites & Domains > your domain > SSL/TLS Certificates.
  2. Click Run SSL Labs Test.

The Qualys SSL Labs website opens in a new tab and the test starts automatically. Wait for the test to finish to get your rating. This may take a few minutes.

If you have secured the website with a valid SSL/TLS certificate from a trusted CA and turned on all the security enhancements provided by SSL It!, you will most likely get an A+ rating.

Customizing the List of SSL/TLS Certificates Offered by SSL It!

By default, when you want to secure a domain with an SSL/TLS certificate and go to SSL It!, you see four SSL/TLS certificates from different CAs available for installation. There are more.

SSL It! has a range of SSL/TLS certificates available for installation. You can choose which certificates you, your customers, and your resellers will see in the SSL It! interface. You can do this either in the SSL It! interface or via the CLI.

Customize the list of SSL/TLS certificates available for installation in SSL It! via the SSL It! interface:

  1. Go to Extensions > My Extensions tab > click Open next to SSL It!.
  2. Next to SSL/TLS Certificates, click Configure.
  3. Select the desired SSL/TLS certificates, and then click Save.

Your customers, your resellers, and you yourself will see only the selected certificates in the SSL It! interface.

Customize the list of SSL/TLS certificates available for installation in SSL It! via the CLI:

  1. Connect to the Plesk server via SSH.

  2. Get the full list of available SSL/TLS certificates by running the following command:

    plesk ext sslit --product -list
    
  3. Copy the vendor and product IDs of the SSL/TLS certificates you want to add to or remove from the list.

    image product list

  4. To customize the list of SSL/TLS certificates, use CLI commands of the following patterns:

    • To add an SSL/TLS certificate to the list:

      plesk ext sslit --product -add -vendor <vendor-ID> -product <product-ID>
      
    • To remove an SSL/TLS certificate from the list:

      plesk ext sslit --product -remove -vendor <vendor-ID> -product <product-ID>
      
    • To reset the list of SSL/TLS certificates to the default list:

      plesk ext sslit --product -reset-to-defaults
      

    For example, to add the ssl-web-server-ev certificate from Thawte to the list, run the following command:

    plesk ext sslit --product -add -vendor symantec.thawte -product ssl-web-server-ev
    
  5. Repeat the commands above as many times as needed until you have the desired list of available SSL/TLS certificates.

Note: If you are a vendor of SSL/TLS certificates and you want them to be integrated and sold in SSL It!, contact us by email at plesk-extensions@plesk.com. We will tell you how to get started with writing your own extension to integrate the SSL/TLS certificates and guide you until they are available for purchase in SSL It!.

Enhanced Probability of Certificate Issuance in SSL It!

SSL It! has a feature, enabled by default, that significantly decreases the number of cases in which Let’s Encrypt SSL/TLS certificates cannot be issued because of incompatible domain configurations.

When you get an SSL/TLS certificate from Let’s Encrypt, its servers need to validate that you control the domain names in the certificate. To do so, Let’s Encrypt uses so-called “challenges”: Let’s Encrypt issues a token file that Plesk places at http://<your_domain>/.well-known/acme-challenge/<token>. We call this directory the common challenge directory. Certificate issuance fails if this directory is not accessible. This may happen because of the following configurations:

When installed, SSL It! ensures that the common challenge directory is supported and accessible even if certain incompatible configurations are detected. The feature “common challenge directory support” is enabled by default in Plesk for Linux and Windows.

If necessary, you can turn off the feature via the CLI by running the following command:

plesk ext sslit --common-challenge-dir -disable

However, we recommend that you keep the common challenge directory support on.

If you have updated to SSL It! 1.4.0 from earlier versions, the common challenge directory support will be turned on automatically unless the use-common-challenge-dir setting was disabled in panel.ini. If the option was disabled, you need to turn on the support manually by running the following command:

plesk ext sslit --common-challenge-dir -enable

Starting with SSL It! 1.4.0, the use-common-challenge-dir setting is deprecated.