Securing Your Websites with the SSL It! Extension in Plesk Obsidian

Securing your website with SSL is essential to ensure the privacy of your visitors and that you’re found online in 2020. Encrypt All The Things and Google’s push for more SSL adoption mean SSL is rapidly becoming the new standard. As a result, without SSL on your website, you risk a poor experience for your users and falling rankings. So, to solve this dilemma, we’ve developed the SSL It! extension.

It allows you to keep your websites secured with certificates from trusted certificate authorities (CAs) Let’s Encrypt and DigiCert (Symantec, GeoTrust, and RapidSSL brands), or with any other SSL/TLS certificate.

SSL It! comes already installed by default, and you can do everything from one, easy-to-use interface. You need the latest versions of the DigiCert SSL and Let’s Encrypt extensions to also be installed to get the most from it, but apart from that, it’s ready to go out-of-the-box.

To give you an idea of what the extension can help you do, here’s a rundown of its main features:

  • HTTP to HTTPS redirects to enhance the security of your website’s visitors
  • Prohibits web browsers from accessing your website via insecure HTTP connections
  • Improves website performance and protects privacy with OCSP Stapling
  • Uses protocols and ciphers generated by Mozilla to make connections encrypted with SSL/TLS certificates more secure

SSL It! is a free extension, but SSL certificates themselves can be paid. Before we get into all that, let’s have a look at how you can use it to elevate your security.

Evaluating the SSL security of your website

Using the SSL It! extension, you can run one of the most popular testing services, Qualys SSL Labs, to check how good the SSL protection of your site is and discover what you can do to improve it.

Evaluating the SSL security of your website is as easy as doing the following:

  1. Go to Websites & Domains > your domain > SSL/TLS Certificates
  2. Click “Run SSL Labs Test”

The Qualys SSL Labs website will open in a new tab and the test will start automatically. Simply wait a few minutes until the test is finished, and you will receive a grade.

The highest possible grade is A+. If you secure your website with a valid SSL/TLS certificate from a trusted CA, and have turned on all security-enhancing features within the SSL It! extension (both steps we’ll look at next), you’re likely to receive top marks.

Securing websites with SSL/TLS certificates

To manage the SSL/TLS certificate of a domain, you first need to go to Websites & Domains > your domain. There you can see the current security status of your domain under SSL/TLS Certificates.

As you can see in the Tips & Tricks video below, by clicking SSL/TLS certificates you will see a list of certificates, all with clear descriptions so you can pick the right one for your needs.

For example, in the video, we select the Let’s Encrypt certificate. All that needs to be done next is to enter a valid email address and choose what you want to secure. The first option, domain and the selected components, is a good option if you’re not sure what DNS settings you have in place.

On the next page, you’ll see that your domain and the selected components are now secured. From here, you can run the SSL Labs Test to see how secure your domain is. Like in the video, it’s likely your website will now score an A. You can improve your security further and raise this to the maximum score, A+, by turning on the four TLS-related options and syncing TLS versions with Mozilla’s free service.

Enhancing the security of your websites

SSL It! will ensure your website is secured with a valid SSL certificate from a trusted CA. But this is not enough to ensure all-round protection. In particular, this extension contains four options that, when configured, will improve your website’s performance, enhance the security of your visitors, and harden the security of all servers’ encrypted connections. On top of this, enabling these features will boost your SSL Labs Test score to A+ and raise your website up the search engine rankings.

Here are the four options, with details of how they secure your website:

Redirect from HTTP to HTTPS:

The first option, redirect from HTTP to HTTPS, sets up a permanent, SEO-safe 301 redirect from the insecure HTTP to the secure HTTPS version of the website and/or webmail.

HSTS:

The second option, HSTS, prohibits web browsers from accessing your website via insecure HTTP connections. If visitors are unable to connect via HTTPS, for instance, because your certificate has expired, your website will become unavailable.

Keep websites secure:

The third option replaces expired or self-signed SSL certificates with free valid certificates from Let’s Encrypt. It covers each domain, subdomain, domain alias and webmail belonging to the subscription.

OCSP Stapling:

The last option, OCSP Stapling, makes the web server, rather than the visitor’s browser, request the status of the website’s certificate from the CA.
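One way to confirm from outside that the redirect and HSTS options took effect, as an added example that is not part of the original article or of Plesk's code. The response heads are constructed samples and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed sample response heads (not captured from a real server).
HTTP_OK = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.com/\r\n"
HTTPS_OK = ("HTTP/1.1 200 OK\r\n"
            "Strict-Transport-Security: max-age=15768000; includeSubDomains\r\n")
HTTP_WEAK = ("HTTP/1.1 302 Found\r\nLocation: http://www.example.com/\r\n"
             "Strict-Transport-Security: max-age=15768000\r\n")
HTTPS_WEAK = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=0\r\n"


def parse_head(raw):
    """Split a raw response head into (status code, {lower-cased header: value})."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(lines[0].split()[1]), headers


def parse_hsts(value):
    """Return (max_age or None, include_subdomains) from an HSTS header value."""
    max_age, include_sub = None, False
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key.lower() == "max-age" and val.strip('"').isdigit():
            max_age = int(val.strip('"'))
        elif key.lower() == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def audit(http_head, https_head):
    """List what is missing for the redirect and HSTS options to be effective."""
    findings = []
    status, headers = parse_head(http_head)
    if status != 301:
        findings.append(f"HTTP answers {status} instead of a permanent 301")
    if urlsplit(headers.get("location", "")).scheme != "https":
        findings.append("redirect target is not an https:// URL")
    if "strict-transport-security" in headers:
        findings.append("HSTS sent over plain HTTP is ignored by browsers")
    _, secure = parse_head(https_head)
    max_age, _ = parse_hsts(secure.get("strict-transport-security", ""))
    if not max_age:  # header absent, unparsable, or max-age=0 (policy removal)
        findings.append("HTTPS response sets no HSTS policy")
    return findings
```

An empty list from `audit` means both options are working for the responses it was given; the weak pair above produces four findings.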

On this page, you will also see there are ciphers managed by Mozilla which are constantly being updated. Click on TLS versions and ciphers by Mozilla to go to the settings page, and if you want to use the latest, click Sync now.

With your certificate installed, the four TLS-related options on, and ciphers synced, you can now do another run of SSL Labs Test. All that’s left to do is bask in the glory of your website’s A+ security rating.

There are many more things you can do to improve your website’s security within the extension, such as acquiring a paid SSL/TLS certificate or uploading your own. Check out this guide for more detailed info.

What is your experience with this extension? Share your thoughts or drop us a question or two by heading to the comments below!

Moving from HTTP to HTTPS 3: Troubleshooting and DIY solutions

One thing is quite clear: HTTPS is here for good. When SSL certificates give you HTTPS status, you’re saving user data from hackers, making the internet a safer place. You’re also increasing online transactions on e-commerce sites. That’s why most serious website owners have already migrated from HTTP to HTTPS – or are attempting it.

However, even with a host of benefits for a Google-friendly HTTPS site, there are certain technical issues associated with its integration or maintenance that may puzzle even technical users. Let’s now talk about such issues and the best possible ways to resolve them.

Optimizing Speed and Performance


It’s not uncommon to experience site performance or speed issues after upgrading to HTTPS. SSL-enabled sites go through a series of additional verification processes when a visitor enters. One of the key processes is the handshake, which requires a significant amount of CPU power. Here are a few actionable tips that can reduce the number of these operations and resolve this issue.

  1. Save time by sending multiple requests through a single connection. For that purpose, you need to enable Keep-Alive connections.
  2. Shave time by reusing the SSL session parameters. This removes the need for SSL handshakes on subsequent or parallel connections.
  3. The SSL session cache stores multiple sessions. This cache is shared between all the workers. Use the ssl_session_cache directive to enable it.
  4. There are 4000 sessions per megabyte of cache, and its default timeout is 5 minutes. However, you can increase this time for better results by using the ssl_session_timeout directive.
  5. To further enhance your website speed by 50-300%, you may also consider the downloadable Speed Kit extension on Plesk.
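The nginx directives named in the list above, checked by a short audit over two constructed server blocks, one tuned and one not. This is an added example, not code from the original article; the zone name SSL, the sizes and the function names are assumptions, and 75s is nginx's default keep-alive timeout.

```python
import re

SESSIONS_PER_MB = 4000  # figure quoted in the list above

# Constructed sample configurations.
TUNED = """
server {
    listen 443 ssl;
    keepalive_timeout 70;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
}
"""
UNTUNED = """
server {
    listen 443 ssl;
    keepalive_timeout 0;
}
"""


def directives(conf):
    """Map each simple `name args;` directive to its list of arguments."""
    pattern = r"^[ \t]*([a-z_]+)[ \t]+([^;{}\n]+);"
    return {name: args.split() for name, args in re.findall(pattern, conf, re.M)}


def size_mb(size):
    """Convert an nginx size with a k or m suffix (10m, 512k) to megabytes."""
    number, unit = int(size[:-1]), size[-1].lower()
    return number if unit == "m" else number / 1024


def audit_tls_reuse(conf):
    """Report keep-alive, shared session cache capacity and session timeout."""
    d = directives(conf)
    report = {"keepalive": d.get("keepalive_timeout", ["75s"])[0] not in ("0", "0s"),
              "shared_cache": False,
              "capacity": 0,
              "timeout": d.get("ssl_session_timeout", ["5m"])[0]}
    for arg in d.get("ssl_session_cache", []):
        if arg.startswith("shared:"):  # shared:<zone name>:<size>
            size = arg.rsplit(":", 1)[1]
            report["shared_cache"] = True
            report["capacity"] = int(size_mb(size) * SESSIONS_PER_MB)
    return report
```

For the tuned block the report shows a shared cache holding about 40000 sessions with a 10-minute timeout; the untuned block has keep-alive disabled and no shared cache.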

Issues regarding SSL certificates

SSL Certificate Chains

Another tricky situation is when browsers refuse to accept a certificate, even one from a reputable, authorized CA. The most popular browsers generally have a built-in certificate store containing various authorized and reputable CAs. However, these CAs use intermediate certificates to sign the server certificate.

The CAs provide a series of chained certificates that ultimately link to the root certificate. These intermediate certificates aren’t in the browsers’ built-in certificate store, and this causes the error. Here are the actionable tips you can follow.

  1. Ideally, the chained certificates should come after the server certificate so that the chain can be processed.
  2. If you’re non-technical, it’s good to get help from a professional or CA.
  3. Open the certificate details; the certification path will reveal the problem areas.
  4. Communicate with your CA if you find difficulty installing an intermediate certificate.

Invalid SSL Certificate

If you try installing the certificate with incorrect details, you’ll get this error. Here’s what to do.

  1. Let’s Encrypt users can use the renewal command to renew an SSL certificate.
  2. If you purchased from another CA, ask them for an SSL certificate renewal.
  3. Make sure the CA is reputable and recognized by popular browsers.

Outdated SSL certificate

As the name suggests, you need to renew your SSL certificate because it is now past its due date or has some validity issues. If your browser doesn’t support SNI, then updating its version can resolve the issue. You may also try revisiting the same page.

The Mixed Content Issue

When you use an HTTPS domain as a path to send HTTP elements, it causes the mixed content error. Basically, you’re trying to mix the different elements (HTTP and HTTPS) on the same platform. Here’s how to solve it.

  1. Just visit the Console tab in Chrome DevTools, where you can find a series of elements. If the elements are hard-coded, you need to modify the URL manually. For external resources, just replace the HTTP versions with HTTPS. If the external resources haven’t yet transferred to HTTPS, you can send them a request. Alternatively, you can also look for HTTPS substitutes for the external resources, like images.
  2. Review the certificate information of the custom SSL certificate that you’re adding to the CDN/origin server and make sure all the information is correct and current. Things to check: intermediate certificates (check entire range separately), private key, empty lines (delete if you encounter any).
  3. Use some reputable tool that can help generate an intermediate certificate.
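The hard-coded HTTP references from step 1 can also be found before deployment by scanning the page source, as in this added example (not from the original article). The sample page, host names and function names are constructed for illustration.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs that make the browser fetch a subresource.
# <a href> is absent on purpose: a link to an HTTP page is navigation, not mixed content.
SUBRESOURCE_ATTRS = {
    ("img", "src"), ("script", "src"), ("iframe", "src"), ("audio", "src"),
    ("video", "src"), ("source", "src"), ("embed", "src"), ("object", "data"),
}
FETCHED_LINK_RELS = {"stylesheet", "icon", "preload"}

# Constructed sample page served over HTTPS.
PAGE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.net/site.css">
<link rel="canonical" href="http://www.example.com/">
<script src="https://www.example.com/app.js"></script>
</head><body>
<img src="http://images.example.net/logo.png">
<a href="http://partner.example.org/">Partner</a>
<script src="HTTP://cdn.example.net/widget.js"></script>
</body></html>"""


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []  # (line number, tag, insecure URL)

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        urls = [attrs[a] for (t, a) in SUBRESOURCE_ATTRS if t == tag and a in attrs]
        rels = set(attrs.get("rel", "").lower().split())
        if tag == "link" and FETCHED_LINK_RELS & rels:
            urls.append(attrs.get("href", ""))
        for url in urls:
            if url.strip().lower().startswith("http://"):
                self.hits.append((self.getpos()[0], tag, url.strip()))


def find_mixed_content(html):
    """Return every subresource that an HTTPS page would load over HTTP."""
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.hits


def upgrade(url):
    """Rewrite a hard-coded http:// URL to https:// (the resource must exist there)."""
    return "https://" + url[len("http://"):]
```

On the sample page the stylesheet, the image and the second script are reported; the canonical link, the anchor and the HTTPS script are not.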

Outdated Browser, Cache and Cookies

Older browsers may be unable to recognize SSL-enabled sites because they don’t support these technologies. If the browser’s cache has saved older SSL information about your site’s recently updated certificate, then this message appears due to an info mismatch.

This error may still occur after you solve the problem. The simple remedy is to clear your cache so your browser can again retrieve and read the updated certificate details.

Apache Issues

For Apache issues, you need to use code. DigiCert, a leading SSL authority, provides a complete guide on how to resolve such issues, along with solution code that you might just need to copy and paste. With DigiCert, you can also diagnose your SSL issues here: provide your site name and check the reports.

Further DIY Solutions to HTTPS Issues in Plesk

If you love DIY exercises, then here are different ways to buy, manage or renew your SSL certificate in Plesk. All you have to do is to click the links below and follow the easy instructions.

  1. Change the default certificate
  2. Renew the default certificate
  3. Purchase SSL Certificate from Plesk
  4. Enable redirection from HTTP to HTTPS in Plesk
  5. Download SSL certificate in Plesk

This article presented some tricky errors along with their easy, DIY solutions. Let us know in the comments if we’ve managed to keep the instructions clear and simple and if you performed all the steps accurately.

Moving from HTTP to HTTPS 2: SSL Certificates and their suitability

SSL Certificates

SSL certificates help secure data in transit against attacks. Regardless of their types or issuing agency, all SSL certificates encrypt submitted data – decrypting it only upon reaching its recipient. While this basic functionality remains the same for all types of SSL certificates, there are some key differences in suitability and limitations. Let us explore these differences in detail as you continue your move from HTTP to HTTPS.

DV (Domain-validated) Certificate

A DV, or domain-validated, certificate is the most basic level of certification. It simply helps you demonstrate, while requesting the SSL certificate, that you’re the owner of the submitted domain.

A DV certificate is ideal for internal communications, to maintain test domains and servers, and internal sites. Rarely, it may also be suitable for small businesses with a brochure website.

DV Certificate Limitations

  1. DV doesn’t mention the company name that owns and operates the domain. Hence, it doesn’t verify the domain is owned by a trusted, official, legal entity. This can discourage shoppers or potential partners from sharing their personal info while performing online transactions on your site.
  2. Sharing data over a secured network with an unidentified/unverified recipient isn’t wise. A hacker can purchase a fraudulent, similar-sounding domain name and its SSL certificate (like Mikrosoft.com or Jumla.com) just to trick visitors into sharing sensitive data, which the hacker will later misuse.

OV Certificate

You get an OV certificate after a detailed verification process. It displays more comprehensive domain information, thus verifying that the legal corporate entity that owns it is authentic.

An OV Certificate is suitable if you’re running a commercial website or blog that requires clients to log in using an ID/password, or for educational institutes that require students/teachers to log in and check reports/attendance and other non-interactive activities. An OV may also suit local community websites and small business websites that don’t involve sales or sharing of payment details.

OV Certificate Limitations

  1. Real human interaction, like a telephone call, is generally involved at multiple levels, which enhances the trust level.
  2. Trusted real-world sources are checked to cross-verify the corporate nature of the business requesting it. In most of the cases, it also involves the submission of business documents.

EV (Extended Validation) Certificate

EV certificates almost eliminate any phishing possibilities because of their strict configuration, reinforcing failsafe security at multiple levels. However, an EV requires the most stringent verification process. Your organization can have one issued only after it successfully passes all verification steps, namely physical existence, current legal/operational status, exclusive domain ownership and controlling rights of the commercial entity.

EV Certificate Suitability

  1. The EV certificate is perfect for online stores that need customer personal and payment information, including contact address and phone number.
  2. EV is also suitable for healthcare websites that establish communication between doctor and patients, as well as government, educational and other interactive websites that conduct online tests, assessments and such.
  3. If you’re working on mission-critical projects via your website, then an EV SSL certificate is the best option for you.
  4. The EV certificate is also the best choice for online wealth building and management sites and Blockchain websites, and for those enabling online payments and looking to build a long-lasting digital empire.

Single Domain SSL certificate

The single domain certificate covers only the one main domain to which it belongs, without supporting any of its subdomains. So if you buy a single domain certificate for mycompany.com, it will only provide SSL security (and HTTPS status) to mycompany.com. The Single Domain SSL certificate is ideal for small businesses and start-ups that just want to secure one domain, like the homepage.

Wildcard SSL Certificate

Along with securing the main domain, the wildcard certificate also secures all related subdomains. In short, the Wildcard perfectly fills the gaps left by the single domain certificate. For instance, if you purchased a Wildcard SSL Certificate for mydomain.com, then it will automatically secure blog.mydomain.com, services.mydomain.com, and shop.mydomain.com.

A Wildcard SSL certificate is best for business websites, institutional sites and other websites with multiple web pages of high importance, such as government organizations, eCommerce sites, online new media, and social community websites.

Multiple Domain Names Certificate

The Multiple Domain names SSL certificate is fully capable of securing multiple domain names that belong to you. The Multiple Domain Names Certificate is suitable if you’re running a group of companies with different URLs or you’re considering starting up multiple blogs or sites in the future.

HTTP to HTTPS: Get the best benefits from your SSL Certificate

You need to know about the various options and their suitability to make the best SSL choice, especially with the move from HTTP to HTTPS. This article should help you evaluate this in the context of your business and its objectives. If you’d like to know more about the suitability of different certificates, read our SSL Certificate guide here or the more detailed SSL info from DigiCert.