For this extension to be truly useful in regards to adding HSTS to a domain it needs to provide the options necessary to implement it in a way that meets the requirements for preloading.
So it needs to:
1) have an option to add the preload directive.
2) allow for the choice www or non-www domain name by performing the proper redirects to meet the requirements for preloading. Even if it means instructing the client to manually set the "Preferred domain" to "None" as part of the process then having the client return to the extension and then the extension can add the necessary redirects.

What I wanted, was to be able to do it from inside the SSL it! extension.
Since the extension offers the option of adding HSTS I would think it would also provide the options necessary for adding HSTS in a way that meets the requirements for the domain to be preloaded.

The new wildcard SSL support for Let's Encrypt is awesome!

Except that it doesn't work the way a person would expect. For example, when I install a SSL from GoDaddy, I can click my "exampledomain.com" button, and add the SSL. Then I can click my " *.exampledomain.com" button, and add the SSL.

This currently does not work with Let's Encrypt. With LE, I can click into "exampledomain.com" and set up a "*.exampledomain.com " Let's Encrypt SSL. It will properly secure exampledomain.com .

BUT, when I go to the ".exampledomain.com" in Plesk, and click "Hosting Settings", I cannot select the . Let's Encrypt SSL that I just created. Therefore, none of my subdomains are secured by the wildcard SSL that is supposed to secure all subdomains.

This really doesn't make any sense. I was informed by support that you have to create a named subdomain for each subdomain I wish to use. But that defeats the purpose of a wildcard SSL ... because if I am going to do that, I could just as easily set up an individual Let's Encrypt for each subdomain.

Your SSL It! plugin has some conceptional failures:

1. You provide Mozillas Cipher Suites to adjust the three levels of Mozilla. I'm unsure, if you always then set the additional settings like nginx ssl session caching, but however, Mozillas Suites are not the best. Better is the rating table of Qualys SSL Labs, as that's the grade finally looking for. E.g. Mozillas most secure level requires EC certs, as you don't provide a way to order or install such certs with your normal SSL certificate dialogue (if don't want to order via Let's Encrypt or Encryption Everywhere program), so it's somehow useless. Also I won't see EC as such interesting as if quant computing will come, key length of a 384 bit EC is still 384 bit meanwhile a 4096 bit RSA is still 4096 bit and will not be first possible target.




2. You provide OCSP setting, but I don't understand, why this setting should be done per domain. Why not enable at all for all sites or give possibility to choose?




3. I'm unsure, how you handle alias domains, you recognize them, but will a certificate order (e.g. LE or EE) then will issue all separate certs or provide possibility to purchase one with all entries?




4. HTTP to HTTPS redirection (if no cert available) still has its problems. If you have aliases, aliases will first redirect to https, so they need a cert just therefor (better to change the order of redirects) as well as you redirect from non-www to www first, if preferred domain is www, however, that's recognized as bad practice by HSTS preload list (would be fine to be linked to enter or check your site there) and could result in not been listed (so again wrong redirection order).




5. As you also allow to protect webmail (however, you don't see, if it's protected already as in my situation), what's about MTA-STS support?

Regards,
Christian

I would like to be able to use the Let's Encrypt extension to add new certs to the "list of certificates in server pool" and make use of a Let's Encrypt (LE) cert as the "default certificate" for domains that have not added their own specific certificate.

I thought this was already possible, but was incorrect. I added a LE cert on the Tools/Settings > SSL/TLS Certificates page, and made it the default certificate.

However, I used a different certificate to secure the Panel and the mail server. It appears, in that case, the LE cert will never be renewed.

I would like to have the LE certificate renewed if it's set as the default cert even if it is not used to secure the Panel or the mail server.

I don't consider using LE certs a good idea to secure the mail server because some e-mail clients, especially Apple clients, break when the cert is changed or renewed, causing end user support problems. Due to this, I use a different cert, that lasts for 2 years, to secure the mail server, to avoid that issue happening frequently (every 90 days). See...

https://support.plesk.com/hc/en-us/articles/115004756974-Mail-users-with-iOS-and-MacOS-devices-cannot-access-mail-after-certificate-renewal-on-Plesk-server-Cannot-Verify-Server-Identity

Thanks for your consideration.