2 Problems with my certificate

Hello,

I am getting 2 problems with my Let's Encrypt certificate that are the following:

  1. I am getting this error on Firefox:

Secure Connection Failed

An error occurred during a connection to www.mydomain.com. Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.

  2. Because of the error in the previous point I ran my domain through https://www.ssllabs.com to check the certificate and I got the following problems with it:

IE 11 / Win Phone 8.1 R Server sent fatal alert: handshake_failure
Safari 6 / iOS 6.0.1 Server sent fatal alert: handshake_failure
Safari 7 / iOS 7.1 R Server sent fatal alert: handshake_failure
Safari 7 / OS X 10.9 R Server sent fatal alert: handshake_failure
Safari 8 / iOS 8.4 R Server sent fatal alert: handshake_failure
Safari 8 / OS X 10.10 R Server sent fatal alert: handshake_failure

The handshake is failing in Safari and IE; would these problems be related?

Please help! Thank you for your time!

This is a server configuration error. This is not caused by the TLS certificate, Let’s Encrypt or otherwise.

OK, then what am I missing in the server configuration? Can you please elaborate and help me?

Thanks!

No clue, because I don’t even know which webserver you’re using. You might even start with entering the error message in Google together with the name of your webserver. As this isn’t Let’s Encrypt related, this community is also not the best place to go to for this kind of problem. That said, as we are trying to secure the web, you might find some willing people here to help you nonetheless :wink:

If you need help, you’ll need to provide as much useful information as possible, such as webserver, webserver version, contents of relevant configuration file et cetera et cetera.

I tried going to Google before coming here to bother people with my problem, and most posts say the problem is with the certificate configuration, so that is why I came here nonetheless.

Sure, information about the server: it is an Ubuntu Server 18.04. What file details would you need?

Thanks!

That’s the operating system of the server, not the name of the webserver. It could be Apache or nginx or haproxy or…

My server is Apache; what else would you need?

What’s the output of apache2ctl -S and grep -R sslciphersuite /etc/apache2/?

Output for "apache2ctl -S" is the following (please keep in mind I changed my server domain to mydomain.com):

Removed for security reasons

And output for "grep -R sslciphersuite /etc/apache2/" is blank; I don’t get any result back.

Sorry, I forgot to type the i: please try grep -Ri sslciphersuite /etc/apache2/

I’m also interested in whether your configuration files are including the Let’s Encrypt SSL options file, so please also paste the output of grep -Ri include /etc/apache2/

OK, output for grep -Ri sslciphersuite /etc/apache2/ is the following:

Removed for security reasons

And output for grep -Ri include /etc/apache2/ is the following:

Removed for security reasons

IMHO this is odd: why are these two namevhosts in separate configuration files?

Could you paste the output of those two configuration files here?

OK, here is the output for "cat /etc/apache2/sites-enabled/000-default-le-ssl.conf":

Removed for security reasons

And the output for "cat /etc/apache2/sites-enabled/000-default.conf":

Removed for security reasons

@bella20 It seems the current default SSLCipherSuite directive which is pushed to your server by certbot (with the Include /etc/letsencrypt/options-ssl-apache.conf lines) is too strict for Safari 8 and older. As you can see from Safari 8 / OS X 10.10, that client only supports “WEAK” cipher suites (due to the use of the CBC mode of operation, instead of the safer GCM in current/modern cipher suites).

Looking at your server configuration, it seems you only have issues with those old Safari browsers (and an old version of Internet Explorer on Windows phones). Do you need to have those browsers working? Are you targeting a specific audience with known uses of Safari 8 or older (or IE 11 on Windows Phone 8.1 pre-update)? Are you using such an old browser which might be why you’re getting that error too?

If not, you can just let it be as it’s currently configured.

If the answer is yes: you could add additional ciphers to the file options-ssl-apache.conf, but that would disable the automated updating of that file by certbot, if needed.

@Osiris If this is only for old browsers like IE or Safari that are obsolete, then it is no problem since there is no need for them. If this works in regular and updated browsers, then I am OK with that. Just one question: is the configuration correct?

But what I am not OK with is the first problem, the one from Firefox:

Secure Connection Failed
An error occurred during a connection to www.mydomain.com. Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.

How can I fix that? Because this is giving me problems with regular browsers.

Upgrading your browser might perhaps fix it. What version of Firefox are you using?

You might want to surf to https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html and check the supported cipher suites. There should be at least one overlap with the cipher suites of your server.

When I ran testssl.sh on your site, it also gave me good results for nearly every browser. A few ancient Internet Explorers (6 and 8) didn’t work, but that’s expected.
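As an added example (not code from the thread or from certbot), a small Python simulation of the two failure modes discussed above: it parses the SSLProtocol and SSLCipherSuite directives from a constructed Apache profile standing in for options-ssl-apache.conf and checks protocol and cipher overlap against constructed client profiles. The cipher lists and the "all" expansion are illustrative assumptions, not the real lists of Safari 8, Firefox 52 or Apache.

```python
import re

# Constructed stand-in for the Apache TLS profile certbot installs via
# "Include /etc/letsencrypt/options-ssl-apache.conf" (not the thread's real
# file): TLS 1.2 only and GCM (AEAD) suites only, i.e. no CBC suites.
APACHE_SSL_CONF = """
SSLProtocol     all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite  ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384
"""
ALL_PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]  # what "all" means here (constructed subset)

def parse_ssl_conf(text):
    """Return (enabled protocol set, cipher list) from SSLProtocol / SSLCipherSuite."""
    protos, ciphers = set(), []
    for line in text.splitlines():
        m = re.match(r"\s*(SSLProtocol|SSLCipherSuite)\s+(.*\S)", line)
        if m and m.group(1) == "SSLCipherSuite":
            ciphers = m.group(2).split(":")  # OpenSSL-style colon-separated suite names
        elif m:
            for tok in m.group(2).split():  # "all" plus +/- adjustments, applied in order
                if tok == "all":
                    protos.update(ALL_PROTOCOLS)
                elif tok.startswith("-"):
                    protos.discard(tok[1:])
                else:
                    protos.add(tok.lstrip("+"))
    return protos, ciphers

def negotiate(server_protos, server_ciphers, client_protos, client_ciphers):
    """Handshake outcome, worded like the alerts and the Firefox error in the thread."""
    common_protos = [p for p in ALL_PROTOCOLS if p in server_protos and p in client_protos]
    if not common_protos:
        return "handshake_failure: no common protocol version"
    common = [c for c in server_ciphers if c in client_ciphers]  # server preference order
    if not common:
        return "handshake_failure: no common cipher suite (ssl_error_no_cypher_overlap)"
    return f"ok: {common_protos[-1]} {common[0]}"

# Constructed client profiles mirroring the thread's two failure modes; the
# cipher lists are illustrative, not the real lists of any named browser.
CLIENTS = {
    "modern":   ({"TLSv1.2"}, ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256"]),
    "cbc_only": ({"TLSv1.2"}, ["ECDHE-RSA-AES128-SHA", "AES128-SHA"]),    # Safari 8-like
    "no_tls12": ({"TLSv1", "TLSv1.1"}, ["ECDHE-RSA-AES128-GCM-SHA256"]),  # XP Firefox-like
}

def check_all(conf_text=APACHE_SSL_CONF):
    protos, ciphers = parse_ssl_conf(conf_text)
    return {name: negotiate(protos, ciphers, *prof) for name, prof in CLIENTS.items()}
```

Running check_all() shows the modern profile connecting while the other two fail for different reasons, which is why leaving the strict profile in place only costs the obsolete clients.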

I just ran the test that you mentioned on the Firefox browser giving this error, and it seems you are right, it is a problem with the browser, because it gives me this output:

Your user agent doesn’t support TLS 1.2. You should upgrade.
The protocols supported by your user agent are old and have known vulnerabilities. You should upgrade as soon as possible. The latest versions of Chrome, Firefox, and IE are all good choices. If you can’t upgrade IE to version 11, we recommend that you try Chrome or Firefox on your platform.

So, it seems everything is configured right, is that correct?

Yes, your website uses only safe cipher suites and only a few ancient browsers, like the one you apparently used :wink:, can’t connect to it.

I’m curious, what version was your Firefox?

That is great to hear, and thanks a lot for all your help, Osiris; I cannot believe this error was due to some old browser version.

The Firefox version I was using was Mozilla Firefox 52.9.0 ESR, and it seems that is the last version created for Windows XP, which was the computer on which I was having this issue. But, just out of curiosity, I checked the version on my work computer and it seems Firefox is on version 75.0, so it really shows how old that Windows XP Firefox browser is :slight_smile: :wink:

I am gonna delete the configuration files from previous posts for security purposes. Thanks again! You’ve been awesome :slight_smile:

You do realize that it’s an unsupported operating system and you should upgrade/install some linux distro?