Apache2 default page (not redirecting subdomains or www) after cert installed

I cleared my browsing history and after this update it worked :slight_smile:

Would you mind explaining what that was about?

1 Like

I can’t be 100% certain, but I’m thinking apache wasn’t updated or was unable to process the 000-default-le-ssl.conf file.
And your browser also may have had outdated info.

1 Like

Well thank you again! I assume I should start focusing on getting an A on the check your website so I will start looking more into that. Any suggestions on what is important to knock off the list from that site?

1 Like

I can't really find much there, other than:
"no preferred version www or non-www"
Which is a simple "fix": Pick one and redirect the other to that one name.

Checking at SSL Labs, I see that you have TLSv1.3 enabled (Great), but also have TLSv1.1 and TLSv1.0 enabled (BAD).
Also NOT seen, but with minimal impact:

  • No OCSP stapling
  • No Strict Transport Security (HSTS)

Checking at DNS Spy, I see that your DNS servers are from Linode but use the same CloudFlare AS#.
[some consider it a false negative - citing that CloudFlare is too big to fail - I'm not of that mindset and feel that everything can fail and it really costs next to nothing to add some (additional) DNS redundancy]

Checking at DNS Viz I see that DNSSEC is NOT in use.
[not "required" but goes a long way in protecting your site from MiTM attacks & domain spoofing]

2 Likes

That is a lot for a newb to swallow but I am going to take my time researching each and everything you explained here. Thank you for taking the time to explain that!

1 Like

The simplest grade-changer would be disabling TLSv1.0 and TLSv1.1
That can be done within the file:
/etc/letsencrypt/options-ssl-apache.conf
Changing this:

To:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

[and restart the web server]
[and retest your site with the online tools provided above]

2 Likes
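An added check for the three SSL Labs points raised above (legacy protocol versions, OCSP stapling, HSTS), not code from this thread: a small Python linter that evaluates an SSLProtocol line with mod_ssl's left-to-right token semantics ("+name" adds, "-name" removes, a bare name replaces the set, "all" expands to every known protocol) and reports what is still enabled. The config text it is run on is constructed for the example.

```python
# Protocol names mod_ssl 2.4 understands, oldest first. "all" expands to every
# one of these; SSLv2 is not supported by modern builds, so "-SSLv2" is a no-op.
PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}

def enabled_protocols(directive):
    """Evaluate one SSLProtocol line the way mod_ssl does: tokens apply left to
    right, '+name' adds, '-name' removes, a bare name replaces the whole set."""
    tokens = directive.split()
    if not tokens or tokens[0].lower() != "sslprotocol":
        raise ValueError("not an SSLProtocol directive: %r" % directive)
    enabled = set()
    for tok in tokens[1:]:
        action, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        if name.lower() == "all":
            members = set(PROTOCOLS)
        else:
            members = {p for p in PROTOCOLS if p.lower() == name.lower()}
        if action == "-":
            enabled -= members
        elif action == "+":
            enabled |= members
        else:                      # bare name: overrides anything set so far
            enabled = members
    return enabled

def lint_ssl_config(text):
    """Return findings for the protocol, stapling and HSTS points, in that order."""
    protos, stapling, hsts = None, False, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        key = parts[0].lower()
        if key == "sslprotocol":
            protos = enabled_protocols(line)      # the last directive seen wins
        elif key == "sslusestapling" and len(parts) > 1:
            stapling = parts[1].lower() == "on"
        elif key == "header" and "strict-transport-security" in line.lower():
            hsts = True
    findings = []
    if protos is None:
        findings.append("no SSLProtocol directive (server default applies)")
    elif protos & LEGACY:
        findings.append("legacy protocols enabled: " + ", ".join(sorted(protos & LEGACY)))
    if not stapling:
        findings.append("OCSP stapling not enabled (SSLUseStapling on)")
    if not hsts:
        findings.append("no Strict-Transport-Security header")
    return findings

# Constructed samples: a directive that still allows TLSv1/TLSv1.1, and the corrected one.
BEFORE = "SSLProtocol all -SSLv2 -SSLv3\n"
AFTER = ("SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1\nSSLUseStapling on\n"
         'Header always set Strict-Transport-Security "max-age=31536000"\n')
```

Run it over the real file with lint_ssl_config(open("/etc/letsencrypt/options-ssl-apache.conf").read()); an empty list means all three points are covered.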

And for the www - non-www:
Pick one of these to add to your ssl conf:

#[redirect to www.domain]
RewriteEngine on
RewriteCond %{SERVER_NAME} =clearpath.site
RewriteRule ^ https://www.clearpath.site%{REQUEST_URI} [END,NE,R=permanent]

OR

#[redirect to base domain]
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.clearpath.site
RewriteRule ^ https://clearpath.site%{REQUEST_URI} [END,NE,R=permanent]

2 Likes

Won’t this mess with the Rewrite rules I already have?

RewriteEngine on
RewriteCond %{SERVER_NAME} =www.clearpath.site
RewriteRule ^ https://clearpath.site%{REQUEST_URI} [END,NE,R=permanent]

1 Like

You put that in the HTTPS vhost - you only have redirection in the HTTP vhost now.
There are four possible ways to connect to your “site”:

  1. http://site/
  2. http://www.site/
  3. https://site/
  4. https://www.site/

1 redirects to 3
2 redirects to 4
3 needs to redirect to 4
[or 4 needs to redirect to 3]

[all 4 should “end up” at the same site]

2 Likes

Two more (relatively simple) changes - when you break free of the newbieness - LOL
DNS CAA
ECDSA cert see also: Howto obtain ECDSA cert (in addition to RSA) with certbot?
[you don’t need both - but two is better than one and ECDSA is better than RSA]

In case you haven’t noticed - this is me challenging you…
To be the best that you can be at this :slight_smile:

2 Likes

Nice. I am starting to get a good grasp on this now.

2 Likes

Yup :slight_smile: feels like a challenge I am up for. First thing I am going to do is make sure my redirects are working well.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.