Can't access website after renewing

Hello. I can’t access my website after renewing certificates. The new certificates, after running certbot-auto, were successfully renewed. The website was redirected to https.

My domain is: www.areeattrezzatecampercaravan.it

My web server is (include version): Apache 2.2.22

The operating system my web server runs on is (include version): debian 7.1

My hosting provider, if applicable, is: ovh

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 1.3.0

I tested the certificate on the website ssllabs.com, and I got different handshake failures.

This is your problem, dear.

Your webserver+openssl combination doesn't support tls1.2 (well) or tls1.3 (at all), but certbot told them that's all they should support.

Upgrade to debian 10 if you can. If you cannot, I'll help you pull certbot's leg.

Hi, I can’t upgrade to Debian 10 (some apps running only on 7). I can’t understand why I got this problem only now. In the previous renewals no problem. I hope you can help me. Thanks

You get this problem because the apache configuration included with certbot has changed.

You should really upgrade your debian 7, but anyway.

Anyway, go into your /etc/apache2 directory and find where your ssl config is:

grep -Eir "SSLProtocol|SSLCipherSuite" /etc/apache2

Edit: it’s an Include /etc/letsencrypt/something-apache.conf line

replace your current ssl configuration with this one: https://ssl-config.mozilla.org/#server=apache&version=2.2.2&config=intermediate&openssl=1.0.1&hsts=false&guideline=5.4

(check I got your openssl version right)

Hi, I checked the version of openssl. The version is 1.0.1t. I found where the ssl config is (ssl.conf under mods-available). I didn’t understand what you mean by
"Edit: it’s an Include /etc/letsencrypt/something-apache.conf line"
In the directory letsencrypt I found the file “options-ssl-apache.conf”.
Then should I replace the content of ssl.conf with this content?
"<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /path/to/signed_certificate
SSLCertificateChainFile /path/to/intermediate_certificate
SSLCertificateKeyFile /path/to/private_key

# intermediate configuration, tweak to your needs

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
</VirtualHost>"

Thanks again

No.

Your ssl.conf is probably doing nothing.

You should find that line "Include /etc/letsencrypt..." and replace that line, and THAT LINE ONLY, with the last lines of the mozilla configurator suggestion. Otherwise, don't edit your config in /etc/apache2 and put those lines in /etc/letsencrypt/options-ssl-apache.conf, replacing the similar ones.

# intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder     off

All is clear, but there is a problem. In the file options-ssl-apache.conf I already have this text.

Read /etc/apache2/httpd.conf and any file it includes, including those in sites-enabled, and find out whether that file is included and whether ssl.conf is.

(you can probably discover it easily by using apachectl -S)

ssl.conf is included, and so is the file options-ssl-apache.conf.

OK, what do they say?

And are you sure that mozilla’s generator’s output is identical to the file you already have?

I’m sure. Anyway, this is the content:

SSLEngine on

# Intermediate configuration, tweak to your needs

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off

SSLOptions +StrictRequire

# Add vhost name to log entries:

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common

try this command:

openssl ciphers -s -tls1_2

It will tell you which ciphers you support and which we can choose, because you only offer two and modern browsers don’t support them.

This is the output of the command:
Error in cipher list
140732259608232:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1294:

You may need to replace

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

with

SSLProtocol all -SSLv2 -SSLv3

and this is not good. Did I tell you to upgrade your distro? :smiley:

I replaced it and restarted Apache, but nothing changed.

replace your cipherlist with the one in the “old” configuration and hope it goes better: https://ssl-config.mozilla.org/#server=apache&version=2.2.2&config=old&openssl=1.0.1t&hsts=false&ocsp=false&guideline=5.4

and plan to move off that server asap

in both files? ssllabs doesn't see any tls1.1 or 1.0 support...

Hi @iampfab

read your output. Or read areeattrezzatecampercaravan.it - Make your website better - DNS, redirects, mixed content, certificates

Grade O - old connection.

O Old connection: Diffie-Hellman Key Exchange with 1024 Bit is unsecure. Update to 2048 Bit Key Exchange. Read https://weakdh.org/ to learn how to update your server.

Ssllabs shows tons of

DH 1024

warnings. And that's a configuration every browser blocks.
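The posts above explain the failure in three steps: the SSLProtocol line leaves only TLS 1.2, the old OpenSSL/Apache 2.2 stack can offer only the two DHE suites from the Mozilla list, and those two ride on a 1024-bit DH group that browsers refuse. The script below is an added example, not code from the thread, Certbot or the Mozilla generator, that models exactly that reasoning as a config audit. The STACK and BROWSER capability sets are constructed assumptions (which protocol keywords and suites the server knows, its DH group size, what a modern browser accepts), SAMPLE_CONFIG is a copy of the options-ssl-apache.conf directives pasted earlier, and the SSLProtocol evaluator handles any `all`/`+X`/`-X` expression, not just the one on the page.

```python
import re

# Constructed capability model for the stack described in the thread
# (Apache 2.2.22 with OpenSSL 1.0.1t). Every value here is an assumption
# made for the example, not something read off the real server.
STACK = {
    # protocol keywords the server stack knows
    "protocols": {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"},
    # suites the stack can actually offer: no ChaCha20 (needs OpenSSL 1.1.0+)
    # and no ECDHE key exchange (assumed absent from this Apache 2.2 build),
    # so only DHE/RSA suites survive
    "ciphers": {
        "DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-GCM-SHA384",
        "DHE-RSA-AES128-SHA", "AES128-SHA", "AES256-SHA",
    },
    "dh_bits": 1024,  # size of the server's DH group (assumed, as SSL Labs reported)
}

# Constructed model of a modern browser: TLS 1.2+ only, and it refuses
# DH groups below 2048 bits (the weakdh.org advice quoted in the thread).
BROWSER = {"protocols": {"TLSv1.2", "TLSv1.3"}, "min_dh_bits": 2048}

# Copy of the options-ssl-apache.conf directives pasted in the thread.
SAMPLE_CONFIG = """\
SSLEngine on
# Intermediate configuration, tweak to your needs
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLOptions +StrictRequire
"""

CANON = {"sslprotocol": "SSLProtocol", "sslciphersuite": "SSLCipherSuite",
         "sslhonorcipherorder": "SSLHonorCipherOrder"}


def parse_ssl_directives(config_text):
    """Return the last value of each SSL directive, ignoring comment text."""
    found = {}
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() in CANON:
            found[CANON[parts[0].lower()]] = parts[1].strip()
    return found


def enabled_protocols(spec, supported):
    """Evaluate an SSLProtocol expression left to right: 'all' enables every
    supported version, '-X' disables one, '+X' or bare X enables one.
    Keywords the stack does not know are returned separately."""
    by_lower = {p.lower(): p for p in supported}
    enabled, unknown = set(), []
    for tok in spec.split():
        sign, name = ("+", tok) if tok[0] not in "+-" else (tok[0], tok[1:])
        if name.lower() == "all":
            names = set(supported)
        elif name.lower() in by_lower:
            names = {by_lower[name.lower()]}
        else:
            unknown.append(name)
            continue
        enabled = enabled - names if sign == "-" else enabled | names
    return enabled, unknown


def usable_ciphers(spec, supported):
    """Split an explicit SSLCipherSuite list into suites the stack can offer
    and suites it silently drops. OpenSSL keyword expressions such as HIGH
    or !aNULL (no hyphenated suite name) are reported as not modelled."""
    usable, dropped, unmodelled = [], [], []
    for name in spec.split(":"):
        if not re.fullmatch(r"[A-Z0-9]+(-[A-Z0-9]+)+", name):
            unmodelled.append(name)
        elif name in supported:
            usable.append(name)
        else:
            dropped.append(name)
    return usable, dropped, unmodelled


def audit(config_text, stack=STACK, browser=BROWSER):
    """Model the handshake a modern browser would get from this config."""
    d = parse_ssl_directives(config_text)
    protos, unknown = enabled_protocols(d.get("SSLProtocol", "all"), stack["protocols"])
    usable, dropped, unmodelled = usable_ciphers(d.get("SSLCipherSuite", ""), stack["ciphers"])
    common = protos & browser["protocols"]
    weak_dh = stack["dh_bits"] < browser["min_dh_bits"]
    # a DHE suite is only acceptable to the client if the DH group is big enough
    acceptable = [c for c in usable if not (c.startswith("DHE-") and weak_dh)]
    findings = []
    if unknown:
        findings.append("SSLProtocol keywords this Apache does not know: " + ", ".join(unknown))
    if unmodelled:
        findings.append("cipher keywords not modelled: " + ", ".join(unmodelled))
    if dropped:
        findings.append("suites the stack cannot offer (silently ignored): " + ", ".join(dropped))
    if not common:
        findings.append("no protocol version in common with a modern browser")
    if weak_dh and any(c.startswith("DHE-") for c in usable):
        findings.append(f"DHE suites offered with a {stack['dh_bits']}-bit DH group; "
                        "browsers reject this (see weakdh.org)")
    return {"protocols": sorted(protos), "offered": usable,
            "handshake_possible": bool(common) and bool(acceptable), "findings": findings}


if __name__ == "__main__":
    for label, stack in (("as posted", STACK), ("with 2048-bit DH", dict(STACK, dh_bits=2048))):
        report = audit(SAMPLE_CONFIG, stack)
        print(f"[{label}] protocols={report['protocols']} offered={report['offered']} "
              f"handshake_possible={report['handshake_possible']}")
        for finding in report["findings"]:
            print("  -", finding)
```

Run as posted, the report shows only TLSv1.2 enabled, only the two DHE-RSA GCM suites offered and no possible handshake, with the 1024-bit DH finding as the reason; the second run shows that a 2048-bit DH group alone would already make the same cipher list negotiable. The model deliberately ignores OpenSSL keyword expressions (HIGH, !aNULL and friends) rather than guessing what they expand to on a given build.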

Thanks. It works!! You were very helpful.

WHAT works?

enabling tls1.0 or the old ciphers?

Take the time to move to a modern OS; this is not a problem you’d have had there. If you have legacy applications that need to run on debian 7 you can keep them, on a separate machine or in a docker container. But for the love of god, upgrade that webserver.