Certificate Score F


#1

Hi,

I’ve set up 2 Ejabberd servers.
XM3 has SSL Certificate from StartTLS (xmpp.net Grade C)
XM4 has SSL Certificate from LetsEncrypt (xmpp.net Grade F)

  • certificate score is 0
  • few ciphers show poor ratings.
    I am guessing that's where the problem lies.

Test report is here: https://xmpp.net/result.php?id=613641
I used the standard command to install LetsEncrypt cert
"certbot certonly --standalone -d xm4.conversity.net"

I’m not an expert on this subject & looking for some help in understanding how I can improve my scores to “C” or better.

Pls suggest what I can do to improve the scores or point me in the right direction.

Thanks,
Sans

Please fill out the fields below so we can help you better.

My domain is: xm4.conversity.net

I ran this command:

It produced this output:

My operating system is (include version): CentOS 7

My web server is (include version): Ejabberd

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Not Applicable


#2

Your main problem is that the certificate is for the wrong name. It needs to be for the domain name of the service (i.e. conversity.net), not the server (although it may be needed for other purposes). Use the following command to get a cert for both names.

certbot certonly --standalone --expand -d xm4.conversity.net -d conversity.net

That will get both servers to a C. To get better than that you’ll need to make a few adjustments to the config:

  1. Disable TLS compression by setting tls_compression and s2s_tls_compression to FALSE
  2. Disable SSLv3 by including - "no_sslv3" in protocol_options and s2s_protocol_options
  3. Change the ciphers and s2s_ciphers lists to exclude 3DES and non Forward Secret. For example: "HIGH:-kRSA:!MEDIUM:!aNULL:!MD5:!3DES"
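An ejabberd.yml fragment showing the three settings above in place, added here as an illustration (not from the original post or from the ejabberd project); the listener layout, port, certificate path and the "weak" values shown commented out are assumptions, and the option names follow the ejabberd 16.x configuration style current at the time of this thread.

```yaml
# ejabberd.yml fragment (ejabberd 16.x style). Paths, ports and the
# commented-out "weak" values are assumptions, not the poster's config.
# ejabberd's certfile expects the private key and the certificate chain
# in ONE PEM file, so certbot's privkey.pem and fullchain.pem have to be
# concatenated into the file named below (assumed path).

listen:
  -
    port: 5222
    module: ejabberd_c2s
    certfile: "/etc/ejabberd/xm4.conversity.net.pem"
    starttls_required: true
    ## Weak settings the post tells you to change (illustrative):
    ##   tls_compression: true
    ##   protocol_options: []          # SSLv3 still negotiable
    ##   ciphers: "DEFAULT"            # still offers 3DES and kRSA
    ## Hardened, as in steps 1-3 above:
    tls_compression: false            # step 1: no TLS compression
    protocol_options:
      - "no_sslv3"                    # step 2: refuse SSLv3
    ciphers: "HIGH:-kRSA:!MEDIUM:!aNULL:!MD5:!3DES"   # step 3: no 3DES, no plain-RSA kex

# Server-to-server (s2s) side: the same three settings carry an s2s_ prefix
# and live at the top level of the file rather than inside a listener.
s2s_use_starttls: required
s2s_certfile: "/etc/ejabberd/xm4.conversity.net.pem"
s2s_tls_compression: false            # step 1
s2s_protocol_options:
  - "no_sslv3"                        # step 2
s2s_ciphers: "HIGH:-kRSA:!MEDIUM:!aNULL:!MD5:!3DES"   # step 3
```

Restart ejabberd after the change and re-run the xmpp.net test; the c2s and s2s reports are graded separately, so both halves need the change.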

#3

Thanks @cool110
I tried the command with both domains & got the following error message.


Failed authorization procedure. conversity.net (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for TLS-SNI-01 challenge. Requested da869940e1452f3e705a27677df616df.c2a5ba5db858c44e969a0eab4120deb5.acme.invalid from 188.166.223.107:443. Received certificate containing ‘conversity.net, www.conversity.net’

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: conversity.net
    Type: unauthorized
    Detail: Incorrect validation certificate for TLS-SNI-01 challenge.
    Requested
    da869940e1452f3e705a27677df616df.c2a5ba5db858c44e969a0eab4120deb5.acme.invalid
    from 188.166.223.107:443. Received certificate containing
    conversity.net, www.conversity.net

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address.


conversity.net is a different server with its own SSL already installed.

How should I proceed?

Thanks again!


#4

In this case certbot’s standalone mode is not an option, however you do have a number of choices.

The 1st is to just reuse the cert on the webserver. However as it doesn’t include the name of the server it may cause problems elsewhere.

The 2nd is to run a small webserver on each server that redirects to the main one. Then use certbot’s webroot mode.

The 3rd is to use the DNS challenge which is easier to do with one of the other clients. GetSSL is often recommended for this.


#5

I tried this:
certbot certonly --standalone --allow-subset-of-names --expand -d xm4.conversity.net -d conversity.net

It generated 2 certificates, installed successfully, but the scores are still F :frowning:

Anything else I can do?

Thanks


#6

That is ignoring the validation failure of conversity.net and generating a cert for xm4.conversity.net only. You’ll need to do one of the things in my previous post to get a usable cert.


#7

Trying getSSL. Getting stuck at below response:

[root@xm4 ~]# ./getssl xm4.conversity.net
no certificate obtained from host
Registering account
Verify each domain
Verifying xm4.conversity.net
Verifying conversity.net
checking DNS at ns29.domaincontrol.com for conversity.net. Attempt 1/100 gave wrong result, waiting 10 secs before checking again
^Cgetssl: Program interrupted by user

When I try manually, I get the values instantly…
[root@xm4 ~]# dig @ns29.domaincontrol.com conversity.net

; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3 <<>> @ns29.domaincontrol.com conversity.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59961
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;conversity.net. IN A

;; ANSWER SECTION:
conversity.net. 600 IN A 188.166.223.107

;; AUTHORITY SECTION:
conversity.net. 3600 IN NS ns30.domaincontrol.com.
conversity.net. 3600 IN NS ns29.domaincontrol.com.

;; Query time: 41 msec
;; SERVER: 216.69.185.15#53(216.69.185.15)
;; WHEN: Sun Jan 01 19:10:52 IST 2017
;; MSG SIZE rcvd: 114

Any ideas how I can get past this one?

Thanks


#8

The error there is because you aborted by pressing Ctrl-C.

It looks as if you are using the DNS check, so you have a script which should be updating the DNS at your domain name registrar (domaincontrol.com) which should add the txt record required for _acme-challenge.conversity.net to your auth nameservers (ns29.domaincontrol.com and ns30.domaincontrol.com).

The script is checking for the txt record, and will pause for 10 seconds (by default) before testing again. From the above error, you aborted it before it had completed this.

If you want to check it manually you would need to check for the txt record

nslookup -type=txt _acme-challenge.conversity.net ns29.domaincontrol.com

The txt record isn’t there, so either you didn’t give it long enough, or the script to update your DNS records with the domaincontrol.com api isn’t correct. I’d need more info (your debug log) to determine exactly what it was.

If you want to use the HTTP-01 check, rather than the DNS-01 check, you need to change that option in your config.


#9

In the 1st attempt, I aborted the process after 9 failed attempts.
I tried again and since the response was same, I aborted it in 2 attempts and posted here.

This DNS validation has been causing too much pain, I’ve installed a small standalone Python web server & I’ll use web validation. It seems simpler.

On another note, after many failed attempts, I’m now getting a response:
There were too many requests of a given type :: Error creating new cert :: Too many certificates already issued for exact set of domains: xm4.conversity.net

Looks like I’ll have to wait for 1 week before resuming this exercise unless there is some way around it.

Thanks for the continued support !!


#10

You could have used GetSSL for web validation instead of the DNS-01 challenge just by changing a single variable :wink:

You would be better testing using the staging server - as that doesn’t have the limits on it. Once you have that all set up and working correctly, then change to the live server for a valid certificate.


#11

Setting up the config files of GetSSL was a bit overwhelming for me.
In the past 2 days, I have tried all possible tutorials, online services & scripts which help get LetsEncrypt but no luck.

The sub-domain issue coupled with the DNS validation has really burnt me out. I’m not a server guy so it’s been a bit of a challenge.

Regarding dry run, yes, learnt the hard way :smile:


#12

Unless you changed the config for GetSSL to go from the staging server to the live server, then all the attempts would have been with the staging server, and hence not hit any limits.

If you want specific help on GetSSL, then either raise an issue at https://github.com/srvrco/getssl or email me getssl at serverco.com


#13

Thanks! Will do :slight_smile:
