Check if my server is compatible with Let's Encrypt cert


#1

Can you please help me to check if my server is compatible with a Let's Encrypt SSL cert. Here's my server type:

Apache/2.4.18 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 mod_fcgid/2.3.9

Thanks in advance!


#2

The answer is yes! I’ve a similar system (except it’s FreeBSD) and it’s working perfectly.

Keep in mind that you don’t have to use the official client. Let’s Encrypt is primarily a CA, and the service isn’t tied solely to its client. There are plenty of third party clients to choose from that may suit your situation better than the official one.

I’m using the official client (via ports) but it does require a hell of a lot of additional python libraries. You may be happier with a pure shell client instead.

Oh, and once you’ve generated your certificates, don’t use cert.pem in Apache! Since Apache 2.4.7 (I think) you should point the sslcert directive to fullchain.pem and simply don’t use the sslchain directive. When you use cert.pem in Apache 2.4.18 (even if you point the sslchain directive to fullchain.pem) you’ll intermittently get “verifier unknown” errors.

Good luck!


#3

Thanks DarkSteve!

Can you please help me to create steps on how to install the ssl certificate using fullchain.pem to my server?


#4

I found the Mozilla SSL Generator very handy. When I set it to Apache 2.4.18 and OpenSSL 1.0.1e, it provides the following snippets to incorporate into your Apache conf files:

<VirtualHost *:443>
    ...
    SSLEngine on
    # With the Let's Encrypt client this file is fullchain.pem (leaf followed by
    # the intermediate), as #2 says; cert.pem alone sends an incomplete chain.
    SSLCertificateFile      /path/to/signed_certificate_followed_by_intermediate_certs
    SSLCertificateKeyFile   /path/to/private/key
    # Only needed for client-certificate authentication (SSLVerifyClient); it
    # plays no part in serving your own certificate and can be left out.
    SSLCACertificateFile    /path/to/all_ca_certs


    # HSTS (mod_headers is required) (15768000 seconds = 6 months)
    Header always set Strict-Transport-Security "max-age=15768000"
    ...
</VirtualHost>

# modern configuration, tweak to your needs
# TLS 1.2 only. The CHACHA20 suites need OpenSSL 1.1.0 or later; OpenSSL 1.0.1e
# (the build in #1) does not know those names and silently skips them, so only
# the AES suites are actually offered.
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder     on
SSLCompression          off
SSLSessionTickets       off

# OCSP Stapling, only in httpd 2.3.3 and later
# SSLStaplingCache is a server-config directive and must sit outside any
# <VirtualHost>. httpd itself fetches the OCSP response, so outbound HTTP to
# the CA's responder must be allowed from the server.
SSLUseStapling          on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache        shmcb:/var/run/ocsp(128000)

On a fresh Apache install, the conf files should be well commented and it will be pretty obvious where the above sections fit in. I also did a bit of reading on Wikipedia and elsewhere to make sure I understood whether I wanted HSTS and OCSP Stapling (I did) and what impact they’d have.

Keep in mind the ssl.conf will contain the default ssl settings which can be overridden with the contents of the http-vhosts.conf file. If you have different settings in those two files, the http-vhosts.conf will generally take precedence. I say this because it took me way longer than it should have to realise why my site was still using an old self-signed cert instead of my new Let’s Encrypt cert!

Lastly, Mozilla’s Cipher Suite is quite good and doesn’t contain any ciphers with known vulnerabilities or weaknesses, however the ownCloud mobile app couldn’t connect using it. I had no issues with any browser or application on any platform except for that one Android mobile app. If you get an “SSL Initialisation Failure” error, it may be your ciphers, not your certificates! Just add a cipher the app can use and you’re good to go. (Again, it took way longer than it should have for me to work that out :stuck_out_tongue_winking_eye:)
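
An added example, not code from this thread, from Certbot or from Mozilla: it audits Apache SSL directives for the pitfalls raised in #2 (cert.pem instead of fullchain.pem) and #4 (ssl.conf being overridden by the vhost file, old protocols, a cipher string that a given client or OpenSSL build cannot use). The config text, hostnames and paths are constructed for illustration; the cipher check uses Python's ssl module to ask the local OpenSSL which of the requested suites it actually enables, which is how you would see that OpenSSL 1.0.1e drops the CHACHA20 names.

```python
"""Added example (not from the thread, Certbot or Mozilla): audit Apache SSL
directives for the pitfalls discussed above and ask the local OpenSSL which
suites a cipher string really enables. All config text and paths below are
constructed for illustration."""
import re
import ssl

# The Mozilla "modern" cipher string quoted in #4, in OpenSSL syntax.
MOZILLA_MODERN = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
)


def parse_directives(conf_text):
    """Map each directive (lower-cased) to its last value, skipping comments and
    <VirtualHost> tags. Feeding ssl.conf followed by the vhost file makes the
    vhost's repeats win, a simplified model of the precedence #4 ran into."""
    directives = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            directives[parts[0].lower()] = parts[1].strip()
    return directives


def audit(conf_text):
    """Return human-readable findings for the chain and protocol pitfalls raised
    in this thread. An empty list means nothing obvious is wrong."""
    d = parse_directives(conf_text)
    findings = []
    if re.search(r"(^|/)cert\.pem$", d.get("sslcertificatefile", "")):
        findings.append("SSLCertificateFile points at cert.pem; use fullchain.pem "
                        "so the intermediate is sent with the leaf")
    if "sslcertificatechainfile" in d:
        findings.append("SSLCertificateChainFile is deprecated since httpd 2.4.8; "
                        "put the chain in SSLCertificateFile instead")
    # httpd 2.4.17+ defaults to "all -SSLv3" when SSLProtocol is absent.
    tokens = d.get("sslprotocol", "all -SSLv3").split()
    for old in ("SSLv3", "TLSv1", "TLSv1.1"):
        enabled = "all" in tokens or old in tokens or "+" + old in tokens
        if enabled and "-" + old not in tokens:
            findings.append(f"SSLProtocol still allows {old}")
    if d.get("sslusestapling", "").lower() != "on":
        findings.append("OCSP stapling is not enabled (SSLUseStapling on)")
    if d.get("sslhonorcipherorder", "").lower() != "on":
        findings.append("SSLHonorCipherOrder is off; the client picks the suite")
    if not re.search(r"Strict-Transport-Security", conf_text):
        findings.append("no HSTS header is set")
    return findings


def enabled_ciphers(cipher_string):
    """Ask the local OpenSSL which TLS 1.2-and-below suites the string actually
    enables. Names it does not know are silently dropped (OpenSSL 1.0.1e, as on
    the server in #1, has no ChaCha20); a string matching nothing raises
    ssl.SSLError. Needs Python 3.6+ for SSLContext.get_ciphers()."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()
            if not c["protocol"].startswith("TLSv1.3")]


def missing_ciphers(cipher_string):
    """Requested suite names this OpenSSL build cannot offer. Compare the result
    of enabled_ciphers() against what a stubborn client supports to diagnose
    the 'SSL Initialisation Failure' case described in #4."""
    have = set(enabled_ciphers(cipher_string))
    return [name for name in cipher_string.split(":") if name not in have]


# Constructed sample: a server-wide ssl.conf still carrying a self-signed cert
# and a vhost that was pointed at cert.pem instead of fullchain.pem.
SSL_CONF = """
SSLProtocol all -SSLv3
SSLCertificateFile /etc/apache2/ssl/selfsigned.crt
SSLCertificateKeyFile /etc/apache2/ssl/selfsigned.key
"""
VHOST_CONF = """
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    SSLUseStapling on
</VirtualHost>
"""

if __name__ == "__main__":
    for finding in audit(SSL_CONF + VHOST_CONF):
        print("finding:", finding)
    print("enabled by this OpenSSL:", enabled_ciphers(MOZILLA_MODERN))
    print("unknown to this OpenSSL:", missing_ciphers(MOZILLA_MODERN))
```

Run it against your own files by concatenating ssl.conf and httpd-vhosts.conf in that order; the vhost's directives are the ones that take effect, which is why the old self-signed certificate in ssl.conf above does not show up as a finding while the cert.pem path in the vhost does.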


#5

Oh, did you see this? It’s a few months old, but it might help frame the process in your mind a little clearer. Of course you don’t have to use the official client, but if you do, the guide refers to https://github.com/letsencrypt/letsencrypt which is outdated.

Just substitute in https://github.com/certbot/certbot (since that's what the official client recently changed its name to).

