What edits would you make to it?
I'd add whatever can [as secure as possible] allow those Win7 "release 117" clients to connect.
Thanks. The Win7 clients connect without issue. It's the latest release 117 that is causing the handshake issues. I guess I'll look into updating OpenSSL.
OK, replacing "Win7" with "release 117".
Hey @cbad
Have you managed to solve your issue?
Edit: I just accessed your URL and it's still down.
I'm in a similar boat. Have a few websites that are not loading on Chrome.
I have not. It sounds like I need to upgrade OpenSSL on this server, but I haven't found the best way to go about it since it is a fairly old setup.
Edited because I think this is wrong
We've found another potential workaround:
This only seems to affect RSA certificates, so switching to ECDSA will help because it was never used in conjunction with SHA-1.
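A quick way to see what the thread is describing from the server side, as an added example that is not from this thread or from Let's Encrypt: the script below uses the local `openssl s_client` to open a TLS 1.2 handshake while offering only signature algorithms without SHA-1 (the shape of what a Chrome 117 client offers), then reads the "Peer signing digest" and "Peer signature type" lines OpenSSL prints. A server that still answers with `SHA1` there is the one Chrome 117 rejects; the signature type line also shows whether the certificate in use is RSA or ECDSA. The hostname and port are placeholders, the sample output strings are constructed for the offline checks, and the `-sigalgs` option and the "Peer signing digest" line assume a local OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example: probe whether a TLS 1.2 server still signs its handshake
# with SHA-1 once the client stops offering any SHA-1 signature algorithm.
# Assumes a local openssl 1.1.1+ (for -sigalgs and the "Peer signing
# digest" line). HOST/PORT are placeholders supplied on the command line.

# Signature algorithms a Chrome-117-style client offers: no *+SHA1 entries.
MODERN_SIGALGS='ECDSA+SHA256:ECDSA+SHA384:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA+SHA256:RSA+SHA384'

# peer_signing_digest OUTPUT
# Pull the digest name out of captured s_client output
# ("Peer signing digest: SHA1" -> "SHA1"). Prints "none" when the line is
# absent, e.g. because the handshake failed before the server signed.
peer_signing_digest() {
    digest=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*Peer signing digest: *//p' | head -n 1)
    printf '%s\n' "${digest:-none}"
}

# peer_signature_type OUTPUT
# Same for "Peer signature type: RSA" / "RSA-PSS" / "ECDSA"; "none" if absent.
peer_signature_type() {
    sigtype=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*Peer signature type: *//p' | head -n 1)
    printf '%s\n' "${sigtype:-none}"
}

# uses_sha1_signature OUTPUT
# Exit status 0 when the server signed with SHA-1 (Chrome 117 would refuse
# this handshake), 1 otherwise.
uses_sha1_signature() {
    [ "$(peer_signing_digest "$1")" = "SHA1" ]
}

# probe_server HOST [PORT]
# Live check: force TLS 1.2 (where the SHA-1 ServerKeyExchange signature
# lives) and offer only the modern signature algorithms, then report what
# the server chose. A failed handshake simply yields "none".
probe_server() {
    host=$1
    port=${2:-443}
    out=$(printf '' | openssl s_client -connect "$host:$port" \
            -servername "$host" -tls1_2 -sigalgs "$MODERN_SIGALGS" \
            2>/dev/null) || true
    printf 'server signature digest: %s\n' "$(peer_signing_digest "$out")"
    printf 'server signature type:   %s\n' "$(peer_signature_type "$out")"
    if uses_sha1_signature "$out"; then
        printf 'RESULT: SHA-1 handshake signature; Chrome 117 will reject it\n'
        return 1
    fi
    printf 'RESULT: no SHA-1 handshake signature seen\n'
}

# Constructed sample output (not captured from any server in the thread),
# trimmed to the lines this script looks at.
SAMPLE_AFFECTED='Protocol  : TLSv1.2
Peer signing digest: SHA1
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits'

SAMPLE_OK='Protocol  : TLSv1.2
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits'

SAMPLE_FAILED='CONNECTED(00000003)
140 error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version'

# Run a live probe only when a host was given: sh probe.sh example.com 443
if [ -n "${1:-}" ]; then
    probe_server "$1" "${2:-443}"
fi
```

If the live probe reports `SHA1` with an RSA certificate, comparing it against a run with a SHA-1-capable list (append `:RSA+SHA1` to the sigalgs) shows whether the server is merely preferring SHA-1 or cannot sign with anything else, which is what decides between a configuration change and an OpenSSL upgrade.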
You could always download and compile it from source code.
This sounds like the ideal solution. My problem is I don't use certbot, so I don't have a command line to specify the key-type. I use a Docker implementation that I believe may run certbot inside the container. It uses the linuxserver/swag:1.20.0 image (I can provide the full docker-compose file if helpful).
Sorry, got cut off. Anyway, the docs say you add the key-type to a config to have it apply to all new and renewed certs. It seems worth trying.
But my other problem is my cert doesn't expire until mid-December, and with what I use now I can't renew it until the day before it expires. So I need to revoke a cert and then create a new one I guess. But I'm unsure how to go about revoking.
I have to be careful, since this is only affecting Chrome 117 (which is pretty huge) but other browsers still allow people to connect.
As always, thank you!
The other thread has some disagreement about whether the key type actually matters. However, revoking won't help anything; it's only for when a certificate shouldn't be used anymore. If you want to change key types to see if it impacts anything, you just need to get the new certificate, not revoke anything.
Another thought on this, since Certbot says it won't work on my server (Ubuntu 14.10). Is there a way to use Certbot on another computer to generate the certs/keys and then manually install them on my server? That is what I'm currently doing with my Docker solution, but Certbot is so much better supported that I'd rather use it.
Sure. Why not? They are just files. You can even automate the whole process from issuance to distribution, which is certainly preferable to doing it manually.
Why are you still on such an old version?
Have you tried/considered using acme.sh?
I have multiple applications on the same server with the same SSL certificate. Only one application is throwing this error, and when I enable the "Allow SHA-1 server signatures in TLS" flag it works fine. But the other applications work fine without this flag, too.
If it is the same server and the same SSL certificate, how is this situation possible? Anyone have any idea?
@rajeshwarg Please start a new thread in the Help category. You will be shown a form with info we need to help you. Thanks