Clients on Windows 7 not able to connect after certbot upgrade

Is there a way to force it to generate for TLS 1.0? I could live with that while I update the client problem to support TLS 1.2.

The cert can be used with any TLS version. It is just your server ciphers that need changing and you can do that manually.

But, I also want to note your www subdomain CNAMEs to the root domain. That's fine of course but the cert being used for https://fsairlines.net will fail client validation as it does not have its own name in the cert.


The TLS version has nothing to do with the certificate. You control that in your server configuration.


Good to know. I reverted the change I did and gave www its own cert.

I checked the Apache config and it looks like everything except SSLv2 is active.
It's curious that it worked fine for over 3 weeks, then the problem started after the certificate was renewed.

But it's NOT.
Please show the config.


From mods-available/ssl.conf

#   The protocols to enable.
#   Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
#   SSL v2  is no longer supported
SSLProtocol all -SSLv3

In the VirtualHost you might have something like:

Include /etc/letsencrypt/options-ssl-apache.conf

If so, what is in that conf file?


cat /etc/letsencrypt/options-ssl-apache.conf

# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file. Contents are based on https://ssl-config.mozilla.org

SSLEngine on

# Intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder     off
SSLSessionTickets       off

SSLOptions +StrictRequire

# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common

That would definitely stifle Win7.

But I'm still not sure what is in use...
Please show:
sudo apachectl -t -D DUMP_VHOSTS


I replaced those two parameters with what was in the old server and now it works. This will be fine for now; it's no less secure than the old server. Thanks for your help.

sudo apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server localhost.localdomain (/etc/apache2/sites-enabled/000-fsa-beta-le-ssl.conf:2)
         port 443 namevhost localhost.localdomain (/etc/apache2/sites-enabled/000-fsa-beta-le-ssl.conf:2)
                 alias beta.fsairlines.net
         port 443 namevhost localhost.localdomain (/etc/apache2/sites-enabled/000-fsa-fsa5-le-ssl.conf:2)
                 alias fsa5.fsairlines.net
         port 443 namevhost localhost.localdomain (/etc/apache2/sites-enabled/000-fsa-net-le-ssl.conf:2)
                 alias fsairlines.net
                 alias www.fsairlines.net
         port 443 namevhost remote.fsairlines.net (/etc/apache2/sites-enabled/000-fsa-remote-le-ssl.conf:2)
         port 443 namevhost fsairlines.net (/etc/apache2/sites-enabled/000-fsa-www-le-ssl.conf:2)
                 alias www.fsairlines.org
*:80                   is a NameVirtualHost
         default server localhost.localdomain (/etc/apache2/sites-enabled/000-fsa-beta.conf:1)
         port 80 namevhost localhost.localdomain (/etc/apache2/sites-enabled/000-fsa-beta.conf:1)
                 alias beta.fsairlines.net
         port 80 namevhost localhost.localdomain (/etc/apache2/sites-enabled/000-fsa-fsa5.conf:1)
                 alias fsa5.fsairlines.net
         port 80 namevhost localhost.localdomain (/etc/apache2/sites-enabled/000-fsa-net.conf:1)
                 alias fsairlines.net
                 alias www.fsairlines.net
         port 80 namevhost remote.fsairlines.net (/etc/apache2/sites-enabled/000-fsa-remote.conf:1)
         port 80 namevhost localhost.localdomain (/etc/apache2/sites-enabled/000-fsa-www.conf:1)
                 alias fsairlines.org
                 alias www.fsairlines.org

The new values in /etc/letsencrypt/options-ssl-apache.conf

> SSLProtocol             all -SSLv2 -SSLv3
> SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
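The replies above make the point that the TLS version and the cipher list live in the server configuration, not in the certificate, and this thread shows both variants of options-ssl-apache.conf: Certbot's Mozilla "intermediate" values and the old-server values the poster restored. As an added example (not code from the thread, from Certbot or from Apache), the following Python models mod_ssl's SSLProtocol and SSLCipherSuite semantics closely enough to show three things: the intermediate profile rejects a TLS 1.0-only client on version alone; re-enabling TLS 1.0 while keeping the intermediate cipher list would still fail, because every suite in it requires TLS 1.2; and the restored pair negotiates TLS 1.0 with a CBC/SHA-1 suite. The MODERN and LEGACY client profiles are constructed assumptions, not measurements of any Windows 7 client, and the relaxed cipher list is abridged to the suites the example needs.

```python
"""Added example (not code from the thread, Certbot or Apache): a model of how
mod_ssl's SSLProtocol and SSLCipherSuite values decide whether a client can
handshake.  Versions follow the directive syntax; the per-cipher rule is the
standard one (AEAD and SHA-256/384 suites exist only from TLS 1.2).  The
client profiles below are constructed assumptions, not real-client data."""

# What "all" expands to on an Apache 2.4 build without TLS 1.3.  SSLv2 is long
# gone, so a "-SSLv2" token is accepted but changes nothing.  (TLS 1.3 builds
# add TLSv1.3 to "all"; its suites are fixed rather than picked from
# SSLCipherSuite, so it is left out of this model.)
KNOWN = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
RANK = {p: i for i, p in enumerate(KNOWN)}


def parse_ssl_protocol(value):
    """Versions enabled by an SSLProtocol value such as 'all -SSLv3 -TLSv1'."""
    enabled = set()
    for tok in value.split():
        op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        if name.lower() == "all":
            names = set(KNOWN)
        else:
            names = {name} if name in RANK else set()  # unknown (SSLv2): no-op
        enabled = enabled | names if op == "+" else enabled - names
    return enabled


def parse_cipher_suite(value):
    """Explicit suite names, in order, from an OpenSSL cipher string.  Keyword
    and modifier tokens (!DSS, @STRENGTH, HIGH, ...) are dropped."""
    return [t for t in value.split(":") if t and t[0] not in "!-+@" and "-" in t]


def needs_tls12(cipher):
    """GCM/CHACHA20 (AEAD) and SHA-256/384 HMAC suites arrived with TLS 1.2;
    the CBC/SHA-1 suites (AES128-SHA, DES-CBC3-SHA, ...) work from TLS 1.0."""
    return any(tag in cipher for tag in ("GCM", "CHACHA20", "SHA256", "SHA384"))


def negotiate(ssl_protocol, ssl_cipher_suite, client_versions, client_ciphers,
              honor_server_order=False):
    """(version, cipher) the handshake settles on, or None if it fails.
    The version is the highest both sides allow.  The cipher is the first
    mutually supported suite, in the order of the side that gets to prefer
    (SSLHonorCipherOrder off lets the client's order win), usable at that
    version."""
    common = parse_ssl_protocol(ssl_protocol) & set(client_versions)
    if not common:
        return None  # no shared version: protocol_version alert
    version = max(common, key=RANK.__getitem__)
    server_ciphers = parse_cipher_suite(ssl_cipher_suite)
    preferred, other = ((server_ciphers, client_ciphers) if honor_server_order
                        else (client_ciphers, server_ciphers))
    for cipher in preferred:
        if cipher in other and (version == "TLSv1.2" or not needs_tls12(cipher)):
            return version, cipher
    return None  # shared version but no usable suite: handshake_failure


# Certbot's options-ssl-apache.conf values quoted earlier in the thread.
INTERMEDIATE_PROTO = "all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"
INTERMEDIATE_CIPHERS = ("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
                        "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
                        "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
                        "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384")
# The old-server values the poster restored, abridged to the suites used here.
RELAXED_PROTO = "all -SSLv2 -SSLv3"
RELAXED_CIPHERS = ("ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
                   "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:AES128-SHA:"
                   "DES-CBC3-SHA:!DSS")

# Constructed client profiles (assumptions for the example, not measurements).
MODERN = ({"TLSv1.2"}, ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA"])
LEGACY = ({"TLSv1"}, ["ECDHE-RSA-AES128-SHA", "AES128-SHA", "DES-CBC3-SHA"])


def outcomes():
    """The four combinations that explain the thread."""
    return {
        "intermediate/modern": negotiate(INTERMEDIATE_PROTO, INTERMEDIATE_CIPHERS, *MODERN),
        "intermediate/legacy": negotiate(INTERMEDIATE_PROTO, INTERMEDIATE_CIPHERS, *LEGACY),
        "tls1.0-only-reenabled/legacy": negotiate(RELAXED_PROTO, INTERMEDIATE_CIPHERS, *LEGACY),
        "relaxed/legacy": negotiate(RELAXED_PROTO, RELAXED_CIPHERS, *LEGACY),
    }


if __name__ == "__main__":
    for name, result in outcomes().items():
        print(f"{name:30s} -> {result or 'handshake fails'}")
```

The model also shows the cost of the workaround: with the restored pair, any client that asks for TLS 1.0 gets it, with a CBC/SHA-1 suite, so the SSLProtocol and SSLCipherSuite lines should go back to the Certbot values once the client side supports TLS 1.2.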

You have multiple name:port overlaps:

port 443 namevhost localhost.localdomain (/etc/apache2/sites-enabled/000-fsa-net-le-ssl.conf:2)
             alias fsairlines.net
             alias www.fsairlines.net
port 443 namevhost fsairlines.net (/etc/apache2/sites-enabled/000-fsa-www-le-ssl.conf:2)
             alias www.fsairlines.org

port 80 namevhost localhost.localdomain (/etc/apache2/sites-enabled/000-fsa-net.conf:1)
            alias fsairlines.net
            alias www.fsairlines.net
port 80 namevhost localhost.localdomain (/etc/apache2/sites-enabled/000-fsa-www.conf:1)
            alias fsairlines.org
            alias www.fsairlines.org
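The name:port overlaps flagged above can be found mechanically rather than by eye. The following Python is an added example (not from the thread, from Certbot or from Apache) that parses the DUMP_VHOSTS output posted earlier, embedded verbatim, lists every name claimed on one port by more than one vhost, and reports which file Apache would actually use for a given Host or SNI name: for each port Apache walks the vhosts in the load order DUMP_VHOSTS prints and uses the first whose ServerName or ServerAlias matches, so a later duplicate never serves, and any certificate or SSL options included inside it are dead configuration.

```python
"""Added example (not from the thread or from Apache): find name:port overlaps
in `apachectl -t -D DUMP_VHOSTS` output and say which vhost file actually
answers a given Host / SNI name.  Apache walks the vhosts for a port in the
load order DUMP_VHOSTS prints and uses the first whose ServerName or
ServerAlias matches; a later duplicate never serves, so whatever it includes
(certificate, SSL options) is dead configuration."""
import re
from collections import defaultdict

# The DUMP_VHOSTS output posted earlier in this thread, verbatim.
DUMP = """\
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server localhost.localdomain (/etc/apache2/sites-enabled/000-fsa-beta-le-ssl.conf:2)
         port 443 namevhost localhost.localdomain (/etc/apache2/sites-enabled/000-fsa-beta-le-ssl.conf:2)
                 alias beta.fsairlines.net
         port 443 namevhost localhost.localdomain (/etc/apache2/sites-enabled/000-fsa-fsa5-le-ssl.conf:2)
                 alias fsa5.fsairlines.net
         port 443 namevhost localhost.localdomain (/etc/apache2/sites-enabled/000-fsa-net-le-ssl.conf:2)
                 alias fsairlines.net
                 alias www.fsairlines.net
         port 443 namevhost remote.fsairlines.net (/etc/apache2/sites-enabled/000-fsa-remote-le-ssl.conf:2)
         port 443 namevhost fsairlines.net (/etc/apache2/sites-enabled/000-fsa-www-le-ssl.conf:2)
                 alias www.fsairlines.org
*:80                   is a NameVirtualHost
         default server localhost.localdomain (/etc/apache2/sites-enabled/000-fsa-beta.conf:1)
         port 80 namevhost localhost.localdomain (/etc/apache2/sites-enabled/000-fsa-beta.conf:1)
                 alias beta.fsairlines.net
         port 80 namevhost localhost.localdomain (/etc/apache2/sites-enabled/000-fsa-fsa5.conf:1)
                 alias fsa5.fsairlines.net
         port 80 namevhost localhost.localdomain (/etc/apache2/sites-enabled/000-fsa-net.conf:1)
                 alias fsairlines.net
                 alias www.fsairlines.net
         port 80 namevhost remote.fsairlines.net (/etc/apache2/sites-enabled/000-fsa-remote.conf:1)
         port 80 namevhost localhost.localdomain (/etc/apache2/sites-enabled/000-fsa-www.conf:1)
                 alias fsairlines.org
                 alias www.fsairlines.org
"""

PORT_HDR = re.compile(r"^\S+:(\d+)\s+is a NameVirtualHost")
DEFAULT = re.compile(r"^\s*default server \S+ \((\S+):\d+\)")
VHOST = re.compile(r"^\s*port (\d+) namevhost (\S+) \((\S+):\d+\)")
ALIAS = re.compile(r"^\s*alias (\S+)")


def parse_dump(text):
    """Return (vhosts, defaults): vhosts is a load-ordered list of
    (port, file, [servername, alias, ...]); defaults maps port -> file of the
    vhost that answers when no name matches."""
    vhosts, defaults, port = [], {}, None
    for line in text.splitlines():
        if m := PORT_HDR.match(line):
            port = m.group(1)
        elif m := DEFAULT.match(line):
            defaults[port] = m.group(1)
        elif m := VHOST.match(line):
            vhosts.append((m.group(1), m.group(3), [m.group(2)]))
        elif (m := ALIAS.match(line)) and vhosts:
            vhosts[-1][2].append(m.group(1))
    return vhosts, defaults


def overlaps(text):
    """{(port, name): [file, ...]} for every name claimed by more than one
    vhost on the same port; the first file in each list is the one that wins."""
    claims = defaultdict(list)
    for port, path, names in parse_dump(text)[0]:
        for name in names:
            claims[(port, name)].append(path)
    return {key: files for key, files in claims.items() if len(files) > 1}


def serving_vhost(text, port, host):
    """File of the vhost that answers `host` on `port`: first match in load
    order, otherwise the port's default server."""
    vhosts, defaults = parse_dump(text)
    for p, path, names in vhosts:
        if p == port and host in names:
            return path
    return defaults.get(port)


if __name__ == "__main__":
    for (port, name), files in sorted(overlaps(DUMP).items()):
        print(f"port {port} {name}: served by {files[0]}, dead in {', '.join(files[1:])}")
```

Run against the posted output, the overlap that matters for the certificate problem is fsairlines.net on port 443, claimed by both 000-fsa-net-le-ssl.conf and 000-fsa-www-le-ssl.conf; only the first of those ever serves that name. The placeholder ServerName localhost.localdomain is also reported, on both ports, because several vhosts share it and are told apart only by their aliases; a request whose Host or SNI name matches nothing lands on the port's default server, which is the first vhost loaded for that port.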

Thanks for pointing that out, I will fix that. Could it have contributed to this problem?


hmm...
If the vhosts are using different settings [files].


@joefremont, please choose a post as "the solution"


You shouldn't edit that file.

It's better if you make a copy and edit the

include /etc/letsencrypt/options-ssl-apache.conf

line to point to your copy. (remove the "managed by certbot" comment :wink: )


I have done that. The new parameters in the copy of options-ssl-apache.conf are:

SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

And at this point all is working as it should. Thanks everyone for your help.

