Is there a way to force it to generate for TLS1.0? I could live with that while I update the client problem to support TLS1.2.
The cert can be used with any TLS version. It is just your server ciphers that need changing and you can do that manually.
But I also want to note your www subdomain CNAMEs to the root domain. That's fine of course, but the cert being used for https://fsairlines.net will fail client validation as it does not have its own name in the cert.
The TLS version has nothing to do with the certificate. You control that in your server configuration.
Good to know. I reverted the change I did and gave www its own cert.
I checked the apache config and it looks like everything except SSLv2 is active.
It's curious that it worked fine for over 3 weeks, then the problem started after the certificate was renewed.
But it's NOT.
Please show the config.
From mods-available/ssl.conf
# The protocols to enable.
# Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
# SSL v2 is no longer supported
SSLProtocol all -SSLv3
In the VirtualHost you might have something like:
Include /etc/letsencrypt/options-ssl-apache.conf
If so, what is in that conf file?
cat /etc/letsencrypt/options-ssl-apache.conf
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file. Contents are based on https://ssl-config.mozilla.org
SSLEngine on
# Intermediate configuration, tweak to your needs
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off
SSLOptions +StrictRequire
# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
That would definitely stifle Win7.
But I'm still not sure what is in use...
Please show:
sudo apachectl -t -D DUMP_VHOSTS
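The two SSLProtocol lines in this thread differ only in whether TLSv1 and TLSv1.1 are subtracted from "all", which is exactly what decides whether a TLS 1.0-only client can still connect. The following is an added example, not code from the thread or from Certbot: it evaluates an SSLProtocol directive the way mod_ssl does (tokens applied left to right, "all" expanding to every supported version, "-SSLv2" tolerated as a no-op) and reports which versions stay enabled, which deprecated ones are still on, and whether a given client could negotiate. It assumes a mod_ssl built against an OpenSSL that offers TLSv1.3; trim SUPPORTED for older builds.

```python
# Added example: evaluate an Apache SSLProtocol directive like mod_ssl does.
# Assumption: mod_ssl built against an OpenSSL with TLSv1.3; older builds
# stop at TLSv1.2, so drop it from SUPPORTED for those.
SUPPORTED = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
CANON = {v.lower(): v for v in SUPPORTED}   # token matching is case-insensitive
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}       # versions a modern policy disables


def enabled_versions(directive: str) -> list:
    """Return the protocol versions an SSLProtocol directive leaves enabled."""
    tokens = directive.split()
    if not tokens or tokens[0] != "SSLProtocol":
        raise ValueError("expected an SSLProtocol directive")
    enabled = set()
    for tok in tokens[1:]:
        sign = None
        if tok[0] in "+-":
            sign, tok = tok[0], tok[1:]
        if tok.lower() == "all":
            names = set(SUPPORTED)
        elif tok.lower() in CANON:
            names = {CANON[tok.lower()]}
        elif sign == "-":
            names = set()      # e.g. -SSLv2: nothing to remove, mod_ssl accepts it
        else:
            raise ValueError(f"unsupported protocol token: {tok}")
        if sign == "-":
            enabled -= names
        elif sign == "+":
            enabled |= names
        else:
            enabled = names    # a bare token replaces everything set before it
    return [v for v in SUPPORTED if v in enabled]


def negotiable(directive: str, client_versions) -> list:
    """Versions a client offering client_versions could agree on with this server."""
    return [v for v in enabled_versions(directive) if v in set(client_versions)]


def legacy_enabled(directive: str) -> list:
    """Deprecated versions the directive still leaves switched on."""
    return [v for v in enabled_versions(directive) if v in LEGACY]


if __name__ == "__main__":
    tls10_client = ["TLSv1"]   # constructed: a client that only speaks TLS 1.0
    for d in ("SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1", "SSLProtocol all -SSLv2 -SSLv3"):
        print(d, "->", enabled_versions(d))
        print("  TLS1.0-only client connects:", bool(negotiable(d, tls10_client)),
              "| legacy still on:", legacy_enabled(d))
```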
I replaced those two parameters with what was in the old server and now it works. This will be fine for now; it's no less secure than the old server. Thanks for your help.
> sudo apachectl -t -D DUMP_VHOSTS
sudo apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:443 is a NameVirtualHost
default server localhost.localdomain (/etc/apache2/sites-enabled/000-fsa-beta-le-ssl.conf:2)
port 443 namevhost localhost.localdomain (/etc/apache2/sites-enabled/000-fsa-beta-le-ssl.conf:2)
alias beta.fsairlines.net
port 443 namevhost localhost.localdomain (/etc/apache2/sites-enabled/000-fsa-fsa5-le-ssl.conf:2)
alias fsa5.fsairlines.net
port 443 namevhost localhost.localdomain (/etc/apache2/sites-enabled/000-fsa-net-le-ssl.conf:2)
alias fsairlines.net
alias www.fsairlines.net
port 443 namevhost remote.fsairlines.net (/etc/apache2/sites-enabled/000-fsa-remote-le-ssl.conf:2)
port 443 namevhost fsairlines.net (/etc/apache2/sites-enabled/000-fsa-www-le-ssl.conf:2)
alias www.fsairlines.org
*:80 is a NameVirtualHost
default server localhost.localdomain (/etc/apache2/sites-enabled/000-fsa-beta.conf:1)
port 80 namevhost localhost.localdomain (/etc/apache2/sites-enabled/000-fsa-beta.conf:1)
alias beta.fsairlines.net
port 80 namevhost localhost.localdomain (/etc/apache2/sites-enabled/000-fsa-fsa5.conf:1)
alias fsa5.fsairlines.net
port 80 namevhost localhost.localdomain (/etc/apache2/sites-enabled/000-fsa-net.conf:1)
alias fsairlines.net
alias www.fsairlines.net
port 80 namevhost remote.fsairlines.net (/etc/apache2/sites-enabled/000-fsa-remote.conf:1)
port 80 namevhost localhost.localdomain (/etc/apache2/sites-enabled/000-fsa-www.conf:1)
alias fsairlines.org
alias www.fsairlines.org
The new values in /etc/letsencrypt/options-ssl-apache.conf
> SSLProtocol all -SSLv2 -SSLv3
> SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
You have multiple name:port overlaps:
port 443 namevhost localhost.localdomain (/etc/apache2/sites-enabled/000-fsa-net-le-ssl.conf:2)
alias fsairlines.net
alias www.fsairlines.net
port 443 namevhost fsairlines.net (/etc/apache2/sites-enabled/000-fsa-www-le-ssl.conf:2)
alias www.fsairlines.org
port 80 namevhost localhost.localdomain (/etc/apache2/sites-enabled/000-fsa-net.conf:1)
alias fsairlines.net
alias www.fsairlines.net
port 80 namevhost localhost.localdomain (/etc/apache2/sites-enabled/000-fsa-www.conf:1)
alias fsairlines.org
alias www.fsairlines.org
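Apache answers a request for a name on a port from the first vhost whose ServerName or ServerAlias matches, so every later vhost that claims the same name:port is never selected under that name and, on 443, its certificate is never presented. The following is an added example (not from the thread or from Apache) that parses DUMP_VHOSTS output and reports exact name:port duplicates; the sample embedded in it is the relevant part of the dump posted above.

```python
import re
from collections import defaultdict

# Added example: find name:port overlaps in `apachectl -t -D DUMP_VHOSTS` output.
# Apache serves a name on a port from the FIRST vhost whose ServerName or
# ServerAlias matches, so later vhosts for the same name:port are unreachable
# under that name (and never present their certificate on 443).
VHOST_RE = re.compile(r"^\s*port (\d+) namevhost (\S+) \((\S+)\)")
ALIAS_RE = re.compile(r"^\s*alias (\S+)")


def find_overlaps(dump: str) -> dict:
    """Map (port, name) -> vhost sources, keeping only names defined 2+ times."""
    seen = defaultdict(list)
    port = source = None
    for line in dump.splitlines():
        m = VHOST_RE.match(line)
        if m:
            port, name, source = m.groups()
            seen[(port, name)].append(source)
            continue
        m = ALIAS_RE.match(line)
        if m and source is not None:       # alias belongs to the last namevhost
            seen[(port, m.group(1))].append(source)
    return {k: v for k, v in seen.items() if len(v) > 1}


# Constructed sample: the 443 section of the dump posted in this thread.
SAMPLE = """VirtualHost configuration:
*:443 is a NameVirtualHost
default server localhost.localdomain (/etc/apache2/sites-enabled/000-fsa-beta-le-ssl.conf:2)
port 443 namevhost localhost.localdomain (/etc/apache2/sites-enabled/000-fsa-beta-le-ssl.conf:2)
        alias beta.fsairlines.net
port 443 namevhost localhost.localdomain (/etc/apache2/sites-enabled/000-fsa-net-le-ssl.conf:2)
        alias fsairlines.net
        alias www.fsairlines.net
port 443 namevhost fsairlines.net (/etc/apache2/sites-enabled/000-fsa-www-le-ssl.conf:2)
        alias www.fsairlines.org
"""

if __name__ == "__main__":
    for (port, name), sources in sorted(find_overlaps(SAMPLE).items()):
        print(f"{name}:{port} is defined {len(sources)} times; only the first wins:")
        for s in sources:
            print("   ", s)
```

Feed it the real dump with `find_overlaps(subprocess.check_output(["apachectl", "-t", "-D", "DUMP_VHOSTS"], text=True))`; the localhost.localdomain duplicates it reports come from vhosts that never set a ServerName.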
> You have multiple name:port overlaps:
Thanks for pointing that out, I will fix that. Could it have contributed to this problem?
hmm...
If the vhosts are using different settings [files].
> The new values in /etc/letsencrypt/options-ssl-apache.conf
You shouldn't edit that file.
It's better if you make a copy and edit the "include /etc/letsencrypt/options-ssl-apache.conf" line to point to your copy (remove the "managed by certbot" comment).
> It's better if you make a copy and edit the
> include /etc/letsencrypt/options-ssl-apache.conf
I have done that. The new parameters in the copy of options-ssl-apache.conf are:
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
And at this point all is working as it should. Thanks everyone for your help.