Does Letsencrypt work with selinux=enforcing?


#1

Hi,

I successfully created the certs but ssllabs cannot authenticate it.

Does selinux=enforcing create an issue? I did not receive any issues though.

Regards


#2

Hi @samraw003

what’s the error ssllabs reported? If your domain is https://web.harvestdata.today/ - there is a timeout, so ssllabs can’t check it.

Certificates are created - two today

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:web.harvestdata.today&lu=cert_search

with the www + non-www domain name.


#3

Hi,

First of all, may I know if there’s any difference between this post & How to get ‘A’ rated cert!?

If so, what’s the difference?

If not, why open another thread?

Thank you


#4

I think that thread has nothing to do with the other one. The other one is about how to configure the way your server (apache2, nginx, …) talks to the browser, in a way that ssllabs rates it secure.

This thread is about how improving the security of the server (debian, …) can affect the use of Let’s Encrypt certificates.

Depends.

  1. Does it create an issue for the generation of the certificate? I think not, but it will depend on which software you used to get the Let’s Encrypt certificate.

  2. Does it create an issue for the usage of the certificate? No more than with another certificate.


#5

Emm…
I’m thinking that the OP is still asking the same question due to this portion of the sentence.

I’m not sure though… Waiting for OP’s response.


#6

Hi @JuergenAuer , @stevenzhu, & @tdelmas

Thanks for help.

As @JuergenAuer pointed out, I did create two new certs today for the same domain. The only difference was selinux.

Certs have been created but ssllabs cannot verify same.

What could be the issue?
@stevenzhu, I believe the difference between previous thread and this one is that I did create and verify the certs with ssllabs last time.

Regards


#7

There is a timeout:

https://web.harvestdata.today

Same with

https://www.web.harvestdata.today/

So ssllabs can’t check your domain.


#8

Hi @JuergenAuer,

er…may I ask… why is this timeout? This was not the issue last time I created the certs!

Regards


#9

Check your server. Or there is a firewall that blocks.

If I can’t load your site via browser, ssllabs can’t check your site.


#10

Hi @JuergenAuer,

Thanks a ton for continued support and guidance.

If you could please check now… it seems to be accessible… however, the story is the same as last time… web.harvestdata.today has issues, whereas www.web.harvestdata.today seems to be fine…

Regards


#11

https://web.harvestdata.today/ has a self signed certificate:

Issuer:

E = root@web.harvestdata.today
CN = web.harvestdata.today
OU = ca-3653660601090501477
O = Unspecified
C = US

https://www.web.harvestdata.today/ is good, has the correct Letsencrypt certificate with two domain names:

DNS-Name: web.harvestdata.today
DNS-Name: www.web.harvestdata.today

So web.harvestdata.today uses a wrong or a default (wrong) configuration.

Perhaps it may be enough if you have an Apache vHost and add an Alias:

    ServerName www.web.harvestdata.today
    ServerAlias web.harvestdata.today

Perhaps you must remove a wrong vHost - configuration (or change the ServerName of this vHost to a non-existent domain name).

If this doesn’t work, share your Apache SSL configuration.

PS: There is no ssllabs - check required. And selinux=enforcing isn’t relevant, it’s a normal configuration problem. Two domain names, one certificate with the same two domain names.


#12

Hi @JuergenAuer,

Thanks a lot … it worked. Now both the urls work on https. Thanks a Ton!..
But… if we type https://web.harvestdata.today it again shows warning about site not being safe. web.harvestdata.today though directs to https://www.web.harvestdata.today/ and works fine!

There is one other issue though… there is a reverse proxy to tomcat (hosted on the same server) that has stopped working now… I know this has nothing to do with Letsencrypt certs… but can you please guide me on this as well?

following are the contents of a .conf file in the conf.d directory:

    # forward ORDS requests to tomcat
    <VirtualHost *:80>
    # uncomment the lines below if you plan to serve different domains
    # on this web server, don't forget to change the domain name

    # alias for apex image files
    Alias "/i" "/var/www/apex/images/"

    # uncomment the line below if you want
    # to redirect traffic to ORDS from root path
    # RedirectMatch permanent "^/$" "/ords"

    # proxy ORDS requests to tomcat
    ProxyRequests off
    <Location "/ords">
        ProxyPass "ajp://localhost:8009/ords/"
        ProxyPassReverse "ajp://localhost:8009/ords/"
    </Location>
    </VirtualHost>

Regards


#13

As written there

there is a self signed certificate, you have to change that.

If this doesn’t work, share your Apache SSL configuration.


#14

Hi @JuergenAuer,

Thanks for pointing out Apache SSL configurations… I could locate it and fix the issue.

I am ever so grateful for your help and guidance.

Have a great day!

Regards


#15

Yep, happy to see that - https://web.harvestdata.today/ is now correct with a Letsencrypt-certificate with two domain names:

DNS-Name: web.harvestdata.today
DNS-Name: www.web.harvestdata.today

#16

Hi @JuergenAuer,

Thanks for reconfirming same.

Can you please point me to a direction to fix reverse proxy issue with https ? I will try my best to fix that as well.

Thanks and regards


#17

I don’t see a problem with your reverse proxy. And I don’t see how I could test something.

But if you add https, you should add a https - reverse proxy.

The http - proxy can’t work if there is a https - connection.

So your proxy should use the same certificate.
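Added example covering the two points made in #11 and #17 (one vHost that answers for both names the certificate carries, and the /ords proxy placed in that https vHost so it works over the TLS connection). This is not the poster's configuration and not something from the thread: the hostnames are the ones discussed above, but the file path, the DocumentRoot and the /etc/letsencrypt/live/... certificate paths are assumptions (certbot names the lineage directory after the first domain it was given; `certbot certificates` shows the real path).

```apache
# /etc/httpd/conf.d/web.harvestdata.today.conf   (file name is an assumption)
# Added example, not the poster's file. mod_ssl, mod_proxy and mod_proxy_ajp
# must be loaded. Certificate paths assume a certbot lineage named after the
# www name; adjust to the output of `certbot certificates`.

<VirtualHost *:443>
    # Both names in the certificate's SAN list must match this vHost. A name
    # that matches no vHost falls through to the first :443 vHost Apache
    # loaded, which on many distributions is the default one that serves a
    # self-signed localhost certificate (the symptom seen in #11).
    ServerName  www.web.harvestdata.today
    ServerAlias web.harvestdata.today

    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/www.web.harvestdata.today/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.web.harvestdata.today/privkey.pem

    # APEX static images, as in the poster's :80 file.
    Alias "/i" "/var/www/apex/images/"

    # Never act as an open forward proxy; only the explicit ProxyPass applies.
    ProxyRequests off
    # Pass the public Host header through so Tomcat builds redirects
    # with the public name rather than "localhost".
    ProxyPreserveHost On

    <Location "/ords">
        # TLS terminates in Apache; the hop to Tomcat stays on loopback over AJP.
        # AJP carries the client's scheme to Tomcat, so ORDS sees "https".
        # Only the front-end certificate above is involved; Tomcat needs none.
        ProxyPass        "ajp://localhost:8009/ords/"
        ProxyPassReverse "ajp://localhost:8009/ords/"
    </Location>
</VirtualHost>

# The :80 vHost no longer needs the proxy; it only sends clients to https.
# (Let's Encrypt follows this redirect during an HTTP-01 renewal.)
<VirtualHost *:80>
    ServerName  www.web.harvestdata.today
    ServerAlias web.harvestdata.today
    Redirect permanent "/" "https://www.web.harvestdata.today/"
</VirtualHost>
```

Checks after reloading: `apachectl -S` lists which vHost Apache picked for each name on port 443 (both names must map to this one, not to a `_default_:443` entry from ssl.conf), and `openssl s_client -servername web.harvestdata.today -connect web.harvestdata.today:443 </dev/null | openssl x509 -noout -issuer -ext subjectAltName`, repeated with the www name, must show the Let's Encrypt issuer and both DNS names each time. If the AJP hop still fails, check the Tomcat side: with Tomcat 8.5.51/9.0.31 and later the AJP connector only listens on localhost and rejects connections unless a shared secret is configured (or `secretRequired="false"` is set on the connector); httpd 2.4.42 and later can send that secret with a `secret=...` parameter on the ProxyPass line.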


#18

Hi @JuergenAuer,

Thanks for your inputs… will try to fix it…

Regards

Sammeer


#19

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.