Getting B-Grade when I test the Let's Encrypt certificate on https://www.ssllabs.com/ssltest/

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: drmanishjoshi.com

I ran this command: went to website https://www.ssllabs.com/ssltest/ , provided my domain and tested for SSL.

It produced this output: the https://www.ssllabs.com/ssltest/ website tested my SSL and marked it as B-Grade.

My web server is (include version): apache latest

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.31.0

2 Likes

The SSLLabs test isn't a test purely for the certificate. It mostly checks your webserver configuration. A problem with the cert wouldn't affect the grade with the exception of a very low grade when the certificate isn't trusted.

It also clearly states why you're getting a grade B. Did you read the notices?

3 Likes

Hi Osiris,

I just now checked the notices, and below are my observations:

  1. Looks like the SSL test was B rated because my server is supporting TLS version < 1.2.
     Even though the notice also states that the server supports TLS 1.2 and 1.3, it still marked it as B grade. Do you know how to disable support for TLS versions < 1.2?

  2. My cert is issued by Let's Encrypt, however the SSL test report states that Cloudflare has issued the certificate. I use the free version of Cloudflare CDN but don't remember configuring any Cloudflare SSL cert. Do you know why this is happening?

Best Regards,
Girish

3 Likes

Welcome to the Let's Encrypt Community, Girish :slightly_smiling_face:

When you use Cloudflare, your visitors connect to Cloudflare's network (not your server), which serves Cloudflare's certificate to your visitors. Cloudflare then connects to your server, which serves a certificate to Cloudflare. If you use Cloudflare's Full SSL option, your server can serve Cloudflare a self-signed certificate (not recommended). If you use Cloudflare's Full (strict) SSL option, your server must serve Cloudflare either a Cloudflare Origin CA certificate or a certificate issued by a trusted CA (like Let's Encrypt). I highly recommend using a Cloudflare Origin CA certificate because it lasts much longer than a Let's Encrypt certificate and is very easy to manage through Cloudflare.

https://support.cloudflare.com/hc/en-us/articles/360024787372-End-to-end-HTTPS-with-Cloudflare-Part-1-conceptual-overview

https://support.cloudflare.com/hc/en-us/articles/115000479507


For Cloudflare:

Use the following link and set to TLSv1.2 or TLSv1.3:
https://dash.cloudflare.com/redirect?zone=ssl-tls/edge-certificates

For your server:

Open /etc/letsencrypt/options-ssl-apache.conf with a text editor using root (for example: sudo nano /etc/letsencrypt/options-ssl-apache.conf). Modify according to the following then reload apache. You may have some of the directives cited below in multiple configuration files, so be sure to check.

SSLEngine on

# Comment out the existing line:
# SSLProtocol all -SSLv2 -SSLv3
# Add a new line:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

# Comment out the existing line:
# SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305 .....
# Add a new line:
SSLCipherSuite HIGH:!aNULL:!MD5:!3DES

SSLHonorCipherOrder on
SSLCompression off

2 Likes
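Because the post above warns that SSLProtocol may be set in several Apache config files, here is an added example (not from the thread or from Certbot) that resolves each active SSLProtocol line the way mod_ssl does and flags any that still leave SSLv3/TLS 1.0/TLS 1.1 enabled. It assumes Apache 2.4 mod_ssl semantics ("all" enables every protocol the build knows, "+name" adds, "-name" removes, a bare name replaces what was set before it) and uses a constructed sample config.

```python
"""Audit Apache mod_ssl 'SSLProtocol' lines for legacy protocol support.

Added example, not code from the thread. Assumes Apache 2.4 mod_ssl semantics:
'all' enables every protocol the build knows, '+name' adds, '-name' removes,
and a bare name replaces whatever was set before it.
"""
import re

# Protocols a current mod_ssl/OpenSSL build can enable; SSLv2 is never available.
KNOWN = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}   # what SSL Labs caps at grade B

def effective_protocols(args: str) -> set:
    """Resolve the argument list of one SSLProtocol directive into the enabled set."""
    enabled = set()
    for word in args.split():
        action, name = (word[0], word[1:]) if word[0] in "+-" else ("", word)
        this = set(KNOWN) if name.lower() == "all" else {n for n in KNOWN if n.lower() == name.lower()}
        if action == "-":
            enabled -= this
        elif action == "+":
            enabled |= this
        else:            # no prefix: mod_ssl discards what was set earlier on the line
            enabled = this
    return enabled

_DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)

def audit_config(text: str):
    """Return (line_no, enabled set, legacy set) for each active SSLProtocol line.
    Commented-out lines ('# SSLProtocol ...') are skipped, so the old line you
    commented out as instructed above does not trip the audit."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = _DIRECTIVE.match(line)
        if m:
            enabled = effective_protocols(m.group(1))
            findings.append((no, enabled, enabled & LEGACY))
    return findings

# Constructed sample resembling options-ssl-apache.conf after applying the fix above.
SAMPLE = """\
SSLEngine on
# SSLProtocol all -SSLv2 -SSLv3
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on
"""

if __name__ == "__main__":
    for no, enabled, legacy in audit_config(SAMPLE):
        state = "OK" if not legacy else "LEGACY: " + ", ".join(sorted(legacy))
        print(f"line {no}: {sorted(enabled)} -> {state}")
```

Run it over every file under /etc/apache2 and /etc/letsencrypt that mentions SSLProtocol (for example via `grep -ril sslprotocol`) and then re-run the SSL Labs test to confirm only TLS 1.2 and 1.3 remain.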

There is an article here on some of the good configs for Apache2.

Note: there is a balance between making a secure server and making a server that clients can connect to.

One of the things to check once you update your configs as above is the client support.

Otherwise you may spend a lot of hours troubleshooting why your customers can't access your site.

Note also: TLS 1.1 and older protocols are being phased out (google "tls 1.1 end of life").

2 Likes

Thank you all for your help and advice.

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.