Getting B-Grade when I test the Lets-encyrpt certificate on https://www.ssllabs.com/ssltest/

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:drmanishjoshi.com

I ran this command: went to website https://www.ssllabs.com/ssltest/ , provided my domain and tested for SSL.

It produced this output: the https://www.ssllabs.com/ssltest/ website tested my SSL and marked it as B-Grade.

My web server is (include version): apache latest

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.31.0

The SSLLabs test isn't a test purely for the certificate. It mostly checks your webserver configuration. A problem with the cert wouldn't affect the grade with the exception of a very low grade when the certificate isn't trusted.

It also clearly states why you're getting a grade B. Did you read the notices?

Hi Osiris,

I just now checked the notices.......and below are my observations....

1. Looks like the SSL test was B rated because my server is supporting TLS version < 1.2
   Even though the notice also states that server is also support TLS 1.2, 1.3, still it marked it as B grade. Do you know how to disable support for TLS VERSION < than1.2

2. My cert is issued from Lets Encrypt, however on the SSL test report it states that Cloudflare has issued the certificate. I use the free version of Cloudflare CDN but dont remember configuring any SSL cert of cloud flare. Could you know why this is happening?

Best Regards,
Girish

Welcome to the Let's Encrypt Community, Girish

When you use Cloudflare, your visitors connect to Cloudflare's network (not your server), which serves Cloudflare's certificate to your visitors. Cloudflare then connects to your server, which serves a certificate to Cloudflare. If you use Cloudflare's Full SSL option, your server can serve Cloudflare a self-signed certificate (not recommended). If you use Cloudflare's Full (strict) SSL option, your server must serve Cloudflare either a Cloudflare Origin CA certificate or a certificate issued by a trusted CA (like Let's Encrypt). I highly recommend using a Cloudflare Origin CA certificate because it lasts much longer than a Let's Encrypt certificate and is very easy to manage through Cloudflare.

https://support.cloudflare.com/hc/en-us/articles/360024787372-End-to-end-HTTPS-with-Cloudflare-Part-1-conceptual-overview

https://support.cloudflare.com/hc/en-us/articles/115000479507

For Cloudflare:

Use the following link and set to TLSv1.2 or TLSv1.3:
https://dash.cloudflare.com/redirect?zone=ssl-tls/edge-certificates

For your server:

Open /etc/letsencrypt/options-ssl-apache.conf with a text editor using root (for example: sudo nano /etc/letsencrypt/options-ssl-apache.conf). Modify according to the following then reload apache. You may have some of the directives cited below in multiple configuration files, so be sure to check.

SSLEngine on

# Comment out the existing line:
# SSLProtocol all -SSLv2 -SSLv3
# Add a new line:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

#Comment out the existing line:
# SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305 .....
# Add a new line:
SSLCipherSuite HIGH:!aNULL:!MD5:!3DES

SSLHonorCipherOrder on
SSLCompression off

there is an article here on some of the good configs for Apache2

Note: there is a balance between making a secure server and making a server that clients can connect to.

One of the things to check once you update your configs as above is the client support.

Otherwise you may spend a lot of hours troubleshooting why your customers can't access your site

Note also: TLS 1.1 and older ptorocols are being phased out (google tls 1.1 end of life)

Thanks You All for your help and advise.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.