Grade F on SSLLabs from Certbot

My domain is: https://www.noob.software

I ran this command: Ran certbot for XAMPP on Ubuntu that is: ```
sudo certbot --apache-ctl /opt/lampp/bin/apachectl


It produced this output: I got a grade F on SSL Labs

My web server is (include version): Latest XAMPP on ubuntu

The operating system my web server runs on is: Latest Ubuntu Server (20.04)

I'm hosting the website on my own machine, can SSH into it.

The version of my client is: certbot 0.40.0 

Output of ssllabs:

Subject 	localhost
Fingerprint SHA256: 9de541b039cfdb96c7810df49efd958b28cc2df73e314f67c1a91469a2b19796
Pin SHA256: JwhS2EGwOU9bh6s4LJZAsHEauA6aBJm8zJlwpoQy1xU=
Common names 	localhost
Alternative names 	-   INVALID
Serial Number 	00
Valid from 	Fri, 01 Oct 2004 09:10:30 UTC
Valid until 	Thu, 30 Sep 2010 09:10:30 UTC (expired 9 years and 10 months ago)   EXPIRED
Key 	RSA 1024 bits (e 65537)   WEAK
Weak key (Debian) 	No
Issuer 	localhost   Self-signed
Signature algorithm 	MD5withRSA   INSECURE
Extended Validation 	No
Certificate Transparency 	No
OCSP Must Staple 	No
Revocation information 	None
DNS CAA 	No (more info)
Trusted 	No   NOT TRUSTED (Why?)

I want to understand why Certbot gave me a weak key and insecure signature aglorithm. Also how can i change the common names/alternative names?

Firefox also says the signature is expired but certbot says it isn't.

Any help is appreciated.
2 Likes

Hi @siggi

there is a ~~10 years expired (2010-09-30) certificate with MD5 as hash installed.

That’s not something Certbot has installed.

Your output of the Certbot command is required, not the - expected - result from Ssllabs.

2 Likes

This is the output from the command " sudo certbot --apache-ctl /opt/lampp/bin/apachectl" :

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?


1: www.noob.software


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 1
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn’t close to expiry.
(ref: /etc/letsencrypt/renewal/www.noob.software.conf)

What would you like to do?


1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)


Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 1
Keeping the existing certificate
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/000-default-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.


1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you’re confident your site works on HTTPS. You can undo this
change by editing your web server’s configuration.


Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Enhancement redirect was already set.


Congratulations! You have successfully enabled https://www.noob.software

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=www.noob.software


IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/www.noob.software/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/www.noob.software/privkey.pem
    Your cert will expire on 2020-10-31. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the “certonly” option. To non-interactively renew all of
    your certificates, run “certbot renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

I had already installed certbot to the built-in apache on ubuntu before i installed the XAMPP way. So i assumed that that was the reason certbot prompted me to reinstall or renew or replace.

If i run this command : sudo certbot renew --rsa-key-size 4096

i get this output:


Processing /etc/letsencrypt/renewal/www.noob.software.conf


Cert not yet due for renewal


The following certs are not due for renewal yet:
/etc/letsencrypt/live/www.noob.software/fullchain.pem expires on 2020-10-31 (skipped)
No renewals were attempted.

1 Like

Then Certbot doesn’t understand your configuration, you may have different Apaches or there is another problem.

What says

/opt/lampp/bin/apachectl -S
2 Likes

AH00112: Warning: DocumentRoot [/opt/lampp/docs/dummy-host.example.com] does not exist
AH00112: Warning: DocumentRoot [/opt/lampp/docs/dummy-host2.example.com] does not exist
VirtualHost configuration:
*:80 is a NameVirtualHost
default server dummy-host.example.com (/opt/lampp/etc/extra/httpd-vhosts.conf:23)
port 80 namevhost dummy-host.example.com (/opt/lampp/etc/extra/httpd-vhosts.conf:23)
alias www.dummy-host.example.com
port 80 namevhost dummy-host2.example.com (/opt/lampp/etc/extra/httpd-vhosts.conf:32)
ServerRoot: “/opt/lampp”
Main DocumentRoot: “/opt/lampp/htdocs”
Main ErrorLog: “/opt/lampp/logs/error_log”
Mutex proxy-balancer-shm: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ldap-cache: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/opt/lampp/logs/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex authdigest-opaque: using_defaults
PidFile: “/opt/lampp/logs/httpd.pid”
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
Define: MODPERL2
User: name=“daemon” id=1 not_used
Group: name=“daemon” id=1 not_used

1 Like

Please: You see, that’s not the Apache Certbot sees.

There is no matching vHost.

This

Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/000-default-le-ssl.conf

exists, but isn’t used.

If you use an own configuration, you have to tell Certbot all details.

Read

to create the correct Certbot command. Looks like there are much more parameters required.

2 Likes

@siggi!
https://www.ssllabs.com/ssltest/analyze.html?d=www.noob.software
GRADE A!!
Good Job
Rip

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.