Help with Certbot renewal & plugins


#41

Where do I see the cert life?

Also, certbot certificate, is it a command or some file?


#43

I don’t see one. But your configuration isn’t good:


Domainname                                  Http-Status  redirect                                  Sec.   G
http://vorman.mooo.com/  (148.75.65.185)    302          http://vorman.mooo.com/index.php/login    0.506  D
http://vorman.mooo.com/index.php/login      200                                                    0.637  H
https://vorman.mooo.com/  (148.75.65.185)   302          https://vorman.mooo.com/index.php/login   6.486  A
https://vorman.mooo.com/index.php/login     200                                                    2.660  A

You have a redirect to your login page. But the login page uses http, which is bad.

So http -> https, then / -> login.


#44

root@vorman:~/lets# certbot certificates

bash: certbot: command not found


#45

Sorry!
certbot-auto certificates
LOL


#46

Please show, confused.


#47

Check it

Your browser may cache the https status, so you can’t use your browser to test such things.

But a new user doesn’t use https if there is no redirect.


#48

Thanks, let me write this down lol. And how I renewed. Next time it'll be easier for me. Appreciate the help.


#49

Just use:
certbot-auto
or
certbot-auto renew

Which can be called from a cron job (twice a day is the recommendation).
It will only actually renew when less than 30 days are left.


#50

This is still French to me, sorry, how do I fix it?


#51

The config doesn’t force HTTP to HTTPS.
So anyone going to http://vorman.mooo.com/
gets this:
wget http://vorman.mooo.com/
--2018-12-08 11:01:22--  http://vorman.mooo.com/
Resolving vorman.mooo.com (vorman.mooo.com)... 148.75.65.185
Connecting to vorman.mooo.com (vorman.mooo.com)|148.75.65.185|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://vorman.mooo.com/index.php/login [following]
--2018-12-08 11:01:23--  http://vorman.mooo.com/index.php/login
Reusing existing connection to vorman.mooo.com:80.
HTTP request sent, awaiting response... 200 OK

Instead of:
https://vorman.mooo.com/index.php/login


#52

I understand this part, but where in the file do I fix it? And how?


#53

From example #1 at: https://redmine.lighttpd.net/projects/1/wiki/HowToRedirectHttpToHttps
This will redirect ALL http connections to https.
Add to your LIGHTTPD config (and restart web service):

$HTTP["scheme"] == "http" {
    # capture vhost name with regex conditional -> %0 in redirect pattern
    # must be the innermost block around the redirect rule
    $HTTP["host"] =~ ".*" {
        # %0 = matched host, $0 = matched request path
        url.redirect = (".*" => "https://%0$0")
    }
}

#54

Now you have a Grade B, this is ok. Your users are redirected to https, so you don’t have http anymore.

Adding HSTS (to get a Grade A) - wait some time.

If HSTS is set and the certificate is expired, the user can’t create an exception. So the page would be blocked.

So HSTS (+ preload) is a wonderful security feature. But it requires always valid certificates and a working renewal function.
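As an added example (not from the thread, and not the checker its author mentions), a small Python script that applies the same reasoning to a redirect chain: it walks the hops a first-time visitor starting at http:// would follow, flags any page still served over plain http, notes whether HSTS is present on an https response, and maps the result onto the H/B/A scale used in the thread. The chains and header values are constructed to mirror the wget output quoted above, and the grading is a simplification assumed for illustration.

```python
from urllib.parse import urlparse

# Constructed sample chains modelled on the wget output quoted in the thread;
# these are hypothetical captures, not a live probe of the site.
BEFORE_FIX = [
    ("http://vorman.mooo.com/", 302, {"Location": "http://vorman.mooo.com/index.php/login"}),
    ("http://vorman.mooo.com/index.php/login", 200, {}),
]
AFTER_FIX = [
    ("http://vorman.mooo.com/", 301, {"Location": "https://vorman.mooo.com/"}),
    ("https://vorman.mooo.com/", 302, {"Location": "https://vorman.mooo.com/index.php/login"}),
    ("https://vorman.mooo.com/index.php/login", 200,
     {"Strict-Transport-Security": "max-age=31536000"}),
]


def assess_chain(chain):
    """Walk a chain of (url, status, headers) hops, starting from an http://
    URL, and report what a first-time visitor would actually end up with."""
    findings = []
    hsts = False
    for i, (url, status, headers) in enumerate(chain):
        scheme = urlparse(url).scheme
        location = headers.get("Location")
        if 300 <= status < 400 and location:
            # A redirect that stays on http keeps the visitor unprotected.
            if urlparse(location).scheme == "http":
                findings.append(f"hop {i}: {url} redirects to plain http ({location})")
        elif status == 200 and scheme != "https":
            findings.append(f"final page {url} is served over plain http")
        # Browsers only honour Strict-Transport-Security on an https response;
        # the header on a plain-http response is ignored.
        if "Strict-Transport-Security" in headers and scheme == "https":
            hsts = True
    forces_https = not findings and urlparse(chain[-1][0]).scheme == "https"
    return {"forces_https": forces_https, "hsts": hsts, "findings": findings}


def simple_grade(result):
    """Rough grade on the thread's own scale (H: visitor not moved to https,
    B: forced https, A: forced https plus HSTS). Simplified, for illustration."""
    if not result["forces_https"]:
        return "H"
    return "A" if result["hsts"] else "B"


if __name__ == "__main__":
    for name, chain in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        result = assess_chain(chain)
        print(name, simple_grade(result), result["findings"])
```

The "before" chain reproduces the thread's problem (login page reached over http), the "after" chain is what the lighttpd redirect plus an HSTS header would produce.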


#55

The server's preferred cipher suite order needs some proper re-ordering (in strongest to weakest order):


#56

I’m not SslLabs. This is my own check because I don’t want to test all these things manually.

Before, the site had Grade H - no https, now B.


#57

I hit the max limit of replies in one day yesterday.

Thanks a lot to you and @rg305. Very helpful