How do I change forward secrecy?


#1

Hey, I would like to - as an experiment - hit a 100% score on the Dutch Internet.nl test, but the only problem I run into is the following:

The “forward secrecy” settings are unsafe:

'DH-1024'

How can I fix this? I am running Vesta CP with a script that automatically updates the certificates and symlinks them to their correct directories. This is the command line:

#Set the command that should be used to run the letsencrypt tool
#Include any arguments that should be used by default
#(arguments shouldn't be necessary if using /etc/letsencrypt/cli.ini)
#The -m (mail) and -d (domain) options will be added automatically
LETSENCRYPT_COMMAND='/usr/local/letsencrypt/letsencrypt-auto
    -t --renew-by-default --agree-tos --webroot -w /etc/letsencrypt/webroot
    --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096'

I added --rsa-key-size 4096 but that didn’t seem to make any change.

Any ideas?


#2

The Diffie-Hellman parameters are part of the server configuration, not anything to do with the key size.
You need to generate 2048 bit params with OpenSSL
openssl dhparam -out dhparams.pem 2048
Then change the server config to use them, which depends on whether you’re using Apache or nginx.
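As an added illustration of the answer above (this is not code from the thread or from Let's Encrypt), the script below checks the size of the prime in a PEM file produced by `openssl dhparam`, reports whether it meets the 2048-bit minimum the test expects, and prints the directive that points Apache or nginx at the file. It parses the PKCS#3 `DH PARAMETERS` structure (a DER SEQUENCE of the prime and generator) directly, so it does not need OpenSSL installed; the `/etc/ssl/dhparams.pem` path is an assumed placeholder, and `encode_dh_params` only exists to build constructed sample input, not to replace `openssl dhparam`.

```python
import base64
import re
import sys

MINIMUM_BITS = 2048  # Internet.nl and current guidance treat DH-1024 as unsafe

PEM_RE = re.compile(
    r"-----BEGIN DH PARAMETERS-----\s*(.*?)\s*-----END DH PARAMETERS-----", re.S
)


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def dh_prime_bits(pem_text):
    """Return the bit length of the prime p in a PEM 'DH PARAMETERS' block."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected a DER SEQUENCE")
    tag, p_bytes, _ = _read_tlv(seq, 0)  # first element of the sequence is p
    if tag != 0x02:
        raise ValueError("expected INTEGER p")
    p = int.from_bytes(p_bytes, "big")  # a leading 0x00 pad byte does not change the value
    return p.bit_length()


def dh_is_acceptable(bits, minimum=MINIMUM_BITS):
    """True when the DH group is at least the required size."""
    return bits >= minimum


def server_directive(server, path):
    """Config line that makes the web server use the generated parameters."""
    if server == "nginx":
        return f"ssl_dhparam {path};"
    if server == "apache":  # Apache 2.4.8+ with OpenSSL 1.0.2+
        return f'SSLOpenSSLConfCmd DHParameters "{path}"'
    raise ValueError(f"unknown server: {server}")


def check_dhparam_file(path, minimum=MINIMUM_BITS):
    """Read a PEM file and return (bits, acceptable)."""
    with open(path) as fh:
        bits = dh_prime_bits(fh.read())
    return bits, dh_is_acceptable(bits, minimum)


# --- helpers for constructed sample input (not a substitute for openssl dhparam) ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_int(n):
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")  # extra byte keeps the sign bit clear
    return b"\x02" + _der_len(len(body)) + body


def encode_dh_params(p, g=2):
    """Wrap (p, g) as a PEM 'DH PARAMETERS' block; p here is a constructed, unvalidated value."""
    body = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


if __name__ == "__main__":
    # Usage: python check_dh.py /etc/ssl/dhparams.pem  (path is an assumed placeholder)
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssl/dhparams.pem"
    bits, ok = check_dhparam_file(target)
    print(f"{target}: DH-{bits} -> {'acceptable' if ok else 'too small, regenerate with 2048+'}")
    for server in ("nginx", "apache"):
        print(server + ":", server_directive(server, target))
```

Run it against the file written by `openssl dhparam -out dhparams.pem 2048`; a file that reports DH-1024 is the one the Internet.nl test is complaining about, and the certificate's RSA key size (the `--rsa-key-size` option in the first post) has no effect on it.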