How to get 'A' rated cert!?


#1

Hi

My domain is: www.harvestdata.today (this is hosted with GoDaddy).
However, I tried to create a LetsEncrypt certificate for a Linux server (Amazon Linux 2 with Apache httpd). The domain name of the server is “web.harvestdata.today” and the alias is “www.web.harvestdata.today”. Note these are FQDNs but are just the domain and alias of a Linux server!
(At that time DNS entries for these existed in records with GoDaddy, I have removed them now)

I ran this command: Do not recollect the command, but both the certificates were produced successfully. I was guided to test the certificates at www.ssllabs.com, which I did.

It produced this output:

web.harvestdata.today received a ‘T’ rating &
www.web.harvestdata.today received an ‘A’ rating !!

My web server is (include version): Apache/2.4.34

The operating system my web server runs on is (include version): Amazon Linux 2

My hosting provider, if applicable, is:

I can log in to a root shell on my machine (yes or no, or I don’t know): Yes, I have access to root.

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Not applicable

My QUERY IS:
How can I get an ‘A’ certificate for the domain name assigned to the server?

Thanks


#2

We’d need more information to be sure what went wrong.

You have a Let’s Encrypt certificate for both names, so it should have worked without issue.

It’s likely that one of the web server’s virtual hosts was configured to use a different certificate, maybe a default self-signed one.

Can you reenable the server, or post the Apache configuration?


#3

Hi @samraw003

https://web.harvestdata.today/ has a timeout, no connection. This is your T - rating.

So start your https - server.


#4

I think T in the Qualys context means “not trusted”, such as when the certificate name does not match or when there is no path to a trust anchor.

You are right that it’s currently timing out though!


#5

Hi JuergenAuer,

Thanks for kind support.

When I checked the rating on the given url at that time everything was working. As of today I have removed the certificates and reverted to an old snapshot.

Would it help if I re-enable the earlier setup?

Though I do not know how to do that as I have not kept the license files.

Regards


#6

Hi mnordhoff,

Thanks for your kind help.

I have reverted to an older snapshot of the server and have not kept the certificates. Is there any way to re-enable it on the new instance? Or do I need to generate new certificates?

Thanks and regards

Sammeer


#7

It’s impossible to find a solution if you remove your https - settings.

You have two certificates created 2018-09-28

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:true;domain:harvestdata.today&lu=cert_search

with the correct two domain names

web.harvestdata.today
www.web.harvestdata.today

If the www-version is correct, but the non-www version wrong, that looks like a small configuration error (missing web.harvestdata.today as alias of the www-version to use the same vHost and the same correct certificate).
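
The configuration error suggested in the replies above, modelled as an added example that is not part of the original thread: a small audit that reads Apache `<VirtualHost>` blocks and reports which certificate file each hostname would be served. The sample configuration and both certificate paths are constructed assumptions (the poster's configuration was never shared), all blocks are assumed to listen on `*:443`, and the Let's Encrypt certificate is assumed to cover both names.

```python
import re
from fnmatch import fnmatchcase

# Assumed path of the Let's Encrypt certificate (not taken from the thread).
LE_CERT = "/etc/letsencrypt/live/web.harvestdata.today/fullchain.pem"
# Constructed sample config, not the poster's real one: the first vhost is a
# default one with a self-signed certificate (path is an assumption).
SAMPLE_CONF = f"""
<VirtualHost *:443>
    ServerName localhost
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
</VirtualHost>
<VirtualHost *:443>
    ServerName www.web.harvestdata.today
    SSLCertificateFile {LE_CERT}
</VirtualHost>
"""
# Same config with the non-www name added as an alias of the www vhost.
FIXED_CONF = SAMPLE_CONF.replace(
    "ServerName www.web.harvestdata.today",
    "ServerName www.web.harvestdata.today\n    ServerAlias web.harvestdata.today")

def parse_vhosts(conf):
    """Return the <VirtualHost> blocks, in file order, as dicts."""
    vhosts = []
    for body in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", conf, re.S | re.I):
        vh = {"names": [], "cert": None}
        for line in body.splitlines():
            parts = line.split("#", 1)[0].split()   # drop comments
            if not parts:
                continue
            key, args = parts[0].lower(), parts[1:]
            if key in ("servername", "serveralias"):
                vh["names"] += [a.lower() for a in args]
            elif key == "sslcertificatefile" and args:
                vh["cert"] = args[0]
        vhosts.append(vh)
    return vhosts

def audit(conf, hosts):
    """Map host -> (certificate file, matched_by_name). The first vhost whose
    ServerName/ServerAlias matches wins; otherwise the first vhost is used."""
    vhosts, result = parse_vhosts(conf), {}
    for host in hosts:
        hit = next((v for v in vhosts
                    if any(fnmatchcase(host.lower(), n) for n in v["names"])), None)
        result[host] = ((hit or vhosts[0])["cert"], hit is not None)
    return result

if __name__ == "__main__":
    for label, conf in (("before", SAMPLE_CONF), ("after", FIXED_CONF)):
        print(label, audit(conf, ["web.harvestdata.today", "www.web.harvestdata.today"]))
```

A hostname reported with `matched_by_name` set to `False` is being answered by the default virtual host, so a scanner sees whatever certificate that host carries.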


#8

Hi @JuergenAuer

Thanks again.

So, with the certificates now lost what should I do?

Regards


#9

Then install it again.

PS:

How to get ‘A’ rated cert!

This question is wrong. A certificate has no A-rate. A running https - service can have an A-rate (defined via SSLLabs).


#10

When you say install it again- it means I need to again set it up and apply for a new certificate?

Your point on ‘A’ rated certificate vs a service is noted! :)! I was totally unaware of it, that’s why I removed it in a hurry.

Thanks a ton for your guidance and support!

Regards


#11

If you’ve deleted the cert, then yes, you need to create a new one.


#12

Hi @danb35

Thanks a lot!

Regards

