How to improve SSL labs grade and automate renewal?


#1

I am developing a website on https://cabulb.xyz/, my hosting provider is on https://www.hostinger.co.uk/. My provider runs Apache/2.4 and PHP 5.5

Currently I am using a PHP acme client to issue and renew certificates for my domain (https://github.com/kelunik/acme-client/), it’s pretty simple so far, the only downside is I don’t know how to automate the process so I have to ssh and run these commands once every 3 months or so:

cd public_html/acme-client
bin/acme issue --domains cabulb.xyz --path /home/u233484638/public_html --server letsencrypt

then I copy my cert.pem and key manually to update them on my cpanel.

I recently found out about SSL labs and received a B grade (https://www.ssllabs.com/ssltest/analyze.html?d=cabulb.xyz&hideResults=on) for my domain, this is causing some issues with plugins I use that utilises wp cdn, I need to improve the grade to A in order for them to work correctly. How do I do this through the acme client I have? If possible can I automate the process? (I have access to cron jobs)

Note I have limited knowledge of how SSL works beyond knowing what certificates, keys and CA are, so any explanation is appreciated!

edit: I noticed I am getting

Chain issues Incomplete

on SSL labs, was this caused by deleting older certificates on the cpanel and how do I fix it?


#2

I’ve never heard that before.
Nevertheless, to improve your SSLLabs grade you need to include the intermediate cert with the public cert.
Or just use the fullchain.pem instead of the cert.pem file.
You may also want to drop all the WEAK ciphers.


#3

Thanks rg305 for the quick solution, I fixed the incomplete chain problem now and received a grade A. I think this should be good enough. How do I drop all weak ciphers?


#4

Hi,

I don’t think you can define server ciphers if you are only cPanel user not a admin.

I believe if you use their plan (but not Business), you can only upload cPanel to certificate manually.
Business seems to have free TLS Certificate.

Thank you


#5

Ok then, I only have a standard plan on hostinger so I will stick to uploading the certificate and key manually, but is it possible to automate the renewal process with a cron job for example?


My web host does not support Let's Encrypt, but says I can install manually via cPanel... help!
#6

The easiest way to automate renewal with CPanels that don’t support Let’s Encrypt is to use the acme.sh CPanel UAPI integration:

https://github.com/Neilpang/acme.sh/wiki/Simple-guide-to-add-TLS-cert-to-cpanel


#7

Huh, maybe we should write a cPanel installer plugin in Certbot using this method! (Although I fear that its existence might trick some users into not using the built-in cPanel Let’s Encrypt support that they have.) acme.sh really pioneers a lot of great features.


#8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.