Hi everybody
I run Debian stable and Apache 2.2. After the certificate renewal something went wrong, and I'm currently stuck trying to get key pinning back to work and access my site.
That's what I have in my vhost configuration:
# SSL Stapling
SSLUseStapling on
SSLStaplingReturnResponderErrors off
SSLStaplingResponderTimeout 5
This is in ssl.conf:
SSLUseStapling On
SSLStaplingReturnResponderErrors off
SSLStaplingResponderTimeout 5
SSLStaplingFakeTryLater on
SSLStaplingCache "shmcb:${APACHE_RUN_DIR}/ssl_stapling_cache(256000)"
SSLSessionCache "shmcb:${APACHE_RUN_DIR}/ssl_session_cache(1024000)"
SSLOCSPEnable on
SSLOCSPResponseMaxAge 900
SSLOCSPResponseTimeSkew 300
The actual Public-Key-Pins header in etc/apache2/conf-enabled/security.conf is:
Header always set Public-Key-Pins "pin-sha256=\"z/Xe4Trd7UXr4XchpALhN6NF8TVhWF2aYpcG/L1XgLg=\"; pin-sha256=\"foCPjKncmc49lKun2CkK+GOrlq8GTyVIb7T6mHRkQ+4=\"; max-age=604800"
The first pin was taken from Let's Encrypt Authority X3 chain.pem using this command:
Tests on SSL Labs (globalsign.ssllabs) gave an A+ for my server.
I don't see errors or warnings, and I cannot access my site with Firefox or Chrome (Midori does).
Hope I can get help on this.
Good night
tcpreset.net loads fine for me in both Chrome and Firefox.
What is the precise SSL error you are getting? This is the NET::ERR string shown by Google Chrome in small gray text, or the Technical Details section shown by Firefox.
Usually Chrome and Firefox automatically work around this misconfiguration, which is why I didn’t notice it at first, but it is probably the cause of your issue.
You can add a name to your existing certificate with the --expand option, e.g.:
Hi,
At the time of writing, my laptop, which runs Linux Mint 18.3 Sylvia, has Chromium giving this error: NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN
Firefox right now started working again.
Maybe the pinning was done incorrectly before and your browser has the old pin cached?
Can you reproduce the issue with a fresh profile? (You can use Chromium’s multiple users feature, a new Linux user account, or just mv ~/.config/chromium ~/.config/chromium.backup)
Please speak about which files they were pinned from.
ALSO...
SSLLABS shows these two:
pin-sha256: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
pin-sha256: foCPjKncmc49lKun2CkK+GOrlq8GTyVIb7T6mHRkQ+4=
Which don't match/include the new cert pin:
pin-sha256: z/Xe4Trd7UXr4XchpALhN6NF8TVhWF2aYpcG/L1XgLg=
On a positive note...
I like that the site has:
HSTS
CAA
4096 RSA cert
TLSv1.2 only
HPKP (temp misconfigured)
Where you could make some quick and effective improvements:
Add ECDSA 384 cert support and prefer that over the RSA cert
Include CHACHA20-POLY1305 cipher (for both certs)
order the default "Supported Named Groups" (curves) from best to worst (for Apache try: SSLOpenSSLConfCmd Curves sect571r1:sect571k1:secp521r1:sect409r1:sect409k1:secp384r1:brainpoolP512r1:brainpoolP384r1:brainpoolP256r1:sect283r1:sect283k1:secp256k1:prime256v1)
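An added example (my own code, not from anyone in this thread) that computes a pin-sha256 the same way the usual openssl pipeline does and then checks a Public-Key-Pins header value against the pins present in a served chain, using the pin values quoted above; the Ed25519 public key is a constructed placeholder, not a real key.

```python
"""Compute HPKP pin-sha256 values (what `openssl x509 -pubkey` piped into
`openssl dgst -sha256` produces) and check a Public-Key-Pins header
against the pins actually present in the served certificate chain."""
import base64
import hashlib
import re


def pin_from_der(spki_der: bytes) -> str:
    """pin-sha256 is base64(SHA-256(DER SubjectPublicKeyInfo)) per RFC 7469."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def pin_sha256(pubkey_pem: str) -> str:
    """Pin from a PEM public key, e.g. `openssl x509 -in cert.pem -noout -pubkey`."""
    body = "".join(line for line in pubkey_pem.strip().splitlines()
                   if not line.startswith("-----"))
    return pin_from_der(base64.b64decode(body))


def parse_pkp_header(value: str) -> dict:
    """Split a Public-Key-Pins header value into its pins and max-age."""
    pins = re.findall(r'pin-sha256="([^"]+)"', value)
    age = re.search(r"max-age=(\d+)", value)
    return {"pins": pins, "max_age": int(age.group(1)) if age else None}


def check_pins(header_value: str, chain_pins: list) -> dict:
    """Mirror the browser's decision: the connection passes only if at least
    one pinned key is in the served chain (otherwise Chrome reports
    NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN). RFC 7469 also requires a
    backup pin that is NOT in the chain before the header is accepted."""
    pins = parse_pkp_header(header_value)["pins"]
    matched = [p for p in pins if p in chain_pins]
    backup = [p for p in pins if p not in chain_pins]
    return {"matched": matched, "backup": backup,
            "chain_ok": bool(matched),
            "header_valid": bool(matched) and bool(backup)}


# Constructed sample: an Ed25519 SubjectPublicKeyInfo with placeholder key bytes.
SAMPLE_SPKI_DER = bytes.fromhex("302a300506032b6570032100") + bytes(range(32))
SAMPLE_SPKI_PEM = ("-----BEGIN PUBLIC KEY-----\n"
                   + base64.b64encode(SAMPLE_SPKI_DER).decode()
                   + "\n-----END PUBLIC KEY-----\n")

if __name__ == "__main__":
    print(pin_sha256(SAMPLE_SPKI_PEM))
    hdr = ('pin-sha256="z/Xe4Trd7UXr4XchpALhN6NF8TVhWF2aYpcG/L1XgLg="; '
           'pin-sha256="foCPjKncmc49lKun2CkK+GOrlq8GTyVIb7T6mHRkQ+4="; '
           'max-age=604800')
    print(check_pins(hdr, ["YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=",
                           "foCPjKncmc49lKun2CkK+GOrlq8GTyVIb7T6mHRkQ+4="]))
```

Feed it the pins SSL Labs reports for the chain and the header value from security.conf to see which configured pin the served chain actually satisfies and which one is only acting as a backup.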