Okay. Yeah, I have no idea how I can check what my server is offering.
And actually I only want to offer https at this moment, because some html5 options (in for example Chrome) are not working, because you have to use https for that. And I am using the html5 things not for private communication, but public. But now I am busy with it anyway, so probably I will also use it by default on websites later on.
I also don’t understand why Google is “saying” that https is a ranking factor and all websites should have it. Some websites only have public information on them. So what’s the advantage of https in that case? The website will be a bit slower and the information is public anyway?
Public or not, a third-party upper-case acronym (ahem PRISM ahem) might find it interesting that Guy X reads some public info about chemicals for, oh I don’t know, agriculture… 1+1=2 or not
Or think about this: you’re reading a public info book and some random dude on the bus takes note of your page number, is that nice?
@Licaon_Kter: Thanks for explaining. With those kinds of examples it makes more sense.
Is there somewhere some documentation on how to generate DHParams on a local machine?
See the SSL Labs link I provided.
@Osiris: Thanks for adding the link in that post. But I think first I need to finish the install of the certificate before I can run SSL Labs?
I was already running it now, but my plan is anyway to first update the server, because they were saying here that I have a pretty old server (CentOS 5.5). I already had contact with my host about that. But for now I am already practising installing the certificates.
But now it’s an F:
This server supports insecure Diffie-Hellman (DH) key exchange parameters (Logjam). Grade set to F.
This server supports 512-bit export suites and might be vulnerable to the FREAK attack. Grade set to F.
This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C.
Certificate has a weak signature and expires after 2015. Upgrade to SHA2 to avoid browser warnings.
The server supports only older protocols, but not the current best TLS 1.2. Grade capped to C.
The server private key is not strong enough. Grade capped to B.
This server accepts RC4 cipher, but only with older protocol versions. Grade capped to B.
The server does not support Forward Secrecy with the reference browsers.
This server supports TLS_FALLBACK_SCSV to prevent protocol downgrade attacks.
Logjam isn’t your only issue here. Good luck with hardening your TLS, it’s actually quite interesting stuff… I’ve read a lot about cipher suites, all the different parts that play a role, how everything works, the connection, handshake, certificates, all very interesting. And with that info you’ll know how to fix your server.
Probably when the server is updated there are already fewer errors, but then I am going to check it again and also after installing letsencrypt. Thanks for your help! I will read and learn about it later on.
Meanwhile I am making progress with letsencrypt. After running:
openssl dhparam -out dhparam.pem 4096
a couple more times it worked. So I am at the last part of the last step. Doing:
What I don’t understand now is:
In the documentation they are saying:
Copy and paste both the below domain certificate and the below intermediate certificate into the same text file called “chained.pem”.
So in /etc/ssl/certs/ there are only the following files:
But now they want me to link to domain.crt and intermediate.pem
It’s not there. Is that not a problem, or is that a fault in the documentation? What do I do now?
I don’t know where your documentation comes from (that gethttpsforfree site again?), but your certificates are to be found in /etc/letsencrypt/live/yourdomain/ and you’ll need cert.pem (SSLCertificateFile), chain.pem (SSLCertificateChainFile) and privkey.pem (SSLCertificateKeyFile). That’s for the official client of course… Well, that site would have given you your certificate. So it somehow has provided you with domain.crt… It’ll be where you saved it. The intermediate you can find at https://letsencrypt.org/certificates You’ll need the IdenTrust cross-signed X1 Intermediate.
Also, I don’t think the ServerName directive should contain the “:443” part.
Slowly I am going crazy with it ;). I am indeed following https://gethttpsforfree.com/ step by step (exactly), because that’s the only “tutorial” where they make it a little bit understandable for “newbies” like me.
On that website they are not talking about domain.crt… it’s just coming out of nothing in the last step. They are giving me 2 certificates at the end: the signed one and the intermediate one. They are saying that I have to put the 2 certificates in one file called chained.pem.
And then again at the end they come up with “/etc/ssl/certs/intermediate.pem” out of nothing. They only said that I had to put that intermediate certificate in the chained.pem file and they did not talk about putting it in intermediate.pem or something??
So about domain.crt they were also not saying anything before, so I saved it nowhere, because there was nothing about it in the documentation of https://gethttpsforfree.com
From the looks of it you actually understand it quite a bit. An additional small hint: the two certificates you’ve received to make the chain.pem… guess what you can do with those
openssl dhparam -out dhparams.pem_XXXX XXXX
(where XXXX is 2048/3072/4096/6144/...) and at the end concatenate them in a big file and set it up in your config.
@Licaon_Kter: Thanks for letting me know.
@Osiris: Yeah, now I know just a little bit of it, because every time something did not work, I was reading about it. But before I started with it I had to download PuTTY, so that says enough. Probably the documentation at https:// gethttpsforfree .com is not correct. But probably I must put the intermediate certificate in intermediate.pem and the other certificate in the domain.crt file? Or what do I have to put in the domain.crt file? Because just out of logic I would expect that the files of the 2 certificates should have the same extension…
I can not use the website https:// gethttpsforfree .com on this forum, because of some spam thing or something, but I have nothing to do with that website and that’s the only website with documentation I understand a little bit. I don’t understand it? That kind of website can only exist because the documentation of letsencrypt.org itself is not readable for people like me. Otherwise someone would not start a website like that. Why is “Letsencrypt” not seeing that as a sign to change or make their own documentation better or easier to use, instead of seeing me as a spammer? Someone posted the URL in this topic and it was pretty useful for me.
It doesn’t matter how the files are called or what extension they have, as long as you refer to the right file at the right location in your configuration file.
Thanks! So I can put that other certificate in the domain.crt file without a problem?
The site would have given you THE certificate for your site. No clue what you mean with “other certificate” exactly… An intermediate certificate is not as important. You can just as well download this from this page. (You’ll need the IdenTrust cross-signed Let’s Encrypt Authority X1 certificate.)
I have no clue how that site would have told you which certificate is which, but if you were smart, you saved every certificate and every file the site gave you somewhere on your drive/server/wherever… Of course you can analyse each certificate subsequently…
openssl x509 -noout -text -in /path/to/certificate/file and you’ll get all the info. Look what comes after the section
X509v3 Subject Alternative Name:. There you’ll find your list of domain names you’ve specified. Or you won’t find it at all if you’re looking at the intermediate Then you’ll see something like
Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3 and
Subject: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X1
Yeah, I saved everything and every file ;). There are not really 2 certificates, but what I was saying was coming from:
How to install https on nginx or apache:
1. Copy and paste both the below domain certificate and the below intermediate certificate into the same text file called “chained.pem”.
So actually they are saying 2 certificates (domain and intermediate), so that’s why I also said 2.
Now it’s bedtime in the Netherlands ;), but tomorrow I am going to play with the rest of the things you were saying. For now, thanks already for that!
The domain certificate is your certificate, so to speak. The important one. The public key it contains is paired with the private key you’ve generated before. And it’s signed with the private RSA key from the intermediate certificate (which is very private, somewhere in a secure place at Let’s Encrypt ;)).
You’ll have to provide clients with both certificates to make a full certificate chain, otherwise clients can and/or will complain and/or give errors about an insecure site. Although the domain certificate is somewhat the most important one, clients will need the public key from the intermediate certificate to verify the domain certificate, as they only have root certificates in their certificate store, not the intermediates.
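To make the chain concrete, here is an added example (not code from this thread, from gethttpsforfree or from Let’s Encrypt): a throw-away script that builds its own toy root, intermediate and domain certificate with openssl, concatenates the domain certificate and the intermediate into chained.pem the way the tutorial describes, and then checks what a client that trusts only the root makes of it. Every name in it (Toy Root CA, Toy Intermediate, www.example.test, the file names under a temp directory) is made up for the demo; the real intermediate is the Let’s Encrypt Authority X1 certificate linked above, which you never generate yourself.

```shell
#!/bin/sh
# Added example (not from the thread): build a throw-away three-level chain
#   Toy Root CA  ->  Toy Intermediate  ->  www.example.test
# and show that a client which trusts only the root accepts the domain
# certificate only when the intermediate is sent alongside it. That is what
# chained.pem / SSLCertificateChainFile is for. All names are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# issue <name> <subject> <extfile> [<issuer-name>]
# Makes a key + CSR, then signs the CSR with the issuer's key. Without an
# issuer the certificate is self-signed (that is the root).
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
    if [ $# -lt 4 ]; then
        openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
            -days 3650 -extfile "$3" -out "$WORK/$1.pem" >/dev/null 2>&1
    else
        openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$4.pem" \
            -CAkey "$WORK/$4.key" -CAcreateserial -days 365 \
            -extfile "$3" -out "$WORK/$1.pem" >/dev/null 2>&1
    fi
}

# Extension files: CAs may sign certificates, the leaf may not, and only the
# leaf carries a subjectAltName (the thing to look for when sorting files).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$WORK/leaf.ext"

issue root  "/O=Toy CA/CN=Toy Root CA"      "$WORK/ca.ext"
issue inter "/O=Toy CA/CN=Toy Intermediate" "$WORK/ca.ext"   root
issue leaf  "/CN=www.example.test"          "$WORK/leaf.ext" inter

# What the tutorial calls chained.pem: domain certificate first, then the
# intermediate, in one file. The root is NOT included; clients already have it.
cat "$WORK/leaf.pem" "$WORK/inter.pem" > "$WORK/chained.pem"

# has_san <cert>: succeeds if the certificate lists domain names (a domain
# certificate); fails for an intermediate or a root.
has_san() {
    openssl x509 -noout -text -in "$1" | grep -q 'Subject Alternative Name'
}

# verify_leaf <file-with-extra-certs>: emulate a client whose trust store
# holds only the root; the extra certs are what the server sent along.
verify_leaf() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$1" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Server sends domain certificate + intermediate: client can build the chain.
chain_verifies()      { verify_leaf "$WORK/chained.pem"; }
# Server sends only its own certificate: client cannot reach the root.
leaf_alone_verifies() { verify_leaf "$WORK/leaf.pem"; }
```

Run it and then call chain_verifies and leaf_alone_verifies: the first succeeds, the second fails with “unable to get local issuer certificate”, which is the same complaint a browser makes when a server sends only its own certificate. has_san is the trick Osiris describes for telling the two files apart: only the domain certificate carries a Subject Alternative Name. With the official client the same two pieces are cert.pem and chain.pem under /etc/letsencrypt/live/yourdomain/; since Apache 2.4.8 SSLCertificateFile also accepts the concatenated chain, which is why tutorials have you build one chained.pem.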
Thanks! It worked. And thanks for the other explanation. This evening or tonight I am going to try to finish the last piece. I will let you know here if everything works.
Still busy with it ;). First I have to upgrade the server anyway, because for all my domains I have only one IP address and SNI is not supported at the moment. So I can not arrange a certificate for a specific domain.
Already one more question. Do you always have to take action after 3 months to “renew” the certificate or is there already automatic support for it?
You will need to take action (although you can have an automatic script / cron job take that action for you).