So great work on the concept itself. IMHO everybody running a website nowadays needs to feel safe and secure in doing so.
To the point: I have everything up and running and get the green padlock on my website showing me it's working. I used this generator (https://gethttpsforfree.com/) to get it all working and almost everything works like a charm.
Issue1 nvexx.nl -> when I click the green padlock on my website it's telling me that it's using an old cipher? However bluehost itself shows me (putty) that they do support all ciphers ( openssl ciphers -v "SSLCipherSuite !aNULL:!eNULL:!EXPORT:!DSS:!DES:!SSLv2:RC4-SHA:RC4-MD5:ALL" )
shows me: SSL verification issue (Possibly mis-matched URL or bad intermediate cert.). Details: ERROR: cannot verify nvexx.nl’s certificate, issued by ‘/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X1’: Unable to locally verify the issuer’s authority.
I hope someone can point me in the right direction. Like I said the site does show the padlock and gives the all green/go in chrome. It’s just the two verification websites show me something is wrong somewhere.
EDIT1
running openssl s_client -connect ww*.nvexx.nl:443
shows several errors (stripped www from below because of spam protection?)
CONNECTED(00000003)
depth=0 CN = ww*.nvexx.nl
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = ww*.nvexx.nl
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = ww*.nvexx.nl
verify error:num=21:unable to verify the first certificate
verify return:1
Hi tlussnig, I don't have chain or pem files. Bluehost has a TLS/SSL manager that takes care of it all. I just entered the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- parts and the crt files get generated for me. So to complete the chain I need to copy & paste both into 1 crt?
EDIT1: so in short I can't make a chained crt myself as I can only make 1 crt file at a time. Trying to chain them into one crt file can't be done from the control panel. I can however do it via FTP.
When you created your certificate using gethttpsforfree, at the end you saw two certificates: Signed Certificate, which is the certificate for your domain(s), and Intermediate Certificate, which is the certificate for the Let's Encrypt CA.
If your hosting company doesn't provide a field to upload the CA cert, then you should upload both of them using the cert field, so you need to concatenate your cert file and, after that, the Let's Encrypt CA certificate, and you will get this:
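As an added example that is not part of the thread (and not gethttpsforfree.com's own tooling), the following POSIX shell script uses the openssl CLI to build a throwaway demo PKI (a root, an intermediate standing in for the Let's Encrypt intermediate, and a leaf for the made-up name www.example.test, all constructed on the spot, no real certificates involved), reproduces the "unable to get local issuer certificate" failure from EDIT1 by verifying the leaf on its own, then concatenates leaf and intermediate in the order a web server expects and verifies again. It also emulates a control-panel field that stops at the first -----END CERTIFICATE----- line, so a truncated upload can be recognised from the command line. File names (domain.crt, intermediate.pem, chained.crt) are assumptions chosen to match the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed demo PKI: Demo Root ->
# Demo Intermediate -> www.example.test. Requires the openssl CLI.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Extensions that make a certificate a real CA; without basicConstraints
# CA:TRUE openssl refuses to use the intermediate as an issuer.
cat > ca.ext <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
# Extensions for an ordinary TLS server certificate.
cat > leaf.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF

build_demo_pki() {
  # Self-signed root: stands in for the root in the browser's trust store.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root" \
    -keyout root.key -out root.csr >/dev/null 2>&1
  openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext \
    -out root.crt >/dev/null 2>&1
  # Intermediate signed by the root: stands in for "Let's Encrypt Authority X1".
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
    -keyout inter.key -out inter.csr >/dev/null 2>&1
  openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 2 -extfile ca.ext -out intermediate.pem >/dev/null 2>&1
  # Leaf for the site, signed by the intermediate: the "Signed Certificate".
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout domain.key -out domain.csr >/dev/null 2>&1
  openssl x509 -req -in domain.csr -CA intermediate.pem -CAkey inter.key \
    -CAcreateserial -days 2 -extfile leaf.ext -out domain.crt >/dev/null 2>&1
}

# Count PEM certificate blocks in a file: a correctly chained file has 2
# (leaf, then intermediate); a field that truncates at the first END line leaves 1.
count_certs() {
  grep -c -- '-----END CERTIFICATE-----' "$1"
}

# Build chained.crt the way a web server wants it: leaf first, its issuer after.
make_chain() {
  cat domain.crt intermediate.pem > chained.crt
}

# Emulate the control-panel behaviour reported in the thread: everything after
# the first END line is dropped, so only the leaf survives.
emulate_panel_truncation() {
  sed '/-----END CERTIFICATE-----/q' chained.crt > truncated.crt
}

# A verifier that trusts only the root, like a browser. With just the leaf,
# openssl reports "unable to get local issuer certificate" (error 20).
verify_leaf_only() {
  openssl verify -CAfile root.crt domain.crt >/dev/null 2>&1
}
# Same verifier, but the intermediate is supplied the way a server would send it.
verify_with_intermediate() {
  openssl verify -CAfile root.crt -untrusted intermediate.pem domain.crt >/dev/null 2>&1
}

# Print the subjects in a chain file in file order, so a wrong order
# (intermediate before leaf) is visible at a glance.
list_chain_subjects() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout | grep '^subject='
}

build_demo_pki
make_chain
emulate_panel_truncation
echo "certificates in chained.crt:   $(count_certs chained.crt)"
echo "certificates in truncated.crt: $(count_certs truncated.crt)"
verify_leaf_only && echo "leaf alone: OK" || echo "leaf alone: FAILS (intermediate missing)"
verify_with_intermediate && echo "leaf + intermediate: OK"
list_chain_subjects chained.crt
```

Against a live server the equivalent check is `openssl s_client -connect www.example.com:443 -showcerts`: if only one certificate is printed, the intermediate was not installed, and that is exactly the state in which browsers with a cached intermediate show a padlock while SSL Labs and wget report a broken chain.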
I followed the instructions. The problem is I can't upload it like above. If I enter it like this (chained) it only picks one, like it cuts off at the -----END CERTIFICATE----- part.
I can however change it via FTP and alter the CRT to contain both.
To make things clear, my host does support uploading a crt / copy & pasting the above, but only 1 part at a time. I can try to make my own crt file with both certificates in it to try and upload it as one.
I'll get back on this asap. Thanks for the response/help.
EDIT1:
So I just tried to make a new crt file www.nvexx.nl.crt with the above code. Yet it cuts off at the first -----END CERTIFICATE-----, so it doesn't get the 2nd part from Let's Encrypt (Intermediate Certificate).
EDIT2:
The main problem I’m facing is that I can’t access the webserver config.
<VirtualHost _default_:443>
ServerName foo.com:443
ServerAlias www.foo.com
DocumentRoot /var/www/foo.com/html
SSLEngine on
SSLCertificateFile /etc/ssl/certs/domain.crt
SSLCertificateKeyFile /etc/ssl/private/domain.key
SSLCertificateChainFile /etc/ssl/certs/intermediate.pem
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA
SSLHonorCipherOrder on
<Directory /var/www/foo.com/html>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
</VirtualHost>
So, your hosting doesn't allow you to upload a chained cert, your hosting doesn't allow you to upload your domain cert plus an intermediate cert, your hosting doesn't allow you to change your site web config… maybe you should try to find a new hosting company.
Did you contact your hosting provider to find out what the right procedure is to upload a cert and the intermediate cert? If the answer you get from them is "you can't" then, please, move your site to another hosting provider.
My hosting does allow to upload my domain cert
My hosting does allow to upload the intermediate cert
My hosting does “Not” allow me to upload/enter a chained cert
Then I can't see the problem; if your hosting allows you to upload the cert and the intermediate cert there should be no problem at all, you don't need to upload a chained cert.
I'm lost as well. All I can see is that https://www.ssllabs.com/ssltest/analyze.html?d=nvexx.nl
still shows the chain is broken. Bluehost has installed the crt for me now, but looking at the FTP it's the same setup; the only difference is that the SSL/TLS manager produced the following files for me:
It seems that when the random part of the file name disappears, it is because your hosting included it in your apache conf, so they didn't process the Intermediate Cert yet.
In apache 2.2 and apache 2.4 (till version 2.4.8) they should use these directives to configure your certs:
From Apache 2.4.8, the SSLCertificateChainFile directive is deprecated (you can still use it if you want, but it will disappear in future versions), so you need to put the cert and the intermediate cert concatenated in the same file using the directive SSLCertificateFile:
Since you have no control about this config, the only thing you can do is wait for your hosting support answer because they are the only ones to config your site properly.
is the naming setup they use. Just spent another 45 minutes on live chat with them and they managed to fix it. Green padlock on mobile / desktop and no more broken chain.
Thanks for taking the time to explain. I gave them a link to your page/answer maybe it helped in making things more clear for them while I was chatting with support.
To get A+ you need to add the HSTS header in apache, something like this:
Header always set Strict-Transport-Security "max-age=17280000"
But as I said, this is something that should be configured in apache and I don't know if you can do that without the support of bluehost. By the way, keep in mind that once this header is set, after the first time a browser reaches your https site it will try to connect directly to the https:// version next time, even if the browser's address bar specifies http://, so maybe that is something you don't like.
I already have it enabled (just now) via the htaccess with
<IfModule mod_headers.c>
Header set Strict-Transport-Security "max-age=10886400; includeSubDomains; preload"
</IfModule>
For HSTS Preloading to work I have to get added to the list maintained by Chrome? The way I have set up the websites, also for clients, everything will be https://www.*domain
Using https:// is the future and most secure so I won't be going back to http:// at all.
Only other thing I can think of is the "Cipher Strength", as when I click on the green padlock on my website/domain it tells me an old/deprecated Cipher is used?
I was planning on a short how to but this is a great start https://gethttpsforfree.com/ <- I used this setup/generator to get the certificates.
In essence it comes down to renaming the domain.crt and intermediate.pem to
www.*yourdomain.com.crt <- domain.crt
www.*yourdomain.com.cabundle <- intermediate.pem
And putting them in the /ssl/certs folder via FTP
In the bluehost CPanel you can use the SSL/TLS Manager for
Private Keys (KEY) Generate, view, upload, or delete your private keys.
This is good. Thanks for the quick reply. I've been down this path before, so even this short answer is good for me. I'm typing in the info for https://gethttpsforfree.com/ now.
I signed my own certificate a while back (I'm cheap), so I'm looking forward to swapping it out for one that doesn't give scary messages to my visitors.
Keep in mind that to get A+ the max-age should be at least 180 days (15552000), you used 10886400 (120 days) so you won't get A+.
Yes, you should add it to the list, but check carefully the requirements.
> Only other thing I can think of is the "Cipher Strength", as when I click on the green padlock on my website/domain it tells me an old/deprecated Cipher is used?
I see that your site still has SSL2 activated but doesn't offer any cipher for it, strange. Anyway, you should modify the cipher list offered by apache; on this page you will get conf examples for different web servers, versions and the type of cipher suite you want (modern, intermediate & old).
Hi, I am also a Bluehost user and am attempting to set up SSL on my site. How did you get the public key? I can not find it in cPanel and it gives me an error via SSH.
OpenSSL> rsa -in account.key -pubout
Error opening Private Key account.key
140100725749576:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('account.key','r')
140100725749576:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load Private Key
error in rsa
Any help would be much appreciated…
Update:
I reached out to BlueHost and they said that they do not provide a Public key, but https://gethttpsforfree.com/ does now allow you to proceed with only a Certificate Signing Request. How did you bypass this?