you mean:
“cat /tmp/lets-encrypt-x1-cross-signed.pem >> /etc/letsencrypt/live/anzahcloud.de/cert.pem”
then my apache crash
Ok, what about specifying the original cert in Apache and using the solution in the topic linked above?
sorry dont understand what you mean
cat /tmp/lets-encrypt-x1-cross-signed.pem >> /etc/letsencrypt/live/anzahcloud.de/cert.pem has modified your cert in /etc/letsencrypt/live/anzahcloud.de/cert.pem. So you should either:
- restore a backup,
- delete the LE X1 cert (separated by
-----BEGIN/END CERTIFICATE-----) blocks from your cert; it should be the most bottom such block - just re-get the cert (re-run
letsencrypt)
I was referring to this solution: add SSLCertificateChainFile /etc/letsencrypt/lets-encrypt-x1-cross-signed.pem (or similar) to your Apache conf.
1 Like
i know, i have rollback the /etc/letsencrypt/live/anzahcloud.de/cert.pem, thats not the problem, it was only a information;
ok i have write it in my conf and now i have a valid cert, only the ssl test is confused “Prefix handling Not valid for “www.anzahcloud.de” CONFUSING”
<IfModule mod_ssl.c>
<VirtualHost 176.9.90.67:443>
ServerName anzahcloud.de
ServerAdmin tealk@anzahcraft.de
DocumentRoot /var/www/owncloud/
<Directory /var/www/owncloud/>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
Allow from all
Satisfy Any
</Directory>
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder on
SSLCompression off
ServerSignature Off
SSLCertificateFile /etc/letsencrypt/live/anzahcloud.de/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/anzahcloud.de/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/lets-encrypt-x1-cross-signed.pem
</VirtualHost>
</IfModule>Did you run letsencrypt with -d anzahcloud.de -d www.anzahcloud.de for this certificate?
1 Like
no only with -d anzahcloud.de
Well, try it with both domains specified - should yield a SAN cert.
ok looks like it run, and i only need 1 apache.conf for www.anzahcloud.de and anzahcloud.de is included?
Yeah, if your cert includes both www and non-www, one apache config file will do the thing.
I recommend you read this if you want to configure strong SSL: https://books.google.com/books?id=fQOLBAAAQBAJ&lpg=PA317&ots=sFfqVNEdG4&dq=Bulletproof%20SSL%20and%20TLS%20download&hl=fr&pg=PA477#v=onepage&q&f=false
Also, https://cipherli.st/ might be useful later if you need to configure SSL over Dovecot, postfix, or other.
1 Like