[SOLVED] Unverified SSL (Nginx)


#1

Hi,

I have my own server (no panel) and use Nginx + dhparam etc.

I got my new .pem

Congratulations! Your certificate has been saved at
/xxx/xxx/cert.pem and will expire
on 2016-01-21. To obtain a new version of the certificate in the
future, simply run Let’s Encrypt again.

But I can’t figure out how to use it with dhparam. Here’s my actual ssl.conf

###
# SSL Settings
###
ssl_protocols              TLSv1.2;

ssl_dhparam /etc/nginx/ssl/dhparam.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256$
ssl_prefer_server_ciphers  on;

ssl_session_cache    shared:SSL:3m; # a 1mb cache can hold about 4000 sessions, so we can hold 40000 sessions
ssl_session_timeout  12h;

add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";

ssl_certificate /etc/nginx/ssl/ssl.crt;
ssl_certificate_key /etc/nginx/ssl/ssl.key;

Any kind help would be appreciated :smile:

Thanks!


Does the LE client also care for the Diffie-Hellman keys?


#2

The Diffie-Hellman parameters should be entirely independent of the certificate; if you have an existing dhparam.pem that is valid, you shouldn’t need to change it. You should only need to change the ssl_certificate and ssl_certificate_key lines to refer to the location of the certificate and key that were provided by the Let’s Encrypt software.


#3

Well my prob is I got an error using those certs.

This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox only connect to it securely. As a result, it is not possible to add an exception for this certificate.

xxx.org uses an invalid security certificate.

The certificate is not trusted because the issuer certificate is unknown.
The server might not be sending the appropriate intermediate certificates.
An additional root certificate may need to be imported.

(Error code: sec_error_unknown_issuer)

Yes, there is the HSTS thing I’ll have to manage too, but I also think FF (41.0.2 Linux) doesn’t trust the issuer.


#4

Did you change those values? Should be something like /etc/letsencrypt/live/www.example.com/fullchain.pem and /etc/letsencrypt/live/www.example.com/privkey.pem.


#5

Yep, it’s okay. It seems I’m a bit tired (…); my only prob is HSTS.


#6

What’s the problem with HSTS?


#7

I didn’t change max-age. It’s now okay.

BTW strange joke about the issuer name…

But it seems to be all good: https://tls.imirhil.fr/https/upandclear.org

Thanks for help guys! And thanks for Let’s Encrypt :smile:


#8

Your certificate isn’t trusted; you’re probably using the wrong Let’s Encrypt server if you have been whitelisted.


#9

Yeah, I received my BETA email. How do I select another server?

I updated it this way: ssl_certificate /etc/letsencrypt/live/upandclear.org/fullchain.pem;
But it doesn’t seem to change anything.

My bad, it’s ok… I didn’t use the provided server.
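The "unknown issuer" error in #3 and the fullchain.pem advice in #4 and #9 both come down to whether the server sends the intermediate certificate. The script below is an added example (not from the thread, not Let's Encrypt or nginx code): it builds a throwaway root -> intermediate -> leaf hierarchy with openssl, then checks a PEM file the way a browser that trusts only the root would, so that cert.pem fails and fullchain.pem passes. All file names, CNs and keys are constructed for the test; it assumes openssl, awk and mktemp on PATH.

```shell
#!/bin/sh
# Added example, not from the thread: requires openssl on PATH.

# check_chain FILE ROOT: succeed when the first certificate in FILE chains to
# a root in ROOT using only the other certificates in FILE as intermediates,
# which is exactly what a browser trusting only ROOT gets to work with.
check_chain() {
  chain=$1 root=$2
  leaf=$(mktemp) inter=$(mktemp)
  # nginx wants the leaf first, then the intermediates, in one PEM file
  awk -v leaf="$leaf" -v inter="$inter" \
    '/BEGIN CERT/ { n++ } { print > (n == 1 ? leaf : inter) }' "$chain"
  if [ -s "$inter" ]; then set -- -untrusted "$inter"; else set --; fi
  openssl verify -CAfile "$root" "$@" "$leaf" >/dev/null 2>&1
  rc=$?
  rm -f "$leaf" "$inter"
  return $rc
}

# make_pki DIR: constructed test hierarchy root -> inter -> leaf (throwaway
# keys; the CNs are made up). cert.pem is the leaf alone, fullchain.pem is
# leaf + intermediate, mirroring the two files Let's Encrypt writes.
make_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' > "$1/ca.ext"
  for n in root inter leaf; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=test-$n" \
      -keyout "$1/$n.key" -out "$1/$n.csr" 2>/dev/null
  done
  openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 1 \
    -extfile "$1/ca.ext" -out "$1/root.pem" 2>/dev/null
  openssl x509 -req -in "$1/inter.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
    -CAcreateserial -days 1 -extfile "$1/ca.ext" -out "$1/inter.pem" 2>/dev/null
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/inter.pem" -CAkey "$1/inter.key" \
    -CAcreateserial -days 1 -out "$1/cert.pem" 2>/dev/null
  cat "$1/cert.pem" "$1/inter.pem" > "$1/fullchain.pem"
}

# report FILE ROOT: one line per candidate ssl_certificate file
report() {
  if check_chain "$1" "$2"; then echo "$1: chain OK"
  else echo "$1: unknown issuer (intermediate missing)"; fi
}

dir=$(mktemp -d)
make_pki "$dir"
report "$dir/cert.pem" "$dir/root.pem"       # what ssl_certificate cert.pem gives
report "$dir/fullchain.pem" "$dir/root.pem"  # what ssl_certificate fullchain.pem gives
rm -rf "$dir"
```

Against a live server the same idea is `openssl s_client -connect host:443 -showcerts`, which prints every certificate nginx actually sends; if only one appears, fullchain.pem is not the file in ssl_certificate.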