SSL Labs Grade B on nginx

My domain is: tile1.maphub.net

I ran this command:

certbot --nginx \
    --preferred-challenges http-01 \
    --no-redirect \
    -n \
    -m ...@gmail.com \
    --agree-tos \
    --cert-name maphub.net \
    -d maphub.net \
    -d tile1.maphub.net

It produced this output:

Your existing certificate has been successfully renewed, and the new certificate
has been installed.

The new certificate covers the following domains: ...

You should test your configuration at:
...
https://www.ssllabs.com/ssltest/analyze.html?d=tile1.maphub.net

My web server is (include version): nginx/1.17.9

The operating system my web server runs on is (include version): Ubuntu 18.04.4

My hosting provider, if applicable, is: own

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0


So after the required form, I want to say that everything is good and working perfectly. My only issue is that in SSLLabs I get a B.
https://www.ssllabs.com/ssltest/analyze.html?d=tile1.maphub.net

  1. Should I worry about it?
  2. If so, what do I need to change? The linked options-ssl-nginx.conf config contains the SSL params, and it’s not configurable by me, right?
  3. Can I just wait till it gets fixed by auto-updated certbot, or not?

It says: “This server supports TLS 1.0 and TLS 1.1. Grade capped to B.”

1 Like

If it’s your server, then everything in it is configurable by you.

I handle all the global settings in the main config file (/etc/nginx/nginx.conf).

So… should you remove TLSv1.0 & 1.1 ?
If you haven’t been living under a rock for the past couple of years, then you know they are no longer considered secure and all browsers have been updated to support TLSv1.2 or higher.
I would check the logs for any TLSv1.0 & 1.1 access and go from there.

2 Likes

Hi,

I recently update the Wiki for Nginx ssllab testing, which had a breakdown explaination for each section.

2 Likes

You should not edit that file, but you can replace it altogheter. (Ie: create a new file in /etc/nginx/snippets)

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.