SSL Labs Grade B on nginx

My domain is: tile1.maphub.net

I ran this command:

certbot --nginx \
    --preferred-challenges http-01 \
    --no-redirect \
    -n \
    -m ...@gmail.com \
    --agree-tos \
    --cert-name maphub.net \
    -d maphub.net \
    -d tile1.maphub.net

It produced this output:

Your existing certificate has been successfully renewed, and the new certificate
has been installed.

The new certificate covers the following domains: ...

You should test your configuration at:
...
https://www.ssllabs.com/ssltest/analyze.html?d=tile1.maphub.net

My web server is (include version): nginx/1.17.9

The operating system my web server runs on is (include version): Ubuntu 18.04.4

My hosting provider, if applicable, is: own

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0


So after the required form, I want to say that everything is good and working perfectly. My only issue is that in SSLLabs I get a B.
https://www.ssllabs.com/ssltest/analyze.html?d=tile1.maphub.net

  1. Should I worry about it?
  2. If so, what do I need to change? The linked options-ssl-nginx.conf config contains the SSL params, and it’s not configurable by me, right?
  3. Can I just wait till it gets fixed by auto-updated certbot, or not?

It says: “This server supports TLS 1.0 and TLS 1.1. Grade capped to B.”

1 Like

If it's your server, then everything in it is configurable by you.

I handle all the global settings in the main config file (/etc/nginx/nginx.conf).

So... should you remove TLSv1.0 & 1.1 ?
If you haven't been living under a rock for the past couple of years, then you know they are no longer considered secure and all browsers have been updated to support TLSv1.2 or higher.
I would check the logs for any TLSv1.0 & 1.1 access and go from there.

2 Likes
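An added example, not part of any post in this thread: one way to check the access log for TLSv1.0 and TLSv1.1 clients before removing those versions from `ssl_protocols`. It assumes a custom `log_format` (shown in the comment) that records nginx's `$ssl_protocol` variable; the format name `tls`, the sample log lines and the user agents are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Assumed log_format (not from the thread); $ssl_protocol and $ssl_cipher are
# nginx ssl-module variables:
#   log_format tls '$remote_addr [$time_local] $ssl_protocol $ssl_cipher '
#                  '"$request" $status "$http_user_agent"';
LINE_RE = re.compile(
    r'^(?P<addr>\S+) \[(?P<time>[^\]]+)\] (?P<proto>\S+) (?P<cipher>\S+) '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) "(?P<agent>[^"]*)"$'
)
LEGACY = ("TLSv1", "TLSv1.1")  # the versions that cap the SSL Labs grade at B

# Constructed sample lines (documentation-range addresses, made-up agents).
SAMPLE_LOG = """\
192.0.2.10 [10/Mar/2020:12:00:01 +0000] TLSv1.3 TLS_AES_256_GCM_SHA384 "GET /tiles/1/0/0.png HTTP/2.0" 200 "Mozilla/5.0"
192.0.2.10 [10/Mar/2020:12:00:02 +0000] TLSv1.3 TLS_AES_256_GCM_SHA384 "GET /tiles/1/0/1.png HTTP/2.0" 200 "Mozilla/5.0"
198.51.100.7 [10/Mar/2020:12:01:10 +0000] TLSv1 ECDHE-RSA-AES256-SHA "GET /tiles/2/1/1.png HTTP/1.1" 200 "OldMapClient/1.0"
198.51.100.8 [10/Mar/2020:12:01:15 +0000] TLSv1.1 ECDHE-RSA-AES256-SHA "GET /tiles/2/1/2.png HTTP/1.1" 200 "OldMapClient/1.0"
203.0.113.5 [10/Mar/2020:12:02:00 +0000] TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET / HTTP/1.1" 200 "curl/7.58.0"
203.0.113.9 [10/Mar/2020:12:03:00 +0000] - - "GET / HTTP/1.1" 301 "-"
malformed line without the expected fields
""".splitlines()

def summarize(lines):
    """Count requests per protocol and group legacy-TLS clients by user agent."""
    per_proto = Counter()
    legacy_clients = defaultdict(set)
    unparsed = 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            unparsed += 1  # wrong format or truncated line: report, don't guess
            continue
        # nginx logs an empty variable as "-": the request came over plain HTTP.
        proto = "plaintext" if m["proto"] == "-" else m["proto"]
        per_proto[proto] += 1
        if proto in LEGACY:
            legacy_clients[m["agent"]].add(m["addr"])
    tls_total = sum(n for p, n in per_proto.items() if p != "plaintext")
    legacy_total = sum(per_proto[p] for p in LEGACY)
    return {
        "per_protocol": dict(per_proto),
        "legacy_share": legacy_total / tls_total if tls_total else 0.0,
        "legacy_clients": {a: sorted(ips) for a, ips in legacy_clients.items()},
        "unparsed": unparsed,
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

If `legacy_share` stays at zero over a representative period, dropping TLSv1.0 and TLSv1.1 should not affect any current client; otherwise `legacy_clients` shows which user agents still depend on them.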

Hi,

I recently updated the Wiki for Nginx SSL Labs testing, which had a breakdown explanation for each section.

2 Likes

You should not edit that file, but you can replace it altogether (i.e., create a new file in /etc/nginx/snippets).
