SSL Server Test Graded T - how can I improve it?


#1

Server: ubuntu 14.04 / Apache 2.4.18

I have successfully installed letsencrypt (cloning the git repo) and successfully created a few certificates.

All seems fine when testing in various browsers, but if I use the SSL Server Test as advised by the LE client, I get a bad grade, like M or sometimes T. Here is an example: https://www.ssllabs.com/ssltest/analyze.html?d=thatsthespir.it

Can you advise me what I can do to get a better grade?


#2

It appears that your default, non-SNI certificate is a self-signed certificate for “pixeline02”. What happens if you switch the default certificate to a valid one?


#3

WWW subdomain again. Seriously?

ERR_CERT_AUTHORITY_INVALID

Remove WWW from DNS.

This was supposed to be fixed on SSL Labs development server, but even there it shows mismatch. File a bug: https://github.com/ssllabs/ssllabs-scan/issues

Previously: https://github.com/ssllabs/ssllabs-scan/issues/278


#4

Hello @pixeline,

As @selecadm says, it seems to be a bug in ssllabs ssltest that is not corrected in the prod version, but I’ve checked it against the dev version (1.22.7) and your domain gets an A.

To use ssllabs dev version: https://dev.ssllabs.com/ssltest/

You can use another test like this one from htbridge where your domain also gets an A.

Cheers,
sahsanu


#5

Well, I have no idea what M is, but T means Trust issue, meaning that there’s a problem with your cert or you are just using a self-signed one. Below the T you see the actual result when we ignore trust issues, which is a lot more important, because a T-A is way better than a T-F (which my router would probably get because RC4 only and stuff, but I can’t test due to the non-standard port, and no, I cannot do something to change that, only the provider can update those things).


#6

Hello @riking and thank you. I’m not sure what exactly is happening there. “pixeline02” is a name I gave to this VPS instance via my hosting provider control panel interface. In which file is it set up? Why is it showing up there? I’m investigating, but if you have any info, I’m all ears, thank you :slightly_smiling:


#7

Thank you. I’ve now set up the www subdomain redirection to non-www.


#8

“M” means hostname mismatch - the name on the certificate is not the name on the domain.
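
Added example (not part of the thread, and not SSL Labs' own grading logic): a simplified Python check that reproduces the two conditions discussed above, "M" for a hostname mismatch and "T" for an untrusted certificate, using the dict layout of `ssl.SSLSocket.getpeercert()`. The two certificates and the CA name are constructed for illustration, and "self-signed" is detected only by comparing issuer and subject, without verifying any signature.

```python
# Certificates use the dict layout returned by ssl.SSLSocket.getpeercert().
# Both sample certificates below are constructed for illustration.
DEFAULT_CERT = {  # constructed: self-signed cert on the default (non-SNI) vhost
    "subject": ((("commonName", "pixeline02"),),),
    "issuer": ((("commonName", "pixeline02"),),),
}
SITE_CERT = {  # constructed: CA-issued cert covering the bare domain only
    "subject": ((("commonName", "thatsthespir.it"),),),
    "issuer": ((("commonName", "Example CA X1"),),),  # hypothetical CA name
    "subjectAltName": (("DNS", "thatsthespir.it"),),
}

def flatten(name):
    """Turn getpeercert()'s nested RDN tuples into a flat {key: value} dict."""
    return {k: v for rdn in name for (k, v) in rdn}

def cert_names(cert):
    """DNS names the cert is valid for: SAN entries, else the subject CN."""
    sans = [v.lower() for (t, v) in cert.get("subjectAltName", ()) if t == "DNS"]
    if sans:
        return sans
    cn = flatten(cert.get("subject", ())).get("commonName")
    return [cn.lower()] if cn else []

def name_matches(pattern, host):
    """Exact match, or a left-most '*' label standing in for exactly one label."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    first_ok = (p[0] == "*" and len(p) > 2) or p[0] == h[0]
    return first_ok and p[1:] == h[1:]

def is_self_signed(cert):
    """Heuristic only: issuer equals subject (no signature check is done)."""
    return cert.get("issuer") is not None and cert["issuer"] == cert.get("subject")

def classify(cert, host):
    """Return the set of problems: 'M' = name mismatch, 'T' = trust issue."""
    problems = set()
    if not any(name_matches(n, host) for n in cert_names(cert)):
        problems.add("M")
    if is_self_signed(cert):
        problems.add("T")
    return problems

if __name__ == "__main__":
    for label, cert, host in [("default vhost", DEFAULT_CERT, "thatsthespir.it"),
                              ("site cert", SITE_CERT, "thatsthespir.it"),
                              ("site cert", SITE_CERT, "www.thatsthespir.it")]:
        print(label, host, sorted(classify(cert, host)) or "ok")
```

To run it against a live host, pass the dict from `getpeercert()` on a verified connection instead of the constructed samples; comparing a connection made with `server_hostname` set against one made without it shows whether the default (non-SNI) certificate differs from the site's.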