SSLShopper shows my Chain Cert as Let's Encrypt Authority X1 and Not Trusted in All Browsers

#21

Thanks, there is a link to this old thread:

The user certificate store of the Local System account. Curious.

So if IIS runs under a special account, the user certificate store of that account should be checked.

But it’s impossible to do that in a Shared Hosting environment.

#22

Ok so it sounds like it’s a problem on GoDaddy’s end with their Windows Deluxe Shared Hosting. I’m sure getting them to do anything about it will be a huge pain in the ass- they really push their SSL package which is expensive and doesn’t even automatically cover a domain with and without www. I didn’t have any problems hosting with them before needing this, but I am hoping to set up a simple shopping cart down the road with something like prestashop (and just accept paypal) so I suspect that will be painful too.

I will still contact their support about it, but does anyone have a better hosting company they can recommend, that actually supports Let’s Encrypt and installations such as Prestashop? Running my own server isn’t an option… my site eats up too much bandwidth from other sites hotlinking, and I doubt Bell would like that seeing as I don’t have a business account (or want one.)

I suppose another option would be switching to cPanel with Linux with them (I only have Windows hosting as originally my husband was thinking he might use it, as he used to code in ASP.Net several years ago.) But I hesitate to send any more business their way after all this mess, and again, suspect setting up a shopping cart myself would be awful, if even possible, on their hosting platforms.

#23

@JuergenAuer, @jmorahan just an update, thank you so much for your help on this!

I ended up contacting GoDaddy by filling out their little “Would you recommend us?” survey and giving them a 1/10. (I worked as a BA for 17 years at Bell Aliant, so I know that survey results under a certain value get flagged and go to management.)

Sure enough, I was contacted by a senior product manager the next day (haha!)

Anyway it was, as you had mentioned, a problem on the server I was hosting on. They gave me 2 free years of hosting on a different server for finding the bug (it took them a couple of weeks to deploy the fix on the server I had been on.)

Apparently the reason they don’t have the Let’s Encrypt extensions on Plesk is it conflicts somehow with their certificates, since they are also a certificate authority. I couldn’t tell you if that’s just a bunch of hot air or not though!

He also said that the reason I can’t request a CSR for both www and no www on my domain actually has to do with how Plesk is set up, which isn’t something they can change. This seems odd to me that Plesk would force you to choose only one…he suggested trying to request a wildcard CSR in Plesk, which I haven’t done yet. What are your thoughts on the wildcard certs? I was reading that Let’s Encrypt does allow it now, but does it only allow it through CertBot?

My last question for you, is that on SSL Labs, my grade is getting capped at B, with the following message. I want to write to the guy asking him if they are going to be upgrading/fixing this on their server soon, but don’t want to sound like an idiot. Would I just word it as such? (As in, are you planning on upgrading the server to support AEAD cipher suites?)

This server does not support Authenticated encryption (AEAD) cipher suites. Grade capped to B

Your site should use secure cipher suites. AEAD is the only encryption approach without any known weaknesses. The alternative, CBC encryption, is susceptible to timing attacks (as implemented in TLS). AEAD suites provide strong authentication, key exchange, forward secrecy, and encryption of at least 128 bits. TLS 1.3 supports only AEAD suites. SSL Labs doesn’t currently reward the use of AEAD suites. In this grading criteria update we will start requiring AEAD suites for A.

Grade will be capped to B, if AEAD suites are not supported. As with forward secrecy, we will not penalize sites if they continue to use non-AEAD suites provided AEAD suites are negotiated with clients that support them.

Thanks so much for your help on this! The broken chain authority was causing weird issues- Instagram wouldn’t load my website in their App, and Pinterest wouldn’t bring up any images when trying to pin anything from my site either. So I’m really glad it’s working now!

All the best,

Sandra
www.CanadianDragon.com

#24

Also thank you @schoen… apparently I’m too new on here, it wouldn’t let me reply to more than two people (see post above) :roll_eyes:

#25

Good to hear you got the chain issue sorted!

You can get a wildcard certificate from ZeroSSL. But be warned: the “wildcard” aspect of the certificate covers any subdomain - including www - but not the domain apex itself (the non-www version). So unless Plesk happens to add this automatically when generating a wildcard CSR, it won’t actually help with solving the problem.

If I’m reading Microsoft’s documentation correctly, Windows 2012 should already support some AEAD cipher suites, so the server may just need to be configured to enable them. Specifically the ones that also provide forward secrecy, if you’re aiming for an A grade on SSL Labs. That is, if I’m not mistaken:

  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • and a couple of others that I think only work with ECDSA certificates, and so are probably not relevant to you.

Upgrading the server would be better still, but from looking at this I’m guessing that’s unlikely to happen any time soon. So maybe just ask if those cipher suites can be enabled, I guess?
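The wildcard-vs-apex point in the reply above is easy to verify with a few lines of code. The following is an added example (not code from the thread or from any poster): it applies the hostname-matching rule browsers use (RFC 6125 section 6.4.3, wildcard only as the whole left-most label) to constructed SAN lists for the placeholder domain example.com, and lists which of the wanted hostnames a given certificate would NOT cover.

```python
"""Does a certificate's SAN list cover a given hostname?

Added example, not from the thread: it applies the hostname-matching
rules of RFC 6125 section 6.4.3 (as browsers implement them) to show
that '*.example.com' covers 'www.example.com' but not the apex
'example.com'. The SAN lists below are constructed inputs, not real
certificates.
"""


def _wildcard_matches(pattern: str, host: str) -> bool:
    """Match '*.base' against host: the wildcard must be the whole
    left-most label, and host must have exactly one label more than base."""
    base = pattern[2:]
    # Reject '*' anywhere else (w*.example.com) and bare '*.tld' patterns,
    # which browsers refuse to honour.
    if "*" in base or base.count(".") < 1:
        return False
    head, sep, tail = host.partition(".")
    return bool(sep) and head != "" and tail == base


def san_covers(san_dns_names, hostname: str) -> bool:
    """True if any dNSName entry covers hostname (case-insensitive,
    trailing dot ignored)."""
    host = hostname.lower().rstrip(".")
    for name in san_dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and _wildcard_matches(name, host):
            return True
    return False


def uncovered(san_dns_names, hostnames):
    """Hostnames the certificate would NOT be valid for."""
    return [h for h in hostnames if not san_covers(san_dns_names, h)]


if __name__ == "__main__":
    # Constructed SAN lists (assumption: a plain wildcard CSR yields only '*.domain').
    WILDCARD_ONLY = ["*.example.com"]
    WILDCARD_PLUS_APEX = ["*.example.com", "example.com"]
    WANTED = ["example.com", "www.example.com", "shop.example.com", "a.b.example.com"]
    print("wildcard only, not covered:", uncovered(WILDCARD_ONLY, WANTED))
    print("wildcard + apex, not covered:", uncovered(WILDCARD_PLUS_APEX, WANTED))
```

Run it and the first line reports both the apex and the two-level name as uncovered; adding the apex as a second SAN fixes the apex but, as the reply says, nothing short of a deeper wildcard covers a.b.example.com. The same check can be run against a real certificate by feeding it the dNSName entries from the Subject Alternative Name extension.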

#26

I had the same problem (Windows 2012).

Switched to EC-Certificates, that was the solution.

#27

Interesting… I was under the impression that those still didn’t have widespread browser support, but now that I try to find any evidence to back up my assumption, I’m coming up blank. If they’re now widely supported, that might indeed be a better solution.

#28

I’ve checked the browsers SSLLabs checks. XP wasn’t relevant (there, SSL3 is the problem); mobile browsers - no problem.

2018-10-18 - I’ve switched to EC 384.

#29

Well, that’s good news!

Hmm, but can Plesk generate an EC CSR? I have no idea…

#30

@jmorahan ugh, go figure the domain apex isn’t included with a wildcard CSR. I’m not planning on using subdomains so I guess there’s no point in that then. I highly doubt their wildcard CSR includes the domain apex, or else it would when I created one with www.

Right now I’m getting around this with an .htaccess file, so hopefully that will do the trick right now. It seems to, but I think it does cause a few errors on SSL Labs.

I doubt they are upgrading their servers, but I’ll ask anyway. Are those specifically the cipher suites they need to activate that you’ve shown above- do you know if they are already available in Windows 2008, and just need to be activated by them? I just want to word things correctly so I don’t sound like an idiot to them, as this is way outside my area of expertise.

@JuergenAuer Regarding EC-Certs, It doesn’t look like Plesk can generate a CSR for them (at least for my hosting), and with the shared hosting, I am limited to creating a CSR through GoDaddy’s platform. I don’t see anywhere there that I can choose such. Otherwise I would just create my own CSR that included the www.domain and domain apex, since that’s one of my complaints.

I’m curious as to exactly how one gets an EC cert though- reading about it, it sounds like it is much superior. So why have all certs not just been switched to this- that must mean Let’s Encrypt certs are RSA?

On average, processing for ECC is about four times less CPU-intensive than for RSA.
EC also tends to provide significantly higher security. A 256-bit EC certificate (the minimum length supported) is roughly equivalent to a 3k RSA cert. Additionally, EC cryptography enables Perfect Forward Secrecy (PFS) with significantly less overhead.

#31

Hmm, somehow I got the idea you were on Windows 2012 :frowning: but yes, those cipher suites should be available on Windows 2008 R2, though perhaps not older versions of Windows 2008. The cipher suites would need to be activated and prioritized so that they’re actually used, and possibly some additional configuration might be needed to ensure that they use appropriate DH parameters, otherwise SSL Labs might still complain.

If you’re talking to support it might be best to mention explicitly that you’re aiming to get an A grade on SSL Labs, as there are any number of ways they could misinterpret anything else you might say and end up doing technically what you asked without actually making your server more secure.

Let’s Encrypt certificates are RSA or EC depending on what kind of CSR you use to request them. Most tools generate RSA CSRs by default, even if they also support EC, for compatibility with older browsers.

This particular aspect of EC cryptography doesn’t actually require an EC cert, and according to SSL Labs it’s enabled on your server already. Unfortunately Windows 2008 doesn’t seem to support any cipher suites combining that with AEAD and RSA :frowning: Neither does Windows 2012, though modern versions of Windows do.
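The SSL Labs rule quoted earlier (grade capped to B when no AEAD suite is offered) and the point just made about key exchange, AEAD and certificate type all come down to reading the cipher-suite names. The following is an added example, not code from the thread and not SSL Labs' own grading code: it splits IANA cipher-suite names into key exchange, authentication and encryption parts, and summarises what a list of enabled suites gives you. The two suite lists are constructed to resemble a CBC-only Windows server before and after the two DHE_RSA GCM suites named earlier are enabled; they are assumptions, not a dump of any real host.

```python
"""Classify TLS cipher suites by AEAD / forward secrecy / certificate type.

Added example, not from the thread and not SSL Labs' code. It applies the
rule "grade capped to B if no AEAD suites" to a list of enabled suites and
also reports whether any suite combines ephemeral key exchange, AEAD and
an RSA certificate. Suite lists below are constructed assumptions.
"""
import re

# IANA names look like TLS_<kx>_WITH_<enc>_<mac>; TLS 1.3 names have no WITH.
_SUITE_RE = re.compile(
    r"^TLS_(?P<kx>[A-Za-z_]+?)_WITH_(?P<enc>.+?)_(?P<mac>SHA256|SHA384|SHA|MD5|NULL)$"
)


def describe(suite: str) -> dict:
    """Break an IANA cipher-suite name into its security-relevant parts."""
    if suite.startswith("TLS_") and "_WITH_" not in suite:
        # TLS 1.3 suite: key exchange is always ephemeral, encryption is
        # always AEAD, and the certificate type is not part of the name.
        return {"suite": suite, "kx": "TLS13", "auth": "any",
                "enc": suite[4:], "aead": True, "fs": True}
    m = _SUITE_RE.match(suite)
    if m is None:
        raise ValueError(f"not an IANA cipher-suite name: {suite}")
    kx, enc = m.group("kx"), m.group("enc")
    return {
        "suite": suite,
        "kx": kx,
        # the last token of the key-exchange part names the certificate's key type
        "auth": kx.rsplit("_", 1)[-1],
        "enc": enc,
        "aead": any(tag in enc for tag in ("GCM", "CCM", "POLY1305")),
        # ephemeral (EC)DH gives forward secrecy; static RSA/ECDH key exchange does not
        "fs": kx.startswith(("ECDHE", "DHE")),
    }


def aead_report(enabled_suites) -> dict:
    """Summarise what the enabled suites give you under the SSL Labs rule."""
    infos = [describe(s) for s in enabled_suites]
    aead = [i for i in infos if i["aead"]]
    return {
        "capped_to_b": not aead,
        "fs_aead_rsa": any(i["fs"] and i["auth"] == "RSA" for i in aead),
        "ecdhe_aead_rsa": any(i["kx"].startswith("ECDHE") and i["auth"] == "RSA" for i in aead),
        "ecdhe_aead_ecdsa": any(i["kx"].startswith("ECDHE") and i["auth"] == "ECDSA" for i in aead),
        "legacy": [i["suite"] for i in infos
                   if i["enc"].startswith(("RC4", "3DES", "DES", "NULL"))],
    }


# Constructed: a CBC-only list like a server that SSL Labs caps at B.
CBC_ONLY = [
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

# Constructed: the DHE_RSA GCM suites named earlier, placed ahead of the CBC ones.
WITH_DHE_GCM = [
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
] + CBC_ONLY

if __name__ == "__main__":
    for label, suites in (("CBC only", CBC_ONLY), ("with DHE GCM", WITH_DHE_GCM)):
        print(label, aead_report(suites))
```

For the first list the report says capped_to_b is True; for the second it is False and fs_aead_rsa is True, while ecdhe_aead_rsa stays False, which is exactly the gap described for Windows 2008/2012 with an RSA certificate: forward secrecy plus AEAD is available, but only via DHE, so the DH parameters also need to be large enough for SSL Labs not to complain. Ordering matters as much as availability: the server has to prefer the AEAD suites, not merely offer them.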
