VPS - cipher suite for XP - ‘Forbidden’


#1

Very recently I upgraded my Bluehost account to a VPS and am coming up the learning curve. Eventually I will figure out how to install and use the LE client but for now I generated a certificate using https://gethttpsforfree.com/ and installed it using the WHM interface.

I then looked at the following test page with Firefox and saw a green padlock. Sweet. https://findmesar.com/test/911-wireless-location-accuracy.html

Then I ran the page through ssllabs which complained that my cipher suite included RC4. So using WHM I went to Apache Configuration ==> SSL Cipher Suite and saw 2 choices. The first choice is hardcoded and the second choice is in an edit box and thus can be changed.

The cipher suite in the edit box was selected. OK, time for me to ’fess up that I am using XP SP3. (Will upgrade to win 10 this fall).

Rats! I must have been asleep. I forgot to save the initial cipher suite that was in that edit box before I replaced it with something else in an attempt to nuke RC4. Dumb!

Now every cipher suite I try in that edit box results in a “forbidden” message when I try to view my test page with Firefox or Chrome. And of course I neglected to save the original cipher suite (gives self swift kick).

  1. When I installed the LE certificate did that process write a cipher suite into that edit box and, if so, what is that suite?

  2. Is it necessary to reinstall the certificate after changing the cipher suite and restarting apache?

  3. Can a bad cipher suite be the cause of the “forbidden” message I see when I try to look at my test page?


#2

Welcome to the learning curve, watch your footing! :wink:

The most practical source of cipher suites I know of is Mozilla’s SSL Configuration Generator. It will provide you with a “modern” set of ciphers for when you upgrade, as well as an “old” set that will work with XP. Keep in mind, XP is very old, one and a half decades old, so you may have to make a trade-off between security and compatibility.

  1. The certificate is a separate thing to the ciphers. The cert will work with just about any cipher suite you throw at it. Think of them as independent.

  2. It is not necessary to reinstall the certificate. At least, it shouldn’t be. I haven’t seen a setup yet that would require it.

  3. Possibly, but unlikely. Forbidden usually means permissions are incorrectly set in the file system or the web server is pointing to the wrong place.

If anyone else can correct me or improve on what I said, please do!

Good luck Jelf, I’ve been where you are and it gets easier!
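As an added example (not from either poster), a small Python check that expands a candidate `SSLCipherSuite` string with the local OpenSSL build, much as Apache would, and flags RC4 and other weak suites before the string goes into the WHM edit box. The suite strings in the demo are constructed for illustration and are not Mozilla's profiles.

```python
import ssl

# Substrings that identify cipher suites worth flagging before deployment.
# RC4 is the one ssllabs complained about in the thread; the rest are other
# legacy or weak constructions a scanner would also report.
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5")


def expand_suite(suite: str) -> list:
    """Expand an OpenSSL cipher string into the concrete suite names it
    enables. Raises ssl.SSLError when the string selects no cipher at all,
    which is the failure mode behind an HTTPS vhost that no browser can reach
    after a bad paste into the cipher-suite box."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(suite)
    return [c["name"] for c in ctx.get_ciphers()]


def check_suite(suite: str) -> dict:
    """Report whether the string parses, which suites it enables, and which
    of those match a weak marker, so the operator can review before saving."""
    try:
        names = expand_suite(suite)
    except ssl.SSLError as exc:
        return {"valid": False, "error": str(exc), "ciphers": [], "weak": []}
    weak = [n for n in names if any(m in n for m in WEAK_MARKERS)]
    return {"valid": True, "error": None, "ciphers": names, "weak": weak}


if __name__ == "__main__":
    # Constructed candidates: one that keeps only ECDHE + AES-GCM, and one
    # typo that selects nothing (the "every suite gives an error" situation).
    for candidate in ("ECDHE+AESGCM:!aNULL", "NOSUCHCIPHER"):
        report = check_suite(candidate)
        print(candidate, "->", "OK" if report["valid"] else report["error"])
        for name in report["ciphers"]:
            flag = " (weak)" if name in report["weak"] else ""
            print("   ", name + flag)
```

Run it against each string you intend to paste; only save a string that reports valid with an empty weak list, and keep a copy of the previous value first.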


#3

Solved.

This problem only affected domains for which I had installed an SSL certificate.

Solution was to use WHM and go to:
Home » Service Configuration » Apache Configuration » Global Configuration
I scrolled down on that page and checked FollowSymLinks.
Then I restarted Apache.
Fixed things right up.


#4

Ah, excellent. Glad you got it sorted.

Yes, the official client creates an archive folder and a live folder. As you renew, the archive records all your past certificates (cert1.pem, cert2.pem, etc.) while the live folder has a symbolic link to the latest/current cert.

It never occurred to me that symlinks wouldn’t be followed, that would’ve taken me forever to find! :stuck_out_tongue_winking_eye: