Letsencrypt certificate produces SSL error

I have just installed a letsencrypt certificate via the server certificate module on my Nethserver 7 (final version).
It seems that it worked fine, i.e. the new certificate is shown in the list of certificates and no errors are shown in the log file. I set the certificate to default.

However, when I browse to my website that I host on Nethserver, Firefox shows an error message that the SSL certificate is not secure and gives the following error code to me: SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY
Could it be that the module uses a prime that is not large enough (for the Diffie-Hellman algorithm)? Or does Nethserver use another algorithm? And do you have any idea how to fix that problem?

You may try to increase Apache (httpd) security.


Thanks!!! I will try it tomorrow… :wink:


The real reason for that error was that my router from the ISP didn't forward port 443… simply a stupid failure in the configuration…! :wink:

However, on the way towards the solution I found this guide for making a server much more secure against known SSL attacks: https://weakdh.org/sysadmin.html
I followed that guide and disabled SSL3 in addition. And now my server gets an A+ in the SSL test of SSL Labs!
Perhaps one could implement it in a future release of Nethserver!??! Basically it is only a change of the CipherSuites in /etc/httpd/conf.d/ssl.conf and /etc/httpd/admin-conf/httpd.conf and disabling SSL3 in the former:
SSLProtocol all -SSLv2 -SSLv3

SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

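The directives quoted in the post can be checked mechanically before a server is exposed. The script below is an added example, not code from the thread or from NethServer: it audits an Apache mod_ssl fragment for the settings the weakdh.org guide asks for (SSLv2/SSLv3 off, the weak cipher classes explicitly excluded, server-side cipher ordering, an explicit DH group) and reads the bit length of the modulus in a DH parameter file, which is what the SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY message is about. The post itself only changes SSLProtocol and SSLCipherSuite; the SSLHonorCipherOrder and DHParameters checks go one step further, following the same guide. Everything in WEAK_CONF and HARDENED_CONF is constructed (HARDENED_CONF uses a shortened form of the cipher list above), the path /etc/pki/tls/dhparams.pem is assumed, and the DH fixture built by make_dh_pem uses a placeholder number of the right size, not a real group.

```python
import base64
import textwrap

# Constructed mod_ssl fragments (not the poster's files). WEAK_CONF resembles an
# older stock ssl.conf; HARDENED_CONF is a shortened form of the thread's cipher
# list plus the two extra directives the weakdh.org guide recommends.
WEAK_CONF = """
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
"""

HARDENED_CONF = """
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH
SSLOpenSSLConfCmd DHParameters "/etc/pki/tls/dhparams.pem"
"""

# Cipher-string exclusions the audit insists on (all present in the thread's list).
REQUIRED_EXCLUSIONS = ("aNULL", "eNULL", "EXPORT", "RC4", "MD5", "DES")


def parse_directives(conf):
    """Map directive name -> list of argument strings (directives may repeat)."""
    directives = {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            directives.setdefault(parts[0], []).append(parts[1].strip())
    return directives


def protocol_findings(value):
    """Apache 2.4 semantics: 'all' is SSLv3 plus every TLS version; '-X' removes X."""
    enabled = set()
    for token in value.split():
        if token.lower() == "all":
            enabled |= {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
        elif token.startswith("-"):
            enabled.discard(token[1:])
        else:
            enabled.add(token.lstrip("+"))
    return [f"SSLProtocol leaves {p} enabled" for p in ("SSLv2", "SSLv3") if p in enabled]


def cipher_findings(value):
    """Flag weak cipher classes the string does not exclude with a '!' token."""
    excluded = {t[1:] for t in value.split(":") if t.startswith("!")}
    return [f"SSLCipherSuite does not exclude {x}" for x in REQUIRED_EXCLUSIONS if x not in excluded]


def audit(conf):
    """Return a list of findings; an empty list means every check passed."""
    d = parse_directives(conf)
    findings = protocol_findings(d.get("SSLProtocol", ["all"])[-1])
    findings += cipher_findings(d.get("SSLCipherSuite", ["DEFAULT"])[-1])
    if d.get("SSLHonorCipherOrder", [""])[-1].lower() != "on":
        findings.append("SSLHonorCipherOrder is not on: the client, not the server, picks the suite")
    if not any(v.split()[0] == "DHParameters" for v in d.get("SSLOpenSSLConfCmd", [])):
        findings.append("no SSLOpenSSLConfCmd DHParameters: Apache falls back to its built-in DH group")
    return findings


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(v):
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")  # extra byte keeps the sign bit clear
    return b"\x02" + _der_len(len(body)) + body


def make_dh_pem(p, g):
    """Encode DHParameters ::= SEQUENCE { prime INTEGER, base INTEGER } as PEM."""
    body = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode()
    return ("-----BEGIN DH PARAMETERS-----\n" + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END DH PARAMETERS-----\n")


def _der_read(buf, off):
    """Return (tag, contents, offset_after) for the TLV starting at buf[off]."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length


def dh_prime_bits(pem):
    """Bit length of the modulus p in a PEM DH parameter file."""
    b64 = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    tag, seq, _ = _der_read(base64.b64decode(b64), 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, p_bytes, _ = _der_read(seq, 0)
    if tag != 0x02:
        raise ValueError("prime is not a DER INTEGER")
    return int.from_bytes(p_bytes, "big").bit_length()


# Constructed fixture: a placeholder 2048-bit modulus, NOT a real DH group; it only
# exercises the size check. Real groups come from `openssl dhparam -out dhparams.pem 2048`.
PLACEHOLDER_P = (1 << 2047) | 1

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "OK")
    print("placeholder DH modulus bits:", dh_prime_bits(make_dh_pem(PLACEHOLDER_P, 2)))
```

Point dh_prime_bits at a file generated with openssl dhparam to confirm the group Apache will serve is 2048 bits; the audit reports the weak fragment's SSLv3, RC4/DES/EXPORT and missing DH-group issues and returns no findings for the hardened one.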

I have just created a new topic for discussing this feature: More secure SSL CipherSuites