I have just installed a letsencrypt certificate via the server certificate module on my Nethserver 7 (final version).
It seems that it worked fine, i.e. the new certificate is shown in the list of certificates and no errors are shown in the log file. I set the certificate to default.
However, when I browse to my website that I host on Nethserver, Firefox shows an error message that the SSL certificate is not secure and gives the following error code to me: SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY
Could it be that the module uses a prime that is not large enough (for the Diffie-Hellman algorithm)? Or does Nethserver use another algorithm? And do you have any idea how to fix that problem?
The real reason for that error was that my router from the ISP didn’t forward the port 443… simply a stupid failure in the configuration…!
However, I found on the way towards the solution this guide for making a server much more secure against known SSL attacks: https://weakdh.org/sysadmin.html
I followed that guide and disabled SSL3 in addition. And now my server gets an A+ in the SSLtest of ssllabs!
Perhaps one could implement it in a future release of Nethserver!??! Basically it is only a change of the CipherSuites in /etc/httpd/conf.d/ssl.conf and /etc/httpd/admin-conf/httpd.conf and disabling SSL3 in the former:
SSLProtocol all -SSLv2 -SSLv3
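
An added example, not part of the original post and not Nethserver's own code: a small Python check that reads Apache configuration text and reports SSLProtocol lines that still leave SSLv2/SSLv3 enabled and SSLCipherSuite lines that enable export-grade or other weak cipher classes. The weak-class list, the conservative expansion of "all" and the two sample configs are assumptions constructed for this illustration.

```python
import re

# "all" is expanded conservatively to every protocol name (assumption of this example).
ALL = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
LEGACY = {"SSLv2", "SSLv3"}
WEAK = {"EXPORT", "EXP", "LOW", "NULL", "ANULL", "ENULL", "RC4", "DES", "MD5"}
CANON = {p.lower(): p for p in ALL}

def enabled_protocols(args):
    """Evaluate SSLProtocol arguments left to right: +X adds, -X removes, bare X replaces."""
    enabled = set()
    for tok in args.split():
        sign = tok[0] if tok[0] in "+-" else ""
        name = tok.lstrip("+-").lower()
        group = set(ALL) if name == "all" else {CANON[name]} if name in CANON else set()
        if not group:
            continue  # unknown token: ignored by this example
        if sign == "-":
            enabled -= group
        elif sign == "+":
            enabled |= group
        else:
            enabled = group
    return enabled

def weak_cipher_tokens(spec):
    """Return cipher-string tokens that enable (rather than exclude) a weak class."""
    weak = []
    for tok in re.split(r"[:, ]+", spec.strip()):
        if not tok or tok[0] in "!-":
            continue  # "!X" and "-X" remove ciphers, so they are not a finding
        name = tok.lstrip("+").upper()
        if name.startswith("EXP-") or WEAK & set(name.split("+")):
            weak.append(tok)
    return weak

def audit(conf_text):
    """Return (line number, directive, offending values) for each risky directive."""
    findings = []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key, args = parts[0].lower(), parts[1]
        bad = (sorted(enabled_protocols(args) & LEGACY) if key == "sslprotocol"
               else weak_cipher_tokens(args) if key == "sslciphersuite" else [])
        if bad:
            findings.append((n, parts[0], bad))
    return findings

# Constructed sample configs, not taken from a real server.
BEFORE = "SSLProtocol all -SSLv2\nSSLCipherSuite HIGH:MEDIUM:EXP:!aNULL\n"
AFTER = "SSLProtocol all -SSLv2 -SSLv3\nSSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!EXPORT\n"
```

To check a real server, pass the contents of the two files named in the post to audit(); it does not inspect the Diffie-Hellman parameter size itself.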