After creating 7 SSL Certificates with Let's Encrypt, I have stumbled upon this error. I had setup all my configs correct and I scanned my whole site for SSL Vulnerabilities on [SSLLabs.com][1] and it told me that my server's certificate chain is incomplete.
The grading picture:
My SSL Grading
The error:
The error I got
I am running CentOS Linux release 7.2.1511 (Core) as a Reverse Proxy in NginX. And my configuration is:
# GhostAntiDDoS
server {
listen 443 ssl;
server_name ghostantiddos.com *.ghostantiddos.com;
ssl on;
ssl_certificate /etc/letsencrypt/live/ghostantiddos.com/cert.pem;
ssl_certificate_key /etc/letsencrypt/live/ghostantiddos.com/privkey.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_timeout 5m;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
add_header Strict-Transport-Security max-age=15768000;
# Bulletin
#limit_conn conn_limit_per_ip 10;
#limit_req zone=req_limit_per_ip burst=5 nodelay;
client_body_timeout 5s;
client_header_timeout 5s;
....
The rest of the parts are hidden as they will expose my origin.
If anyone could assist me in this, I'd be great!
Replace
certificate /etc/letsencrypt/live/ghostantiddos.com/cert.pem
by
certificate /etc/letsencrypt/live/ghostantiddos.com/fullchain.pem
then test again with https://ssllabs.com
Related
My nginx confid files looks like:
server {
listen 80;
listen [::]:80;
server_name hostserver.ru www.hostserver.ru;
return 301 https://hostserver.ru$request_uri;
server_tokens off;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name hostserver.ru www.hostserver.ru;
ssl_certificate /etc/letsencrypt/live/hostserver.ru/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/hostserver.ru/privkey.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-R$
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=31536000" always;
ssl_stapling on;
ssl_stapling_verify on;
root /var/www/html;
index index.html index.htm;
server_tokens off;
... some location stuff...
}
Ufortunatelly, TLS1.2 not supported by Android 4.0-4.3 and I've chanched config:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
But after using SSLTest it shows me report that TLS1 and TLS1.1 are not supported.
Did I missed smth to change in config files?
Thanks in advance.
UPDATE: I've checked certificates by command:
openssl s_client -tls1 (and so on) -connect example.org:443 < /dev/null
and certificate enabled for each protocol.
I don't know which ciphers work with TLSv1 and TLSv1.1. But I notice from testing sites with SSLTest, that the GCM ciphers are listed against TLSv1.2 only.
You may need to use a more inclusive list of ciphers.
For example:
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
I am web developer using nginx 1.6.2 ver using openssl 1.0.2h
I manage a lot of domains.
And very interested in security.
So My default nginx ssl setting is right here.
default.conf
server {
listen 443;
server_name localhost;
ssl on;
ssl_certificate /etc/nginx/SSL/***.crt;
ssl_certificate_key /etc/nginx/SSL/***.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
location ~ {
root /etc/nginx/html;
index index.php;
return 470;
include /etc/nginx/sites-enabled/error_config;
}
}
as you can see, I used only ssl_protocols TLSv1, TLSv1.1, TLSv1.2
and I want to one of domains, getssltest.ga
Want to use only TLSv 1.1 & TLSv 1.2
But I tried to change virtual host configure file any way.
However, just adding 'ssl_protocols TLSv1.1 TLSv1.2;' doesn't validate.
like above this.
server {
listen 443;
server_name getssltest.ga www.getssltest.ga;
ssl_protocols TLSv1.1 TLSv1.2;
ssl on;
ssl_certificate **;
ssl_certificate_key **;
include /etc/nginx/sites-enabled/ssl_config;
proxy_http_version 1.1;
I can not find the way. ( I could check the protocols in here https://www.ssllabs.com/ssltest/analyze.html?d=getssltest.ga)
How can I override ssl_protocol to one of my virtual hosts?
Thx.
You can look it into documentation http://nginx.org/en/docs/http/configuring_https_servers.html, configuration should be how that:
server {
listen 443 ssl;
server_name getssltest.ga www.getssltest.ga;
ssl_certificate *;
ssl_certificate_key *;
ssl_protocols TLSv1.1 TLSv1.2;
...
}
This was working prior to nginx/1.11.4 and update to Ubuntu 16.04 (and it was on 1.11.x before). There are two sites configured to use SSL on a virtual IP (libvirt). When that didn't work (somehow it always landed on the first config alphabetically with SSL), I changed it to use two different virtual IPs and changed libvirt routing two real IPs to 192.168.122.10 and the other to 192.168.122.11, respectively. Now it's simply giving a handshake failure.
server {
listen 192.168.122.11:443 ssl http2;
server_name www.domain2.org domain2.org;
access_log /var/log/nginx/domains/domain2.org.log;
error_log /var/log/nginx/domains/domain2.org.err;
root /app/domain2.org/html;
ssl on;
ssl_certificate /etc/nginx/ssl/domain2.org.crt;
ssl_certificate_key /etc/nginx/ssl/domain2.org.key;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
ssl_ecdh_curve prime256v1;
ssl_prefer_server_ciphers on;
include /etc/nginx/include/php.conf;
include /etc/nginx/include/restrictions.conf;
}
server {
listen 192.168.122.10:443 ssl http2;
server_name domain1.com www.domain1.com *.domain1.com;
access_log /var/log/nginx/domains/domain1.com.log;
error_log /var/log/nginx/domains/domain1.com.err;
root /app/domain1.com/html;
ssl_certificate /etc/nginx/ssl/domain1.cert;
ssl_certificate_key /etc/nginx/ssl/domain1.pkey;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
ssl_ecdh_curve prime256v1;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8;
include /etc/nginx/include/restrictions.conf;
include /etc/nginx/include/php.conf;
}
This is just the standard nginx from nginx.org packaging, and yes it has SNI. I have no idea why this would suddenly stop working.
root#production:/etc/nginx/conf.d# nginx -V
nginx version: nginx/1.11.4
built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.2)
built with OpenSSL 1.0.2g-fips 1 Mar 2016 (running with OpenSSL 1.0.2g 1 Mar 2016)
TLS SNI support enabled
I'm currently in the process of migrating the hosting of a service of mine from a Managed hosting (running Lighspeed + Cpanel) to my own Managed hosting, running Nginx.
Everything is running fine in Nginx 1.6.0, but my problem is that my certificate shows as self-signed. I installed the SSL certificate including the chained certificate as per
http://www.digicert.com/ssl-certificate-installation-nginx.htm
However, even trying the configuration on NGinx SSL certificate authentication signed by intermediate CA (chain) it does not work.
If I input my website on http://sslcheck.globalsign.com/en_US it shows as it's a self-signed certificate.
Below is my virtual host configuration regarding SSL:
server {
listen 80;
listen 443 ssl;
server_name host02.website.com *.website.com;
root /spacedata/website.com;
index index.php index.html /;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:AES128-SHA:RC4-SHA;
ssl_session_cache shared:SSL:10m;
add_header Strict-Transport-Security max-age=31536000;
ssl_certificate /etc/pki/tls/certs/bundle-alpha.crt;
ssl_certificate_key /etc/pki/tls/certs/private.key;
...
}
I confirm that I installed the right Cert and Private Keys.
Bear in mind that I run the AlphaSSL Wildcard certificate.
I suspect that I'm missing something in regards to the configuration as in my other hosting I installed the same .crt file and .key.
I had the same issue before, had todo with the order of the certs that reside inside your ssl_certificate file.
You need to include all intermediate CA certs in this file, and have them in the right order.
All I had to do was reverse the order of the certs within that file, and my problem was solved.
Your server cert should be on top, then simply go down the CA chain.
PS. My config looks like:
listen 443 default ssl;
ssl_certificate /etc/nginx/ssl/server_plus.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
ssl_prefer_server_ciphers on;
SSLlabs still show the following message even after i added the ssl_session_cache
Session resumption (caching) No (IDs assigned but not accepted)
Here is my full configuration
server {
listen 443 spdy; #Change to 443 when SSL is on
ssl on;
ssl_certificate /etc/ssl/domain.com_bundle.crt;
ssl_certificate_key /etc/ssl/domain.com.key.nopass;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
#ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_buffer_size 8k;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/trustchain.crt;
resolver 8.8.8.8 8.8.4.4;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
#rest config goes here
}
SSL Labs doesn't assume that SNI is available to the client, so it only tests the default virtual server.
The problem could be that you don't have SSL session caching enabled on the default server. To enable it, you just need to add that ssl_session_cache line to your default_server. Alternatively, if you'd like that configuration the work across all of your nginx virtual servers (which I would recommend), you could move the ssl_session_cache line outside of the server declaration, so it applies to all of them.
Here's the configuration I use:
# All your server-wide SSL configuration
# Enable SSL session caching for improved performance
# http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache
ssl_session_cache shared:ssl_session_cache:10m;
server {
# All your normal virtual server configuration
}
Sources:
I tested both options on my own server and SSL Labs loves it!
This thread on the Nginx mailing list
when you use one server, it be correct. If you have load balance before servers, it may be like this. Because of request can not transmit to same server before. I suggest ssl_session_tickets.