alexalouit / ISPConfig-letsencrypt

Let's Encrypt support for ISPConfig

SSLCertificateChainFile directive needed #7

Closed blue-hound closed 8 years ago

blue-hound commented 8 years ago

Qualys SSL Labs returns the following when testing a Let's Encrypt-certified domain with the current ISPConfig plugin.

This server's certificate chain is incomplete. Grade capped to B.

Adding SSLCertificateChainFile directive to the virtual host file and pointing it to the chain.pem file generated by the LE client solves this issue.

alexalouit commented 8 years ago

The default ISPConfig Apache template does not support the SSLCertificateChainFile directive. I'm looking for a solution that does not override the original template.

alexalouit commented 8 years ago

Does using fullchain instead of chain do the trick? (see 599d73b54549d808e3d05c3a98c4729d942edd5f)

WKnak commented 8 years ago

Confirmed. I was able to get an "A" on SSL Labs by manually including these directives:

see here: https://community.letsencrypt.org/t/solved-beta-no-trusted-certificate/2674/25

  SSLEngine on
  SSLProtocol             all -SSLv2 -SSLv3
  SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
  SSLHonorCipherOrder     on
  SSLCompression          off
  ServerSignature Off
  SSLCertificateFile /etc/letsencrypt/live/[domain]/cert.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/[domain]/privkey.pem
  SSLCertificateChainFile /etc/letsencrypt/live/[domain]/chain.pem

WKnak commented 8 years ago

Is the Chain property the same as the Bundle?

https://github.com/sjau/le2ispc/blob/master/le2ispc#L225

blue-hound commented 8 years ago

With SSLCACertificateFile pointed to my chain.pem file via symlink I get an A on SSL Labs. So that seems to work.

blue-hound commented 8 years ago

I asked about the difference between the two directives on the Lets Encrypt forum and got this response: https://community.letsencrypt.org/t/apache-directives/5879

Not sure what happens if we point the SSLCACertificateFile to the fullchain.pem file.

alexalouit commented 8 years ago

See 3d4bfa4de298331405f79a05863509968df35a75.

blue-hound commented 8 years ago

I am not sure if I am confusing the issue further or not. According to the LE docs for their client, the SSLCertificateChainFile directive should point to chain.pem. It goes on to say that the fullchain.pem file is for nginx. I have asked for further direction on the LE Community website on the use of SSLCACertificateFile to see if we can point at that.

According to GoDaddy (not the best source, I'm sure), the directives to use depend on whether you are using Apache 2.8.4+ or not. Apparently, if you are <2.8.4 (as I am) you should use SSLCertificateChainFile, but if you are 2.8.4+ then SSLCertificateChainFile is deprecated according to http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcertificatechainfile

https://ca.godaddy.com/help/installing-an-ssl-certificate-in-apache-centos-5238
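The distinction the thread keeps circling back to (cert.pem on its own versus cert.pem plus chain.pem, or fullchain.pem) can be reproduced offline. The script below is an added example and is not code from the ISPConfig-letsencrypt project or from anyone in this thread. It builds a throwaway root -> intermediate -> leaf PKI with the openssl command line, writes the files under the names certbot uses (cert.pem, chain.pem, fullchain.pem, privkey.pem) and then checks whether the leaf validates against the root with and without the intermediate. The directory layout, the names Example-Root and Example-Intermediate, the hostname www.example.test and the function names are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the ISPConfig-letsencrypt project or this thread.
# Builds a throwaway root -> intermediate -> leaf PKI with the openssl CLI, lays the
# files out with the names certbot uses (cert.pem, chain.pem, fullchain.pem, privkey.pem)
# and shows that the leaf only validates when the intermediate is also available.
# Names (Example-Root, Example-Intermediate, www.example.test) are invented.
set -eu

# make_test_pki DIR: writes root.pem (trust anchor), chain.pem (intermediate),
# cert.pem + privkey.pem (leaf) and fullchain.pem (cert.pem followed by chain.pem) into DIR.
make_test_pki() {
    dir=$1
    # One config for every request; the DN is always overridden with -subj.
    cat > "$dir/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
    # Self-signed root: what a browser has in its trust store.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 2 -config "$dir/pki.cnf" \
        -extensions ca_ext -subj /CN=Example-Root \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    # Intermediate signed by the root: this is the certificate chain.pem carries.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/pki.cnf" \
        -subj /CN=Example-Intermediate -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -extfile "$dir/pki.cnf" -extensions ca_ext -out "$dir/chain.pem" 2>/dev/null
    # Leaf signed by the intermediate: cert.pem and privkey.pem.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/pki.cnf" \
        -subj /CN=www.example.test -keyout "$dir/privkey.pem" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$dir/leaf.csr" -CA "$dir/chain.pem" -CAkey "$dir/int.key" \
        -CAcreateserial -extfile "$dir/pki.cnf" -extensions leaf_ext -out "$dir/cert.pem" 2>/dev/null
    # fullchain.pem is cert.pem followed by chain.pem, which is how certbot builds it.
    cat "$dir/cert.pem" "$dir/chain.pem" > "$dir/fullchain.pem"
}

# count_certs FILE: number of PEM certificates in a bundle.
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# verify_leaf DIR [BUNDLE]: prints "ok" if cert.pem chains to root.pem using only the
# extra certificates in BUNDLE, "fail" otherwise. No BUNDLE models a client that received
# cert.pem alone, i.e. Apache with SSLCertificateFile cert.pem and no chain directive.
verify_leaf() {
    dir=$1
    if [ $# -ge 2 ]; then
        openssl verify -CAfile "$dir/root.pem" -untrusted "$2" "$dir/cert.pem" >/dev/null 2>&1 && echo ok || echo fail
    else
        openssl verify -CAfile "$dir/root.pem" "$dir/cert.pem" >/dev/null 2>&1 && echo ok || echo fail
    fi
}

# check_served_chain HOST [PORT]: the live version of the same check (needs network).
# Prints how many certificates the server sends in its handshake; a Let's Encrypt site
# that sends just one is missing its intermediate, which SSL Labs reports as an
# incomplete chain.
check_served_chain() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" -showcerts </dev/null 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

work=$(mktemp -d)
make_test_pki "$work"
echo "cert.pem alone:            $(verify_leaf "$work")"
echo "cert.pem + chain.pem:      $(verify_leaf "$work" "$work/chain.pem")"
echo "cert.pem + fullchain.pem:  $(verify_leaf "$work" "$work/fullchain.pem")"
echo "certificates in fullchain: $(count_certs "$work/fullchain.pem")"
rm -rf "$work"
```

Without the intermediate, openssl verify fails with "unable to get local issuer certificate": that is the position a browser is in when Apache serves only cert.pem, and it is why SSL Labs caps the grade. Which directive supplies the intermediate depends on the Apache version: before 2.4.8 the intermediate goes in SSLCertificateChainFile (chain.pem); from 2.4.8 on, which is the version at which the mod_ssl documentation linked above marks SSLCertificateChainFile deprecated, point SSLCertificateFile at fullchain.pem instead, so the leaf and the intermediate are read from one file. check_served_chain is the check to run against the real host after changing the vhost: one certificate in the handshake means the intermediate is still missing.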

blue-hound commented 8 years ago

I have upgraded to Apache 2.4.12. I can confirm that pointing the bundle file to chain.pem gives me an A- on the SSL Labs site. In this version of Apache, pointing SSLCertificateFile to fullchain.pem and commenting out SSLCACertificate also provides an A-.

I'll try out the new patch and see how it goes.

Thanks!