certbot using weak diffie hellman encryption
I was reading here
If I verify security on
https://www.ssllabs.com/ssltest/analyze.html
of one of my sites using certbot I get rated B because of that
is there a solution?
certbot basically is the implementation of https://letsencrypt.org/ for many systems.
I just ran into the same problem. The core issue is described here: https://weakdh.org/
As I understand it, most web servers start Diffie-Hellman with the same default set of prime numbers, and this was later found to be a security flaw. The fix is to generate new primes for your site's Diffie-Hellman key negotiation. This page has details: https://weakdh.org/sysadmin.html
In short, run openssl dhparam -out dhparams.pem 2048, and then add the path to the resulting file in your nginx server config block:
ssl_dhparam {path to dhparams.pem};
For example, I put mine in /etc/letsencrypt, so I ran
sudo openssl dhparam -out /etc/letsencrypt/dhparams.pem 2048
and added
ssl_dhparam /etc/letsencrypt/dhparams.pem;
under the other Certbot config lines in my server block.
After restarting nginx with sudo service nginx restart I got an A grade on ssllabs.com.
I hope this helps.
- How to import a zscaler certificate into Git
- ERR_CERT_REVOKED only on Smartphones (connection is not secure)
- curl: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate
- Unable to find valid certification path to requested target - error even after cert imported
- Puppet after 5 years, when certificates expire?
- Certificate Rebind in IIS 10 using powershell
- Python - requests.exceptions.SSLError - dh key too small
- SSL error unsafe legacy renegotiation disabled
- "SSL certificate verify failed" using pip to install packages
- Spring 5 WebClient using ssl
- Gitlab doesn't loads new ssl cert and key
- Jetty Invalid SNI issue even when certificate is correct
- SSL on JBOSS AS 7
- "aborting due to insecure configuration" while configuring TLS on Rust rocket server
- How to wrap net.Conn.Read() in Golang
- " An operation was attempted on something that is not a socket" when I try to add SSL authentication
- Error Importing SSL certificate : Not an X.509 Certificate
- SSL verification error at depth 0: unable to get local issuer certificate (20)
- Keycloak SSL setup using docker image
- Make OpenSSL accept expired certificates
- .NET Framework equivalent of IApplicationBuilder.UseForwardedHeaders()
- Setting up SSL on a local xampp/apache server
- Problem when installing Python from source, SSL package missing even though openssl installed
- NGINX to reverse proxy websockets AND enable SSL (wss://)?
- Is it safe sharing Self-signed certificate to other persons?
- curl - Is data encrypted when using the --insecure option?
- SSL certificate installation on Wildfly server
- Enable SSL for my WCF service
- Gracefully Shutdown TLS connection in C OpenSSL
- Google Chrome localhost | NET::ERR_CERT_AUTHORITY_INVALID