I was reading here
If I verify security on https://www.ssllabs.com/ssltest/analyze.html for one of my sites using certbot, I get rated B because of that. Is there a solution?
certbot is basically the implementation of https://letsencrypt.org/ for many systems.
I just ran into the same problem. The core issue is described here: https://weakdh.org/
As I understand it, most web servers start Diffie-Hellman with the same default set of prime numbers, and this was later found to be a security flaw. The fix is to generate new primes for your site's Diffie-Hellman key negotiation. This page has details: https://weakdh.org/sysadmin.html
In short, run openssl dhparam -out dhparams.pem 2048, and then add the path to the resulting file in your nginx server config block:
ssl_dhparam {path to dhparams.pem};
For example, I put mine in /etc/letsencrypt, so I ran
sudo openssl dhparam -out /etc/letsencrypt/dhparams.pem 2048
and added
ssl_dhparam /etc/letsencrypt/dhparams.pem;
under the other Certbot config lines in my server block.
After restarting nginx with sudo service nginx restart, I got an A grade on ssllabs.com.
I hope this helps.
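The procedure above (generate a 2048-bit dhparams file, point nginx's ssl_dhparam at it, restart nginx) as one added shell script. This is example code written for this page, not the answerer's own commands. It adds the two checks a practitioner usually wants before trusting the file: it reads the group size back out of the PEM with openssl dhparam -text and refuses anything below the requested size, and it only reloads nginx after nginx -t passes, so a typo in the server block cannot take the site down. The paths and the DH_OUT/DH_BITS variables are assumptions, and nginx -t plus systemctl reload nginx is used here in place of the answer's service nginx restart.

```bash
#!/bin/sh
# Added example for this page (not the original poster's code).
# Generate DH parameters for nginx, verify their size, print the directive
# to add, and reload nginx only if the configuration test passes.
# Assumptions (not from the page): DH_OUT / DH_BITS defaults below, and that
# "nginx -t && systemctl reload nginx" is how nginx is reloaded on this host.
set -eu

DH_OUT="${DH_OUT:-/etc/letsencrypt/dhparams.pem}"
DH_BITS="${DH_BITS:-2048}"

# Pull the modulus size out of `openssl dhparam -text` output, whose first
# line looks like "    DH Parameters: (2048 bit)". Reads the text from stdin
# and prints just the number (nothing if the text is not a dhparam dump).
dh_bits_from_text() {
    sed -n 's/.*DH Parameters: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Succeed (exit 0) only if BITS ($1) is a number at least MIN ($2, default 2048).
dh_bits_ok() {
    bits="$1"; min="${2:-2048}"
    [ -n "$bits" ] && [ "$bits" -ge "$min" ]
}

# The nginx directive that wires the file into a server block.
nginx_dhparam_directive() {
    printf 'ssl_dhparam %s;\n' "$1"
}

# Group size of an existing PEM file (empty string if it cannot be parsed).
dh_bits_of_file() {
    openssl dhparam -in "$1" -noout -text 2>/dev/null | dh_bits_from_text
}

main() {
    if [ -f "$DH_OUT" ] && dh_bits_ok "$(dh_bits_of_file "$DH_OUT")" "$DH_BITS"; then
        echo "reusing existing $DH_OUT ($(dh_bits_of_file "$DH_OUT") bit)"
    else
        # Safe-prime generation at 2048 bits can take several minutes; that is normal.
        umask 022
        openssl dhparam -out "$DH_OUT" "$DH_BITS"
    fi

    # Sanity checks: the parameters pass openssl's own validation and the
    # group is at least as large as requested (weakdh.org's point is that
    # small, shared groups are the problem).
    openssl dhparam -in "$DH_OUT" -noout -check
    bits="$(dh_bits_of_file "$DH_OUT")"
    dh_bits_ok "$bits" "$DH_BITS" || { echo "DH group too small: $bits bit" >&2; exit 1; }

    echo "add this line to the server block, next to the Certbot-managed ssl_* lines:"
    nginx_dhparam_directive "$DH_OUT"

    # Reload only after the config test passes, so a broken config is never loaded.
    if command -v nginx >/dev/null 2>&1; then
        nginx -t && systemctl reload nginx
    fi
}

# Run main only when this file is executed as dhparams.sh (assumed name),
# so the functions can also be sourced and tested without touching the system.
case "${0##*/}" in
    dhparams.sh) main "$@" ;;
esac
```

Save it as dhparams.sh and run it with sudo (the output path under /etc/letsencrypt is root-owned). Rerunning is safe: an existing file of sufficient size is reused rather than regenerated.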