SSL Comodo SSL cert from gogetssl still signed with SHA-1 ?

Discussion in 'Domains, DNS, Email & SSL Certificates' started by nVidian, May 21, 2015.

  1. nVidian

    nVidian Member

    97
    8
    8
    Mar 16, 2015
    Ratings:
    +31
    Local Time:
    11:01 PM
    1.7.9
    5.5
    Hi all, I bought 2 Comodo SSL certs (Positive & Essential) from gogetssl, and they both got a warning from Chrome.

    Created the key from their key generator with SHA-2 checked. Installed the SSL cert and Firefox showed no error.

    Then I checked with Chrome and it had the warning "site uses weak signature SHA-1 ... so your connection may not be private".

    Checked with shaaaaaaaaaaaaa.com - although at the top there is "Nice ... bla..bla.. has a verifiable certificate chain signed with SHA-2." it also shows
    "SSL certificates are signed using a one-way hash — usually SHA-1.
    Which is too bad, because SHA-1 is becoming dangerously weak. It's time to upgrade to SHA-2."


    Also checked with SSL Server Test (Powered by Qualys SSL Labs) and got a B rating. It showed like this:
    Funnily, I even checked the gogetssl site itself with shaaaaaaaaaaaaa.com and it said
    I already asked gogetssl to clarify this; they denied it and proved it with www.sslshopper.com/ssl-checker, which shows no error. But when I looked at the bottom of the page:
    So, is my SSL cert signed with SHA-1 or SHA-2? Any opinion on what I should do?

    Thanks.
     
    Last edited: May 21, 2015
  2. nVidian

    Seriously, about shaaaaaaaaaaaaa.com, which information is correct?
    At the top it said
    But it also showed
    So according to shaaaaaaaaaaaaa.com, is the SSL cert signed with SHA-1 or SHA-2?
     
  3. eva2000

    eva2000 Administrator Staff Member

    54,340
    12,198
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,763
    Local Time:
    2:01 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
  4. nVidian

  5. eva2000

    Could be a separate warning regarding your SSL cert and not the CA root? The only way to tell is if you post the actual ssllabs test run result from SSL Server Test (Powered by Qualys SSL Labs).
     
  6. nVidian

    Hi George, this is the screenshot from ssllabs:
    [IMG]
     
    Last edited: May 21, 2015
  7. eva2000

    It's just the root CA that is SHA-1, so it should be fine, unless something changed in Chrome's warnings. Screenshot for Chrome?
     
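Why a SHA-1 signature on the root alone is harmless, shown as an added example that is not code from any poster or from Centmin Mod: a stdlib-only Python script that walks the DER of each certificate in a PEM bundle, reads the outer signatureAlgorithm OID, and treats SHA-1 as a problem only on a certificate that is not self-signed, since a client trusts a root by identity and never verifies the root's own signature. The sample chain is constructed (dummy, unsigned certificates that only have the right DER layout) and the "Demo ..." names are invented; `chain_report` can be pointed at the text of a real `.ca-bundle` file to inspect an actual chain.

```python
import base64
import re

# Signature algorithm OIDs this example recognises (dotted form -> name, hash family).
SIG_ALGS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-2"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-2"),
}

def _tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]: (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split a constructed DER value into [(tag, value), ...]."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = _tlv(value, pos)
        out.append((tag, v))
    return out

def _oid_to_str(raw):
    """Decode an OBJECT IDENTIFIER value into dotted notation."""
    parts, acc = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)

def inspect_cert(der):
    """Return the outer signature algorithm of one DER certificate and whether it is self-signed."""
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    tbs, sig_alg, _sig = _children(_tlv(der, 0)[1])
    oid = _oid_to_str(_children(sig_alg[1])[0][1])
    fields = _children(tbs[1])
    if fields[0][0] == 0xA0:               # optional EXPLICIT [0] version
        fields = fields[1:]
    # tbsCertificate continues: serialNumber, signature, issuer, validity, subject, ...
    issuer, subject = fields[2][1], fields[4][1]
    name, family = SIG_ALGS.get(oid, (oid, "unknown"))
    return {"algorithm": name, "hash": family, "self_signed": issuer == subject}

def chain_report(pem_text):
    """Classify every certificate in a PEM bundle.

    SHA-1 on a leaf or intermediate is 'weak'; on a self-signed root it is
    'ignored' because the client trusts the root by identity and never
    verifies the root's self-signature."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    report = []
    for b64 in blocks:
        info = inspect_cert(base64.b64decode("".join(b64.split())))
        if info["hash"] != "SHA-1":
            info["verdict"] = "ok"
        elif info["self_signed"]:
            info["verdict"] = "ignored (root self-signature is not verified)"
        else:
            info["verdict"] = "weak"
        report.append(info)
    return report

# --- constructed sample chain: unsigned dummies, not real Comodo certificates ---
OID_SHA1_RSA = bytes.fromhex("2a864886f70d010105")
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")

def _der(tag, content):
    """Minimal DER encoder used only to build the sample certificates."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content

def _name(cn):
    """Name ::= SEQUENCE OF SET OF { OID commonName (2.5.4.3), UTF8String }."""
    atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))

def fake_cert_pem(subject, issuer, sig_oid):
    """Build a structurally valid but unsigned certificate for demonstration only."""
    alg = _der(0x30, _der(0x06, sig_oid) + b"\x05\x00")
    validity = _der(0x30, _der(0x17, b"150101000000Z") + _der(0x17, b"250101000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + _name(issuer) + validity + _name(subject) + _der(0x30, b""))
    der = _der(0x30, tbs + alg + _der(0x03, b"\x00" * 17))   # dummy signature bits
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

SAMPLE_CHAIN = (
    fake_cert_pem("mydomain.tld", "Demo Intermediate CA", OID_SHA256_RSA)
    + fake_cert_pem("Demo Intermediate CA", "Demo Root CA", OID_SHA256_RSA)
    + fake_cert_pem("Demo Root CA", "Demo Root CA", OID_SHA1_RSA)
)

if __name__ == "__main__":
    for entry in chain_report(SAMPLE_CHAIN):
        print(entry)
```

On the sample chain the leaf and intermediate come back `ok` and the SHA-1 root comes back `ignored`, which is the situation the thread describes; a SHA-1 leaf or intermediate would come back `weak`, and that is the only case a browser warning about weak signatures should be traced to the certificate chain rather than to the cipher suite.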
  8. nVidian

    Here's the Chrome warning screenshot:
    [IMG]
     
  9. eva2000

    I think it's your SSL cipher preference order, as yours says AES_128_GCM and uses RSA as the key exchange mechanism as opposed to

    [IMG: upload_2015-5-22_0-28-53.png]

    What OS and Chrome browser are you viewing the site from? Chrome from the ssllabs browser list should negotiate with the ECDHE_RSA key exchange mechanism, not RSA.

    Post your site's nginx domain.com.conf vhost config file with full SSL settings and make sure the SSL ciphers are from the updated guide at Nginx HTTPS / SSL Google SPDY configuration.

    Also set up your dhparam file as per Nginx HTTPS / SSL Google SPDY configuration.
     
  10. nVidian

    I view the site from:
    OS: Windows 7 SP1
    Chrome Version 43.0.2357.65 m

    The site itself is on an ispconfig panel that I used for a mail server only. This is the vhost file:
    Code:
    server {
        listen *:80;
        listen *:443 ssl;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_certificate /var/www/clients/client1/web1/ssl/mydomain.tld.crt;
        ssl_certificate_key /var/www/clients/client1/web1/ssl/mydomain.tld.key;

        server_name mydomain.tld www.mydomain.tld;

        root /var/www/mydomain.tld/web;

        if ($scheme != "https") {
            rewrite ^ https://mydomain.tld$request_uri? permanent;
        }

        if ($http_host = "www.mydomain.tld") {
            rewrite ^ $scheme://mydomain.tld$request_uri? permanent;
        }

        index index.html index.htm index.php index.cgi index.pl index.xhtml;

        error_page 400 /error/400.html;
        error_page 401 /error/401.html;
        error_page 403 /error/403.html;
        error_page 404 /error/404.html;
        error_page 405 /error/405.html;
        error_page 500 /error/500.html;
        error_page 502 /error/502.html;
        error_page 503 /error/503.html;
        recursive_error_pages on;
        location = /error/400.html {
            internal;
        }
        location = /error/401.html {
            internal;
        }
        location = /error/403.html {
            internal;
        }
        location = /error/404.html {
            internal;
        }
        location = /error/405.html {
            internal;
        }
        location = /error/500.html {
            internal;
        }
        location = /error/502.html {
            internal;
        }
        location = /error/503.html {
            internal;
        }

        error_log /var/log/ispconfig/httpd/mydomain.tld/error.log;
        access_log /var/log/ispconfig/httpd/mydomain.tld/access.log combined;

        location ~ /\. {
            deny all;
            access_log off;
            log_not_found off;
        }

        location = /favicon.ico {
            log_not_found off;
            access_log off;
        }

        location = /robots.txt {
            allow all;
            log_not_found off;
            access_log off;
        }

        location /stats/ {
            index index.html index.php;
            auth_basic "Members Only";
            auth_basic_user_file /var/www/clients/client1/web1/web/stats/.htpasswd_stats;
        }

        location ^~ /awstats-icon {
            alias /usr/share/awstats/icon;
        }

        location ~ \.php$ {
            try_files /084a51ae04f2848ed7818a703a05971c.htm @php;
        }

        location @php {
            try_files $uri =404;
            include /etc/nginx/fastcgi_params;
            fastcgi_pass unix:/var/lib/php5-fpm/web1.sock;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_intercept_errors on;
        }
    }
    
     
  11. eva2000

    There's ya problem, it ain't the Centmin Mod Nginx SPDY/3.1 SSL setup ;) As such you're on your own for the rest - Nginx HTTPS / SSL Google SPDY configuration has clues for the SSL cipher list order preferences to use etc., and dhparam still applies; just the directories/paths will differ as you aren't using Centmin Mod.
     
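What the cipher-order and dhparam advice amounts to in a vhost, as an added example that is not code from any poster or from Centmin Mod's guide: a small Python audit that scans an nginx server block for the TLS directives this thread keeps coming back to (`ssl_ciphers`, `ssl_prefer_server_ciphers`, `ssl_dhparam`) and reports what is missing or mis-set. The two vhosts are constructed, one modelled on the posted config and one with the directives added; the certificate paths and the cipher string are illustrative choices, not Centmin Mod's settings.

```python
import re

# Directives a hardened HTTPS vhost should carry, with the consequence of omitting each.
REQUIRED = {
    "ssl_ciphers": "nginx falls back to the OpenSSL default cipher list and order",
    "ssl_prefer_server_ciphers": "the browser picks the suite and may settle for plain RSA key exchange",
    "ssl_dhparam": "DHE suites have no custom parameters and are effectively unavailable",
}

def directives(conf_text):
    """Collect single-line 'name value...;' directives as {name: [[values], ...]}.

    Comments are stripped; block nesting is ignored because only the presence
    and values of the TLS directives matter for this audit."""
    text = re.sub(r"#.*", "", conf_text)
    found = {}
    for m in re.finditer(r"(?m)^[ \t]*([a-z_]+)[ \t]+([^;{}\n]+?)[ \t]*;", text):
        found.setdefault(m.group(1), []).append(m.group(2).split())
    return found

def audit_tls(conf_text):
    """Return a list of findings; an empty list means the vhost passed every check."""
    d = directives(conf_text)
    if not any("ssl" in values for values in d.get("listen", [])):
        return ["no 'listen ... ssl' directive: vhost does not terminate TLS"]
    findings = [f"missing {name}: {why}" for name, why in REQUIRED.items() if name not in d]
    if d.get("ssl_prefer_server_ciphers", [["on"]])[-1] != ["on"]:
        findings.append("ssl_prefer_server_ciphers is off: client cipher order wins")
    if "ssl_ciphers" in d and "ECDHE" not in d["ssl_ciphers"][-1][0]:
        findings.append("ssl_ciphers has no ECDHE suites: no forward secrecy with an RSA certificate")
    if any(p.startswith("SSLv") for p in d.get("ssl_protocols", [[]])[-1]):
        findings.append("ssl_protocols still enables SSLv2/SSLv3")
    return findings

# Constructed vhost modelled on the one posted above: TLS is on, but no cipher policy at all.
POSTED_STYLE_VHOST = """
server {
    listen *:80;
    listen *:443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_certificate /etc/ssl/certs/mydomain.tld.crt;        # placeholder path
    ssl_certificate_key /etc/ssl/private/mydomain.tld.key;  # placeholder path
    server_name mydomain.tld www.mydomain.tld;
}
"""

# Same vhost with the three directives added; the cipher string is an illustrative
# ECDHE-first list, not the one from Centmin Mod's guide.
HARDENED_VHOST = """
server {
    listen *:80;
    listen *:443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_certificate /etc/ssl/certs/mydomain.tld.crt;
    ssl_certificate_key /etc/ssl/private/mydomain.tld.key;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:!aNULL:!MD5:!RC4";
    ssl_dhparam /etc/ssl/dhparam.pem;   # generated with: openssl dhparam -out dhparam.pem 2048
    server_name mydomain.tld www.mydomain.tld;
}
"""

if __name__ == "__main__":
    for label, conf in (("posted-style", POSTED_STYLE_VHOST), ("hardened", HARDENED_VHOST)):
        print(label, audit_tls(conf) or ["clean"])
```

Run against the posted-style vhost the audit reports the three missing directives, which matches the diagnosis in the thread: with no server-side cipher preference Chrome 43 can end up on a plain RSA key exchange and flag the connection as using obsolete cryptography even though the certificate chain is SHA-2.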
  12. nVidian

    I understand it's not centminmod. I'll report later if I have an SSL problem on my centminmod setup.
     
  13. Jemekite

    Jemekite New Member

    12
    5
    3
    Jun 10, 2015
    Indonesia
    Ratings:
    +9
    Local Time:
    11:01 PM
    1.9.2
    MariaDB 10
    Hi,
    If you're using PositiveSSL, just remove the weak root CA from the bundle. Here is my current CA bundle for Comodo Positive SSL:
    Code:
    https://gist.github.com/jemekite/829fbc59b68fb0a702e8
    Also add this to your nginx config:
    Code:
    ssl_trusted_certificate /etc/ssl/certs/PositiveSSL.ca-bundle;
    [IMG]