
Letsencrypt Letsencrypt failed ssl renewal

Discussion in 'Domains, DNS, Email & SSL Certificates' started by Jon Snow, Nov 12, 2017.

  1. eva2000
    Those are normal, as those are deprecated clients which modern SSL certs won't support, so they can be ignored. Modern secure SSL ciphers won't be able to support those clients anymore, unfortunately. WinXP users can somewhat, if they use the latest Firefox browser instead of IE8.
     
  2. Jon Snow
    A competitor site loads on the browser when my site doesn't. The only difference according to the SSL checking site is that their site uses weaker ciphers. They use the same Letsencrypt certificate.
     
  3. eva2000
    Yeah, that is a choice though, for weaker ciphers. If you do that, then edit the nginx SSL vhost domain.com.ssl.conf, comment out the existing ssl_ciphers line and add a new one for
    Code (Text):
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    

    restart nginx
     
  4. Jon Snow
    That worked. What is the downside of doing this? Weaker doesn't mean better, but I just want the technical details >.<
     
  5. eva2000
    Basically your site is less secure, i.e. leaking private encrypted data/cookies so attackers could log into your sites etc., and it is less secure for visitors visiting your site. Though your visitors using such outdated clients/OS are already insecure.

    ssllabs/research

    i.e. RC4 ciphers: It is official: RC4 is broken. CVE-2015-2808 | Qualys Community

    Deprecating the RC4 Cipher

    RC4 NOMORE
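As an added example (not code from the thread or from Centmin Mod), here is a small Python checker that splits the widened ssl_ciphers value from post 3 and flags, per suite, the properties the replies above trade away: forward secrecy, AEAD mode, SHA-1 MACs, 3DES and RC4. The category labels and the name-based heuristics are my own assumptions, not OpenSSL's.

```python
import re

# The widened ssl_ciphers value from post 3 above, split for readability.
WIDENED_LIST = (
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:"
    "DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:"
    "EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:"
    "AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
)


def suite_issues(name):
    """Weaknesses of one OpenSSL suite name (empty list = modern suite).
    Heuristics are my own; labels are constructed for this example."""
    issues = []
    if not re.match(r"^(ECDHE|DHE|EDH)-", name):
        issues.append("no-forward-secrecy")   # static RSA key exchange
    if "DES-CBC3" in name or "3DES" in name:
        issues.append("3des")                 # 64-bit block cipher
    if "RC4" in name:
        issues.append("rc4")                  # the broken cipher linked above
    if "GCM" not in name and "CHACHA20" not in name:
        issues.append("not-aead")             # CBC/stream + separate MAC
    if name.endswith("-SHA"):
        issues.append("sha1-mac")             # HMAC-SHA1 record integrity
    return issues


def classify(cipher_list):
    """Map each positive suite in an ssl_ciphers string to its issues.
    Exclusions (!DSS) and keyword entries (no hyphen, e.g. HIGH) are skipped."""
    out = {}
    for entry in cipher_list.split(":"):
        entry = entry.strip()
        if not entry or entry[0] in "!-+@" or "-" not in entry:
            continue
        out[entry] = suite_issues(entry)
    return out


def flagged(cipher_list):
    """Names of the suites that carry at least one issue."""
    return [n for n, iss in classify(cipher_list).items() if iss]


if __name__ == "__main__":
    for suite, iss in classify(WIDENED_LIST).items():
        print(f"{suite:32s} {', '.join(iss) or 'ok'}")
```

Run against the thread's list it reports 8 modern suites and 22 flagged ones, which is the concrete cost behind "less secure" in post 5.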
