Koozali.org: home of the SME Server

New Certificate Yields a "Signature algorithm SHA1withRSA INSECURE" error

ttech
Hi Everyone.
I have regenerated the self-signed certificate recently following the "How to simply recreate the certificate for SME Server" section of the "useful commands" document. An ssllabs.com test indicates that an insecure "RSA 2048 bits (SHA1withRSA) Signature algorithm" was used. The cert fingerprint AND pin captured by the report both start with "sha256: xxxxetc...". Puzzling! I have a few small domains on the server that rely on that same cert for https sites/email. No complaints from browsers and email clients though (they work, except untrusted due to being self-signed). I use the OpenVPN contrib for remote access also (with some OpenVPN certs in addition).
Is there an obvious setting or interaction between the self-signed and OpenVPN certs that I missed? Would following the "useful commands" procedure delete any old SHA1 certs? The certs were automatically recreated annually up to now, before I checked the server. Are one or all of the OpenVPN certs the cause (SHA1?)? Does that contrib use the SHA1 algorithm? I am not a guru.
I have used and upgraded + updated (current) this server since the v7 era. After resolving this issue, I hope to install Let's Encrypt and retire the self-signed cert.
Thanks in advance for any input!
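Added example (not from the post above, and not SME Server or OpenVPN project code): a small Python script that reads the signatureAlgorithm field out of a certificate's DER and, separately, computes the SHA-256 fingerprint. It shows why a scanner can print a "sha256:" fingerprint for a certificate that is still signed with SHA1withRSA: the fingerprint is a hash the scanner computes over the whole certificate, while the signature algorithm is a field stored inside it. The two toy certificates it builds are constructed placeholders with the correct outer ASN.1 layout and no real signature; the `from_pem` helper is there so the same check can be pointed at a real PEM file, where `openssl x509 -in /path/to/cert.pem -noout -text | grep 'Signature Algorithm'` gives the same answer.

```python
import base64
import hashlib

# Signature algorithm OIDs from RFC 3279 / RFC 4055 (the ones this example knows).
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
WEAK_SIG_ALGS = {"sha1WithRSAEncryption"}  # what ssllabs flags as INSECURE


def der_len(n):
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def read_tlv(buf, pos):
    """Return (tag, body, position after this element) for the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def signature_algorithm(cert_der):
    """Dotted OID and name of the outer signatureAlgorithm of an X.509
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, cert_body, _ = read_tlv(cert_der, 0)
    assert tag == 0x30, "not a SEQUENCE"
    _, _tbs, pos = read_tlv(cert_body, 0)        # skip tbsCertificate
    _, alg_body, _ = read_tlv(cert_body, pos)    # AlgorithmIdentifier SEQUENCE
    tag, oid_body, _ = read_tlv(alg_body, 0)
    assert tag == 0x06, "AlgorithmIdentifier must start with an OID"
    oid = decode_oid(oid_body)
    return oid, SIG_ALG_OIDS.get(oid, "unknown")


def fingerprint_sha256(cert_der):
    """The 'sha256:' fingerprint a scanner prints: a hash OVER the certificate,
    computed by the tool, unrelated to the hash used INSIDE the signature."""
    return hashlib.sha256(cert_der).hexdigest()


def from_pem(pem_text):
    """Strip the PEM armour lines and base64-decode to DER."""
    b64 = "".join(l.strip() for l in pem_text.splitlines() if not l.startswith("-----"))
    return base64.b64decode(b64)


def make_toy_cert(sig_oid):
    """Constructed placeholder (NOT a valid certificate): right outer shape,
    dummy tbsCertificate and an all-zero signatureValue, used only for the demo."""
    tbs = der(0x30, der(0x02, b"\x01"))                       # SEQUENCE { INTEGER 1 }
    alg = der(0x30, der_oid(sig_oid) + der(0x05, b""))       # OID + NULL parameters
    sig = der(0x03, b"\x00" + b"\x00" * 32)                  # BIT STRING placeholder
    return der(0x30, tbs + alg + sig)


def assess(cert_der):
    oid, name = signature_algorithm(cert_der)
    return {"oid": oid, "signature_algorithm": name,
            "weak": name in WEAK_SIG_ALGS, "fingerprint_sha256": fingerprint_sha256(cert_der)}


if __name__ == "__main__":
    for label, oid in (("SHA1-signed", "1.2.840.113549.1.1.5"), ("SHA256-signed", "1.2.840.113549.1.1.11")):
        print(label, assess(make_toy_cert(oid)))
```

Both toy certificates get a "sha256:"-style fingerprint, yet only the first is flagged weak, which is exactly the situation in the report: the pin and fingerprint lines say nothing about the signature hash. Applied to a real PEM (`assess(from_pem(open(path).read()))`), the `signature_algorithm` value is what needs to read sha256WithRSAEncryption or stronger.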