Koozali.org: home of the SME Server

Lets encrypt Unsafe TLS

jameswilson (Security Warehouse, trade security equipment)
Lets encrypt Unsafe TLS
« on: February 20, 2019, 08:02:02 PM »
I have a friend's SME that I am adding this contrib to.
I have followed the wiki, and Let's Encrypt completes without errors in test mode and in production;
however, now when accessing any https page I get an error:

Cannot securely connect to this page
This might be because the site uses outdated or unsafe TLS security settings. If this keeps happening, try contacting the website’s owner.

I have checked that
Quote
modSSL=service
    CertificateChainFile=/etc/dehydrated/certs/wakefield-security.com/chain.pem
    TCPPort=443
    access=public
    crt=/etc/dehydrated/certs/wakefield-security.com/cert.pem
    key=/etc/dehydrated/certs/wakefield-security.com/privkey.pem
    status=enabled

When running the command
Quote
[root@borris ~]# dehydrated -c -x
# INFO: Using main config file /etc/dehydrated/config
Processing wakefield-security.com with alternative names: mail.wakefield-security.com borris.wakefield-security.com
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till May 21 17:42:53 2019 GMT (Longer than 30 days). Ignoring because renew was forced!
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting authorization for wakefield-security.com...
 + Requesting authorization for mail.wakefield-security.com...
 + Requesting authorization for borris.wakefield-security.com...
 + 3 pending challenge(s)
 + Deploying challenge tokens...
 + Responding to challenge for wakefield-security.com authorization...
 + Challenge is valid!
 + Responding to challenge for mail.wakefield-security.com authorization...
 + Challenge is valid!
 + Responding to challenge for borris.wakefield-security.com authorization...
 + Challenge is valid!
 + Cleaning challenge tokens...
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
 + Using cached chain!
Set up modSSL db keys
Signal events
All complete
 + Done!
I'm assuming I have something left over from a previous version of SME, as this server started life as SME 7 and used affa to move from 7 to 8 to 9,
but I don't know where. There was a cipher property that I removed, but that hasn't helped.
Any ideas please?

James

jameswilson
Re: Lets encrypt Unsafe TLS
« Reply #1 on: February 21, 2019, 03:37:08 PM »
Some more info from the webpage error when connecting to any https page

Quote
Secure Connection Failed

An error occurred during a connection to mail.wakefield-security.com. Peer using unsupported version of security protocol. Error code: SSL_ERROR_UNSUPPORTED_VERSION

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem.


ReetP
Re: Lets encrypt Unsafe TLS
« Reply #2 on: February 21, 2019, 04:47:14 PM »
Hard to tell without more info.

Seems the certs are being generated correctly.

First thing is to check for any non standard/custom httpd templates.

Check your httpd config settings, and your db accounts settings for each ibay.

Do you have any other contribs installed? Where does the website point to on the server? An ibay or a different directory?

Don't remove things like Cipher settings unless you absolutely know what you are doing. Which key did you delete??

Post back with some info and someone may be able to help.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
Re: Lets encrypt Unsafe TLS
« Reply #3 on: February 21, 2019, 07:38:53 PM »
What would help is to read the presented certificate to see the issue and expiration date, the domains and the issuer.

From the modSSL config we see at least that the generation has ended and updated the path to the certificate. But from my experience it is hard to know if this is the test one or the live one. Also it does not assure you that the httpd server was actually restarted, nor that the template has been expanded.

Also, as it is an old server updated since SME 7, one could have a custom template hiding the needed fragments for Let's Encrypt.

/sbin/e-smith/audittools/templates


Should give info on this.

And to check any error on expanding template try

expand-template /etc/httpd/conf/httpd.conf


Also to see error related:
httpd -t
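One way to do the check Jean-Philippe describes (read the certificate actually presented on port 443 and report its issuer, expiry and covered names), as an added example that is not code from this thread or from SME Server. The sample certificate dict is constructed in the shape Python's getpeercert() returns, with names and expiry mirroring the dehydrated output quoted above; the issuer fields and the substring test for Let's Encrypt are assumptions.

```python
import socket
import ssl
import time

def fetch_served_cert(host, port=443, timeout=5):
    """Handshake with the live host; return (negotiated TLS version, getpeercert() dict).
    If something other than SME answers on 443, a handshake failure surfaces as ssl.SSLError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert()

def rdn_value(rdns, key):
    """Pull one attribute (e.g. commonName) out of getpeercert()'s subject/issuer tuples."""
    return next((v for rdn in rdns for k, v in rdn if k == key), None)

def name_matches(pattern, host):
    """Exact DNS name match, or a single wildcard in the leftmost label only."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    return all(a == b or (a == "*" and i == 0) for i, (a, b) in enumerate(zip(p, h)))

def audit_cert(cert, host, now=None):
    """Summarise the served certificate: issuer, days left, SANs, and whether it covers `host`."""
    now = time.time() if now is None else now
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    issuer_o = rdn_value(cert["issuer"], "organizationName") or ""
    issuer_cn = rdn_value(cert["issuer"], "commonName") or ""
    return {
        "issuer": f"{issuer_o} / {issuer_cn}",
        "is_letsencrypt": "Let's Encrypt" in issuer_o,   # assumed marker, substring on O=
        "days_left": int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400),
        "sans": sans,
        "covers_host": any(name_matches(n, host) for n in sans),
    }

# Constructed sample in the shape getpeercert() returns; names and expiry mirror
# the dehydrated run quoted in the thread, the issuer fields are assumed.
SAMPLE_CERT = {
    "subject": ((("commonName", "wakefield-security.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),),
               (("commonName", "Let's Encrypt Authority X3"),)),
    "notAfter": "May 21 17:42:53 2019 GMT",
    "subjectAltName": (("DNS", "wakefield-security.com"),
                       ("DNS", "mail.wakefield-security.com"),
                       ("DNS", "borris.wakefield-security.com")),
}
```

For a live check, feed `fetch_served_cert(host)[1]` to `audit_cert` and compare the result with what dehydrated reported; a handshake error instead of a certificate points at whatever device is answering port 443 rather than at the certificate itself.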

jameswilson
Re: Lets encrypt Unsafe TLS
« Reply #4 on: March 07, 2019, 10:02:16 PM »
Quote
What would help is to read the presented certificate to see the issue and expiration date, the domains and the issuer.

/sbin/e-smith/audittools/templates


Should give info on this.

And to check any error on expanding template try

expand-template /etc/httpd/conf/httpd.conf
/etc/e-smith/templates-custom/etc/dhcpd.conf/25LeaseTimeDefault: OWNED_BY_RPM, OVERRIDE
/etc/e-smith/templates-custom/etc/dhcpd.conf/25DomainNameServers: OWNED_BY_RPM, OVERRIDE
/etc/e-smith/templates-custom/etc/dhcpd.conf/25LeaseTimeMax: OWNED_BY_RPM, OVERRIDE
/etc/e-smith/templates-custom/etc/dhcpd.conf/25Routers: OWNED_BY_RPM, OVERRIDE
/etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients/10CustomAllowRelay: MANUALLY_ADDED, ADDITION

Quote
Also to see error related:
httpd -t
[root@bo ~]# httpd -t
Syntax OK

hopefully the above helps?


jameswilson
Re: Lets encrypt Unsafe TLS
« Reply #5 on: March 07, 2019, 10:03:46 PM »
also
Quote
[root@borris ~]# expand-template /etc/httpd/conf/httpd.conf
[root@borris ~]#

ReetP
Re: Lets encrypt Unsafe TLS
« Reply #6 on: March 07, 2019, 11:28:25 PM »
You still haven't advised what Cipher setting you modified or removed.

Note your original error and search it on the interwebs.

SSL_ERROR_UNSUPPORTED_VERSION

How about running ssl test and see what it tells you:

https://www.ssllabs.com/ssltest/


ReetP
Re: Lets encrypt Unsafe TLS
« Reply #7 on: March 07, 2019, 11:54:05 PM »
Hmmmm. Assuming that is the domain.....

I can reach an ibay here.

http://mail.wakefield-security.com/

However......

https://www.ssllabs.com/ssltest/analyze.html?d=mail.wakefield-security.com

That doesn't make pretty reading.

You need to sort out your router PDQ.....

jameswilson
Re: Lets encrypt Unsafe TLS
« Reply #8 on: March 08, 2019, 10:01:22 PM »
Quote
Hmmmm. Assuming that is the domain.....

I can reach an ibay here.

http://mail.wakefield-security.com/

However......

https://www.ssllabs.com/ssltest/analyze.html?d=mail.wakefield-security.com

That doesn't make pretty reading.

You need to sort out your router PDQ.....

AH!!!
It's the router, should have known it wasn't SME. Sorry, I didn't set up his router, I just help with his SME box. I'll have a word.
Thank you!!!!

ReetP
Re: Lets encrypt Unsafe TLS
« Reply #9 on: March 08, 2019, 11:22:04 PM »
You might want some port forwarding for https to your SME :-)

And hide remote access to the router.....