Search code examples
sslencryptionhttpsssl-certificatelighttpd

let's encrypt get grade A+ on ssllabs.com. This server's certificate chain is incomplete. Grade capped to B.

I'm trying to get an grade A+ for my site using lighttpd and acme-tiny script. Below the steps:

  1. Create a Let's Encrypt account private key:

openssl genrsa 4096 > account.key

  1. Create a certificate signing request (CSR) for domains (single domain)

openssl genrsa 4096 > domain.key

openssl req -new -sha256 -key domain.key -subj "/CN=mysitehere.com" > domain.csr

  1. Make website host challenge files

mkdir /var/www/.well-known/acme-challenge/

  1. Get a signed certificate

python acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /var/www/.well-known/acme-challenge/ > ./signed.crt

  1. Installing certificate

wget -O - https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem > intermediate.pem

cat signed.crt intermediate.pem > chained.pem

cat domain.key chained.pem > mysitehere.pem

lighttpd-enable-mod ssl

/etc/lighttpd/conf-enabled/10-ssl.conf

$SERVER["socket"] == "0.0.0.0:443" {
ssl.engine  = "enable"
ssl.pemfile = "/root/letsencrypt/mysitehere.pem"
ssl-ca-file = "/root/letsencrypt/chained.pem"
    ssl.dh-file = "/root/letsencrypt/dhparams/dhparams.pem"
    ssl.cipher-list = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA "
ssl.honor-cipher-order = "enable"}

All seems ok. https working.

test this setup on ssllabs and get Grade B.

Certificate - 100%

Protocol support - 100%

Key exchange - 90%

Cipher Strength - 90%

This server's certificate chain is incomplete. Chain issues Incomplete

Certificates provided 1 (1532 bytes)

Sent by server mysitehere.com Fingerprint SHA1: e0f6d98733915 ......

Extra download Let's Encrypt Authority X1 ......

In trust store DST Root CA X3 Self-signed

how to make a file mysitehere.pem right way to avoid extra downloading from let's encrypt site and get grade A from ssllabs?

Thank you!

Solution

  • ssl-ca-file should be ssl.ca-file.