I used the Plesk extension for Let's Encrypt (https://github.com/plesk/letsencrypt-plesk), but chrome shows that an old cypher suite is used. The certificate uses:
TLS 1.2
AES_256_CBC
HMAC-SHA1
ECDHE_RSA
I found out that AES_256_CBC seems to be the problem, but the UI does not allow for any configuration of these parameters.
Is there a configuration file that allows this?
I only found http://letsencrypt.readthedocs.org/en/latest/using.html#configuration-file which does not seem to support these options
Thank you
For server-wide you can change:
for nginx, ssl_ciphers in /etc/nginx/conf.d/ssl.conf to:
ssl_ciphers EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EDH+AESGCM+AES128:EDH+AESGCM+AES256;
for apache, SSLCipherSuite in file like /etc/apache2/mods-enabled/ssl.conf:
SSLCipherSuite EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EDH+AESGCM+AES128:EDH+AESGCM+AES256
Per individual site you can use same strings in additional web server directives for Apache/Nginx:
Additionally Plesk has all-in-one tool for hardening security options in all supported services:
plesk sbin pci_compliance_resolver --enable
Related
how can I specify ca-cert or disable SSL verification when setup Slack integration in Wazuh?
I can`t see any directive for this in docs (https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/integration.html)
Maybe someone will need answer too. You can find out where python stores its certs bundle with
import certifi
certifi.where()
and append your cert there
I inherited an ejabberd installation from a previous employee. Basic commands return
Error command 'xxxx' not known
The doc refers to /etc/ejabberd.cfg, which does not exist on the server. /opt/ejabberd-15.03/conf/ejabberd.yml seems to contain all pertinent configs, such as LDAP and ssl certificate locations.
Everything seems to be running fine for the users, so maybe I'm doing something wrong. Here are some samples:
[root#jabber bin]# pwd
/opt/ejabberd-15.03/bin
[root#jabber bin]# ./ejabberdctl create_room SteveTest conference.localhost localhost
Error: command "create_room" not known.
[root#jabber bin]# ./ejabberdctl muc_online_rooms global
Error: command "muc_online_rooms" not known.
Configuration file
The doc refers to /etc/ejabberd.cfg, which does not exist on the server. /opt/ejabberd-15.03/conf/ejabberd.yml seems to contain all pertinent configs, such as LDAP and ssl certificate locations.
The location of the configuration file is specific to the way ejabberd got installed, so having it in /opt/ejabberd-15.03/conf/ should be fine.
The reason for ejabberd.cfg vs. ejabberd.yml is that ejabberd 13.10 introduced YAML as configuration file format (ejabberd.yml) and deprecated the previously used Erlang terms based one (ejabberd.cfg). From their documentation:
In previous ejabberd version the configuration file should be written in Erlang terms. The format is still supported, but it is highly recommended to convert it to the new YAML […]
ejabberdctl
When you run ejabberdctl without any arguments it should show you all supported commands.
The ones you tried (create_room and muc_online_rooms) shouldn't be in the list, as they are part of the mod_muc_admin module, which got introduced with ejabberd 15.04, but you appear to be running the older ejabberd 15.03.
To get these commands you can either upgrade ejabberd, which would be the recommended way, or fetch the mod_muc_admin module from the ejabberd-contrib repository, which contains third-party ejabberd modules. mod_muc_admin was part of this repository before it became directly included into ejabberd. Here is a link to the last revision of ejabberd-contrib which still contains the module: https://github.com/processone/ejabberd-contrib/tree/e5336f/mod_muc_admin
I'm getting a 500 Internal Server Error while trying to install Bolt.
First time Bolt user (been using Drupal for a few years).
I'm running on a VPS (with cPanel/WHM).
PHP version 5.4.37, Apache version 2.4.12
PHP memory_limit = 128M
PDO extension, curlssl extension, and GD extension are enabled
Chrome version 40.0.2214.111
mod_rewrite, SQLite, and MySQL 5.6.22
Downloaded the latest version and installed the traditional way (FTP)
Unzipped and updated permissions
.htaccess is there and looks the same as the one referenced on the Bolt installation page
I tried MySQL database and as-is to use SQLite database
Checked host configuration and AllowOverrides is enabled
tried enabling RewriteBase in .htaccess as well as the "FallbackResource /index.php" method
Bolt is in the root directory (not a subfolder)
I have PHP compiled as FCGI with suEXEC on and Ruid2 off.
All I get is the 500 Internal Server Error. What am I missing?
Have the same problem with Bolt 3.0.0 today.
Was solved by removing
<IfModule mod_negotiation.c>
Options -MultiViews
</IfModule>
from .htaccess
Looks like I just figured it out.
I disabled "Zend Guard Loader" on my VPS (cPanel/WHM >> EasyApache) and now I'm good to go!
I had a similar problem with Bold 2.2.20 today. If you're using cPanel, look for something like 'jail php for WordPress'. Disable that and you'll be ready to go.
Here's the description shown:
This plugin will jail anonymous web page requests from users that are not logged in. Jailed requests will be read only, and linux will prevent writes to the filesystem. This will prevent almost all hacks.
Domain: https://www.amz2btc.com
Analysis from SSL Labs: https://www.ssllabs.com/ssltest/analyze.html?d=amz2btc.com
All my desktop browsers open this fine. Mobile Firefox opens this fine. Only when I tried with mobile Chrome did I get the error: err_cert_authority_invalid
I know very little about SSL, so I can't really make sense of the SSL report or why this error is coming up. If someone could ELI5, that would be ideal. :)
I just spent the morning dealing with this. The problem wasn't that I had a certificate missing. It was that I had an extra.
I started out with my ssl.conf containing my server key and three files provided by my SSL certificate authority:
# Server Certificate:
SSLCertificateFile /etc/pki/tls/certs/myserver.cer
# Server Private Key:
SSLCertificateKeyFile /etc/pki/tls/private/myserver.key
# Server Certificate Chain:
SSLCertificateChainFile /etc/pki/tls/certs/AddTrustExternalCARoot.pem
# Certificate Authority (CA):
SSLCACertificateFile /etc/pki/tls/certs/InCommonServerCA.pem
It worked fine on desktops, but Chrome on Android gave me err_cert_authority_invalid
A lot of headaches, searching and poor documentation later, I figured out that it was the Server Certificate Chain:
SSLCertificateChainFile /etc/pki/tls/certs/AddTrustExternalCARoot.pem
That was creating a second certificate chain which was incomplete. I commented out that line, leaving me with
# Server Certificate:
SSLCertificateFile /etc/pki/tls/certs/myserver.cer
# Server Private Key:
SSLCertificateKeyFile /etc/pki/tls/private/myserver.key
# Certificate Authority (CA):
SSLCACertificateFile /etc/pki/tls/certs/InCommonServerCA.pem
and now it's working on Android again. This was on Linux running Apache 2.2.
I had this same problem while hosting a web site via Parse and using a Comodo SSL cert resold by NameCheap.
You will receive two cert files inside of a zip folder:
www_yourdomain_com.ca-bundle
www_yourdomain_com.crt
You can only upload one file to Parse:
Parse SSL Cert Input Box
In terminal combine the two files using:
cat www_yourdomain_com.crt www_yourdomain_com.ca-bundle > www_yourdomain_com_combine.crt
Then upload to Parse. This should fix the issue with Android Chrome and Firefox browsers. You can verify that it worked by testing it at https://www.sslchecker.com/sslchecker
For those having this problem on IIS servers.
Explanation: sometimes certificates carry an URL of an intermediate certificate instead of the actual certificate. Desktop browsers can DOWNLOAD the missing intermediate certificate using this URL. But older mobile browsers are unable to do that. So they throw this warning.
You need to
1) make sure all intermediate certificates are served by the server
2) disable unneeded certification paths in IIS - Under "Trusted Root Certification Authorities", you need to "disable all purposes" for the certificate that triggers the download.
PS. my colleague has wrote a blog post with more detailed steps: https://www.jitbit.com/maxblog/21-errcertauthorityinvalid-on-android-and-iis/
The report from SSLabs says:
This server's certificate chain is incomplete. Grade capped to B.
....
Chain Issues Incomplete
Desktop browsers often have chain certificates cached from previous connections or download them from the URL specified in the certificate. Mobile browsers and other applications usually don't.
Fix your chain by including the missing certificates and everything should be right.
I hope i am not too late, this solution here worked for me, i am using COMODO SSL, the above solutions seem invalid over time, my website lifetanstic.co.ke
Instead of contacting Comodo Support and gain a CA bundle file You can do the following:
When You get your new SSL cert from Comodo (by mail) they have a zip file attached. You need to unzip the zip-file and open the following files in a text editor like notepad:
AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt
Then copy the text of each ".crt" file and paste the texts above eachother in the "Certificate Authority Bundle (optional)" field.
After that just add the SSL cert as usual in the "Certificate" field and click at "Autofil by Certificate" button and hit "Install".
Inspired by this gist: https://gist.github.com/ipedrazas/6d6c31144636d586dcc3
I also had a problem with the chain and managed to solve using this guide https://gist.github.com/bradmontgomery/6487319
if you're like me who is using AWS and CloudFront, here's how to solve the issue. it's similar to what others have shared except you don't use your domain's crt file, just what comodo emailed you.
cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > ssl-bundle.crt
this worked for me and my site no longer displays the ssl warning on chrome in android.
A decent way to check whether there is an issue in your certificate chain is to use this website:
https://www.digicert.com/help/
Plug in your test URL and it will tell you what may be wrong. We had an issue with the same symptom as you, and our issue was diagnosed as being due to intermediate certificates.
SSL Certificate is not trusted
The certificate is not signed by a trusted authority (checking against
Mozilla's root store). If you bought the certificate from a trusted
authority, you probably just need to install one or more Intermediate
certificates. Contact your certificate provider for assistance doing
this for your server platform.
I solved my problem with this commands:
cat __mydomain_com.crt __mydomain_com.ca-bundle > __mydomain_com_combine.crt
and after:
cat __mydomain_com_combine.crt COMODORSADomainValidationSecureServerCA.crt
COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > mydomain.pem
And in my domain nginx .conf I put on the server 443:
ssl_certificate ssl/mydomain.pem;
ssl_certificate_key ssl/mydomain.private.key;
I don't forget restart your "Nginx"
service nginx restart
I had the same probleme but the response made by Mike A helped me to figure it out:
I had a my certificate, an intermediate certificate (Gandi) , an other intermediate (UserTrustRSA) and finally the RootCA certificate (AddTrust).
So first i made a chain file with Gandi+UserTrustRSA+AddTrust and specified it with SSLCertificateChainFile. But it didn't worked.
So i tried MikeA answer by just putting AddTruct cert in a file and specified it with SSLCACertificateFile and removing SSLCertificateChainFile.But it didn't worked.
So finnaly i made a chain file with only Gandi+UserTrustRSA specified by SSLCertificateChainFile and the other file with only the RootCA specified by SSLCACertificateFile and it worked.
# Server Certificate:
SSLCertificateFile /etc/ssl/apache/myserver.cer
# Server Private Key:
SSLCertificateKeyFile /etc/ssl/apache/myserver.key
# Server Certificate Chain:
SSLCertificateChainFile /etc/ssl/apache/Gandi+UserTrustRSA.pem
# Certificate Authority (CA):
SSLCACertificateFile /etc/ssl/apache/AddTrust.pem
Seems logical when you read but hope it helps.
I guess you should install CA certificate form one if authority canter:
ssl_trusted_certificate ssl/SSL_CA_Bundle.pem;
Just do the following for Version 44.0.2403.155 dev-m
Privacy -->Content settings -->Do not allow any site to run JavaScript
Problem Solved
My objective: get https://github.com/couchbaselabs/ToDoLite-iOS syncing with a Couchbase Server and sync gateway on localhost rather than the default demo URL.
I run sync gateway like so: bin/sync_gateway -url http://localhost:8091
And then the only thing I changed in the example is:
-#define kSyncGatewayUrl #"http://demo.mobile.couchbase.com/todolite"
+#define kSyncGatewayUrl #"http://localhost:4984/sync_gateway/"
And when I run
Error: Error Domain=CBLHTTP Code=404 "404 not_found" UserInfo=0x7ff11941fb50 {NSURL=http://localhost:4984/sync_gateway/_facebook, NSLocalizedFailureReason=not_found, NSLocalizedDescription=404 not_found}
How do I fix this?
I solved it. The reason is that I ran sync_gateway without enabling Facebook registration support.
Normally this is done in config.json file. In fact, this configuration file was supplied in ToDoLite all along.
It is crucial that you launch sync_gateway with this configuration file. The README actually states this but in a loose and casual way...
cd ToDoLite-iOS
sync_gateway -url http://localhost:8091 sync-gateway-config.json
NB: I assume above that sync_gateway has been made accessible through $PATH. It's a good idea to do that anyway.
Also, I didn't pay attention to the dbname. So you'll need to replace
#define kSyncGatewayUrl #"http://demo.mobile.couchbase.com/todolite"`
with
#define kSyncGatewayUrl #"http://localhost:4984/todos"
So, what's the complete sequence of steps to get it working?:
If you want to wipe everything on the server, rm -rf Library/Application\ Support/Couchbase and start over. Homebrew cask hides this setting somewhere else where it's hard to reset so a manual install is very recommended.
Install Couchbase Server
Set up login credentials if fresh install; otherwise just login
Create a bucket (a database) with name todos on the cluster. This is the dbname used by TODOLite.
Launch sync gateway. Be sure to pass in the replication URL AND the JSON config file.
bin/sync_gateway -url http://localhost:8091 sync-gateway-config.json; keep sync gateway running
In the TODOLite AppDelegate.m, change kSyncGatewayUrl:
#define kSyncGatewayUrl #"http://localhost:4984/todos". Notice the name of the database is necessary!
(Optionally) Access the administrator interface of the sync gateway by going to http://localhost:4985/_admin/db/sync_gateway/sync. You can set up the sync function here.
In case you're wondering where those port numbers came from, check out
ports Couchbase Server uses
ports Sync Gateway uses
4984 — SG API port
4985 — SG admin server
The default remote sync URL will be defined in different files depending on the version of the project you download (iOS, Android, PhoneGap, and Motion). To find the appropriate string to change simply search through your project for the URL "http://demo.mobile.couchbase.com/todolite" and replace it with the URL of your new sync gateway database.