1
SSL / Re: SSL certificate blocked by antivirus for Apache + NGINX + Varnish
« on: September 14, 2019, 09:09:42 AM »
Hi,
You gave the answer
URL: myservername
Reason: Self-signed certificate
Best way to connect:
- Use the declared hostname of your server (cwp)
- If you don't have an A record in the DNS zone, you can add it to the client hosts file
- Then you'll be able to connect to https://hostname.domaine.tld:2087
- Most important: to avoid the self-signed error, use a Let's Encrypt certificate; if your hostname and DNS settings are right on your server it should be OK.
Regards.
Louis
3
SSL / Re: is there a way to autoinstall ssl certificates
« on: September 07, 2019, 03:09:40 PM »
Hi Visio,
You can use the built-in tool AutoSSL to apply a Let's Encrypt certificate to each domain/subdomain.
Regards.
Louis
4
SSL / Re: AutoSSL Key Length
« on: July 29, 2019, 12:54:32 PM »
Hi all,
For those interested in playing with certificates, you can modify the key length, the certificate type and extensions like "must staple" by directly modifying the acme.sh script.
/!\ DO NOT DO THAT ON PROD UNTIL YOU'RE CONFIDENT WITH WHAT IT IMPLIES /!\
First make a copy of the original script:
Code:
cp /root/.acme.sh/acme.sh /root/.acme.sh/acme.sh.bak
Then we will work on a copy using vim or another editor you like:
Code:
vim /root/.acme.sh/acme.sh
And we edit line 36 for key length and/or certificate type and line 6269 for adding the "must staple" extension:
L36:
Code:
DEFAULT_DOMAIN_KEY_LENGTH="2048"
Becomes:
Code:
DEFAULT_DOMAIN_KEY_LENGTH="4096"
for 4096 bits RSA
Or:
Code:
DEFAULT_DOMAIN_KEY_LENGTH="ec-384"
for 384 bits ECDSA
L6269, you'll find:
Code:
_notify_mode=""
while [ ${#} -gt 0 ]; do
Add a line between those two, ending with the following text:
Code:
_notify_mode=""
Le_OCSP_Staple="1"
while [ ${#} -gt 0 ]; do
It will add "must staple" to your certificate.
A lot of other things could be done like that, like wildcard certificates or DNS check (needed for wildcard), but for those 2 the SSL certificates manager behavior could not be predicted.
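
To confirm that a certificate issued after the edits above really carries the new key type and the must-staple extension, the text dump from openssl x509 can be checked as in this added example (not part of the original post, acme.sh or CWP). The helper name check_cert_text and the sample excerpts are constructed for illustration.

```sh
#!/bin/sh
# Added example; check_cert_text and the sample_* functions are hypothetical names.
# Real use: openssl x509 -in cert.pem -noout -text | check_cert_text ec-384

check_cert_text() {   # $1 = expected key: "4096", "2048" or "ec-384"
  want="$1"; text=$(cat); rc=0
  # OpenSSL prints e.g. "Public-Key: (384 bit)" and "Public Key Algorithm: id-ecPublicKey"
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  algo=$(printf '%s\n' "$text" | sed -n 's/.*Public Key Algorithm: *//p' | head -n 1)
  case "$want" in
    ec-*) want_bits=${want#ec-}; want_algo="id-ecPublicKey" ;;
    *)    want_bits=$want;       want_algo="rsaEncryption" ;;
  esac
  if [ "$bits" != "$want_bits" ] || [ "$algo" != "$want_algo" ]; then
    echo "key mismatch: got $algo/$bits, want $want_algo/$want_bits"; rc=1
  fi
  # must-staple appears as a "TLS Feature" extension whose next line is status_request
  if ! printf '%s\n' "$text" |
       awk '/TLS Feature/ {f=1; next} f && /status_request/ {ok=1} {f=0} END {exit !ok}'
  then
    echo "must-staple extension missing"; rc=1
  fi
  return $rc
}

sample_ec384() {      # constructed excerpt of openssl text output
  cat <<'EOF'
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                ASN1 OID: secp384r1
            TLS Feature:
                status_request
EOF
}
sample_rsa2048() {    # constructed: default key, no must-staple
  cat <<'EOF'
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
EOF
}

sample_ec384 | check_cert_text ec-384 && echo "ec-384 + must-staple: ok"
sample_rsa2048 | check_cert_text 4096 || echo "certificate does not match the edit"
```

A must-staple certificate only works if the web server actually staples OCSP responses (SSLUseStapling on in Apache, ssl_stapling on in nginx); clients that enforce the extension reject the connection otherwise.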
5
SSL / Re: ssl installed I can verify in browser green lock but
« on: July 23, 2019, 09:41:37 AM »
Hi jnet,
What conf are you using for your domain ? (nginx > varnish > apache, nginx > apache, nginx, apache etc.)
And also what vhost template are you using on the front ?
In my case I saw that I have to use "default"; if "force https" or "force-http2-https" is activated it will not succeed for a creation but works for a renewal.
Regards.
Louis
6
SSL / Re: AutoSSL Key Length
« on: July 23, 2019, 09:35:06 AM »
Hi Jamshed_206,
Thank you for your answer.
I'll do it for sure, as acme.sh supports the ACME 2 protocol served by LE; it enables the use of wildcard certificates, other challenge methods (DNS is mandatory for wildcard) and is even compatible with the APIs of a bunch of DNS providers, longer key lengths and ECDSA certificates.
Nice things could be done with the right wrappers.
Regards.
Louis
7
SSL / Re: reinstalled my server and let's encrypt is not there and..
« on: July 23, 2019, 09:29:27 AM »
Hi,
You can't do anything, you just have to wait 1 week.
That's why I said that for TESTING purpose you could build a dedicated subdomain...
Cheers.
Louis
8
SSL / Re: reinstalled my server and let's encrypt is not there and..
« on: July 22, 2019, 05:55:32 PM »
Hi Jnet,
Use another subdomain for testing.
AutoSSL is not very flexible with Let's Encrypt options like the testing mode, RSA/ECDSA certificates, or even the key length or ECC algorithm.
9
SSL / Re: SSL Error On Domain ERR_CONNECTION_REFUSED
« on: July 22, 2019, 08:21:22 AM »
Hi Spidey,
What browser are you using ?
If it's Chrome try with Firefox to get a more precise error label.
Regards.
Louis
10
SSL / Re: CWP support for TLSv1.3
« on: July 22, 2019, 08:19:49 AM »
Hi n8v8r,
They'll have to update openssl to 1.1.1 for that.
I am currently doing it on my own: recompiling openssl with the 1.1.1e source, then recompiling apache, recompiling php, and now the nginx recompilation remains.
Regards.
Louis
11
SSL / AutoSSL Key Length
« on: July 20, 2019, 06:51:00 PM »
Hi there,
I have been messing around with CWP for a few weeks now and I like it a lot.
I have been able to correctly build Let's Encrypt certificates using AutoSSL.
But I have a question for the community: has anyone managed to produce a certificate with a 4096 key length instead of 2048, which is the default?
Thank you in advance for your answer(s).
Regards.
Louis