Chain Certificate


  • Chain Certificate

    Hi all,

    How do you install the Chain Certificate part of an SSL certificate for the actual control panel URL? Looking at the ssl.conf file, it seems it uses the same file as the main SSL cert file (/etc/pki/tls/certs/localhost.crt), so when you add it to that file, either manually or via the Nodeworx control panel, tests on SSL Labs, for example, do not seem to pick it up.

    So the question is: What is the correct way of installing the chain certificate part?

    Second question which is related to HTTPS - I want to force http://domain.com/siteworx/ to redirect to the https:// version - I thought this would be done in the iworx.conf but I don't think the rules I have in place are taking effect, or the rules could be wrong.

    Cheers,

  • #2
    Hi Bertie

    I hope you're well

    The input for nodeworx SSL, is cert, then chain(s), all in the same input box (there is no separate chain input box as shown on a siteworx account)

    For testing SSL, in order to do a full test, you need to setup a siteworx account which matches the nodeworx name, and copy and paste ID, SSL and chains as taken from the nodeworx SSL. This is because of SNI.

    Then test, and it will correctly pick up on the correct SSL

    If you do not setup a siteworx account as above, the nodeworx ssl still correctly works, but you cannot test fully

    Did you try my suggestion for the https redirect? The SSL works differently to http, and rewrite rules in iworx for https do not work

    Many thanks

    John



    • #3
      Originally posted by d2d4j:
      Hi Bertie

      I hope you're well

      The input for nodeworx SSL, is cert, then chain(s), all in the same input box (there is no separate chain input box as shown on a siteworx account)

      For testing SSL, in order to do a full test, you need to setup a siteworx account which matches the nodeworx name, and copy and paste ID, SSL and chains as taken from the nodeworx SSL. This is because of SNI.

      Then test, and it will correctly pick up on the correct SSL

      If you do not setup a siteworx account as above, the nodeworx ssl still correctly works, but you cannot test fully

      Did you try my suggestion for the https redirect? The SSL works differently to http, and rewrite rules in iworx for https do not work

      Many thanks

      John
      When you say copy and paste ID - Which ID is this?



      • #4
        Hi Bertie

        Sorry, I'm typing from memory and it's the unique ID, I think it's called. It is the first generated ID you need to create for an SSL, before you can generate a CSR.

        When I'm back, I'll post a picture but apologies for not remembering the correct name

        Many thanks

        John



        • #5
          I guess my idea here wasn't so bad from a User Interface standpoint.
          http://forums.interworx.com/threads/...te-Import-Idea
          [ JUSTIN ]
          [ OFF unit ]
          [ WEB DESIGN / DEVELOPMENT, GRAPHIC DESIGN, OTHER STUFF ]



          • #6
            Originally posted by Bertie:
            Second question which is related to HTTPS - I want to force http://domain.com/siteworx/ to redirect to the https:// version - I thought this would be done in the iworx.conf but I don't think the rules I have in place are taking effect, or the rules could be wrong.
            On this part, this thread I started should help.

            http://forums.interworx.com/threads/...ube-etc-to-SSL
            [ JUSTIN ]
            [ OFF unit ]
            [ WEB DESIGN / DEVELOPMENT, GRAPHIC DESIGN, OTHER STUFF ]



            • #7
              Hi Justin

              Good call

              Many thanks

              John



              • #8
                Okay, a couple of things.

                The main domain has its own siteworx account with a wildcard SSL installed. It works fine mostly when you check it on SSL Labs, but it does pick up a 2nd certificate for another domain name that also has an SSL installed (different SSL and not a wildcard). The two domains share the same IP but SNI is enabled within the settings, so it's coming up as a mismatch via the common name.

                Why is that? As I thought with SNI enabled you could have SSL installed on domains with the same IP.


                ----

                Now back to the chain issue, it's a sub-domain for the main domain mentioned above. Which has the wildcard SSL installed via the Nodeworx SSL section. But SSL Labs does not pick up the chain certificate even if it's there.
                Last edited by Bertie; 02-16-2017, 03:23 AM.



                • #9
                  Hi Bertie

                  To be honest, I would open a support ticket and let IW have a look

                  I might suggest you ssh into server and manually stop Apache and start Apache (not a restart of Apache or from Iw-cp), then retest to see if the same issue is seen

                  Many thanks

                  John



                  • #10
                    It looks like SSL Labs changed their scanner at the end of last year to include multiple certificate chains:

                    https://blog.qualys.com/ssllabs/2016...ificate-chains

                    https://community.qualys.com/thread/...main-ssl-issue

                    But seems to be a non-issue.



                    • #11
                      Chain Cert Update:


                      Looks like you need to add the chain cert to both Web-Server Default SSL and InterWorx-SSL for it to be picked up by the SSL Labs site. Just need to figure out how to get it from a grade B to A/A+. Have tried changing the cipher section to something like this:

                      SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA:!DHE-RSA-AES256-SHA256:!DHE-RSA-CAMELLIA128-SHA:!DHE-RSA-CAMELLIA256-SHA
                      But so far doesn't seem to change anything.



                      • #12
                        Hi Bertie

                        Many thanks

                        To be honest, it is always best advice when adding a new SSL cert to nodeworx that you add the chains and set it to all, so email, ftp etc. have full chain access

                        The default IW ciphers will give an A rate on qualys, but to get an A+ you need to change to use HSTS I think, but a few users have posted how to do this, and it works lovely

                        Many thanks

                        John



                        • #13
                          You can get an A by going only with TLSv1 and higher, plus removing all weak ciphers from the cipher suite.

                          John is right, to get A+, you have to set HSTS (HTTP Strict Transport Security) in your apache config file for that site. The cache time must be set for at least 180 days as well on HSTS.
                          [ JUSTIN ]
                          [ OFF unit ]
                          [ WEB DESIGN / DEVELOPMENT, GRAPHIC DESIGN, OTHER STUFF ]

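Added example (not InterWorx code and not from any poster): a small Python helper that checks the two things this thread ends up testing against SSL Labs, the certificate chain a server presents for one SNI name (via `openssl s_client -servername ... -showcerts`) and whether an HSTS header carries the 180-day max-age mentioned for an A+. The `s_client` output below is a constructed sample; `HOST`, `PORT` and `SNI_NAME` in the live check are placeholders.

```python
import re
import subprocess

HSTS_MIN_AGE = 180 * 24 * 3600  # 180 days: the HSTS cache time the thread cites for an A+

# Constructed sample of the "Certificate chain" section that `openssl s_client -showcerts` prints.
SAMPLE_S_CLIENT = """Certificate chain
 0 s:CN = panel.example.com
   i:O = Example CA, CN = Example Intermediate
-----BEGIN CERTIFICATE-----
(leaf certificate body omitted in this constructed sample)
-----END CERTIFICATE-----
 1 s:O = Example CA, CN = Example Intermediate
   i:O = Example CA, CN = Example Root
-----BEGIN CERTIFICATE-----
(intermediate certificate body omitted in this constructed sample)
-----END CERTIFICATE-----
---
Server certificate
"""

def parse_chain(s_client_output):
    """Return [(subject, issuer), ...] in the order the server sent the certificates."""
    section = s_client_output.split("Certificate chain", 1)[-1].split("\n---\n", 1)[0]
    subjects = re.findall(r"^\s*\d+ s:(.*)$", section, re.M)
    issuers = re.findall(r"^\s*i:(.*)$", section, re.M)
    return [(s.strip(), i.strip()) for s, i in zip(subjects, issuers)]

def chain_problems(chain):
    """What a scanner flags: leaf only (missing intermediates), or issuer/subject links that do not match."""
    problems = []
    if len(chain) < 2:
        problems.append("only the leaf certificate was sent; no intermediates")
    for n in range(len(chain) - 1):
        if chain[n][1] != chain[n + 1][0]:
            problems.append(f"cert {n} issuer does not match cert {n + 1} subject")
    return problems

def hsts_ok(header_value):
    """True when a Strict-Transport-Security value carries max-age >= 180 days."""
    m = re.search(r'max-age\s*=\s*"?(\d+)', header_value or "", re.I)
    return bool(m) and int(m.group(1)) >= HSTS_MIN_AGE

def fetch_chain(host, port, sni_name):
    """Live check: -servername makes the server pick the SNI certificate, as a scanner does."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", sni_name, "-showcerts"]
    out = subprocess.run(cmd, input="", capture_output=True, text=True, timeout=20)
    return parse_chain(out.stdout)

if __name__ == "__main__":
    chain = parse_chain(SAMPLE_S_CLIENT)  # swap in fetch_chain("HOST", "PORT", "SNI_NAME") for a live check
    print(chain_problems(chain) or "chain is complete and linked")
```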


                          • #14
                            Hi Justin

                            I hope you're well

                            Sorry, I thought IW had stopped all SSLv3, which only leaves TLSv1-1.2 working, which is why the default Iw cipher receives an A rate on qualys

                            Hopefully, TLSv1.3 should not be far away

                            Many thanks

                            John



                            • #15
                              Originally posted by d2d4j:
                              Sorry, I thought IW had stopped all SSLv3
                              Oh, they may have through the ciphersuite. I didn't check that first before I started doing my edits a few weeks ago.
                              [ JUSTIN ]
                              [ OFF unit ]
                              [ WEB DESIGN / DEVELOPMENT, GRAPHIC DESIGN, OTHER STUFF ]
