SSL test on Qualys SSL Labs Rating A Configuration

Minimal Debian * Jessie and Apache V 2.4.10

Fix DNS CAA No to Yes by add CAA record on DNS Server

Clouddns: Add CAA Record, select the Provider (If available : Comodo, Digicert, etc), if manual insert field Answer with 0 (Number 0 -255), Tag with issue and Value with comodoca.com (if Comodo SSL),, letsencrypt.org (If Lets Encrypt SLL) then Save All Changes, wait 1 hour to complete.  Then check CAA status at https://caatest.co.uk

Incorrect SNI alerts

Insert below within section VirtualHost conf then #service apache2 restart

#vim /etc/apache2/sites-available/default-ssl.conf

Insert at the bottom before closed tag of the VirtualHost “</VirtualHost>”

ServerName example.com
ServerAlias www.example.com example.com

Enable Apache OCSPStapling

Specify cached response location (outside <VirtualHost>, before <VirtualHost _default_:443>

SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_stapling(32768)

The placed must before the following text:

## SSL Virtual Host Context
<VirtualHost _default_:443>

**** Optional Activate HTTP/2 protocol on default-ssl.conf

Insert Protocols h2 h2c http/1.1 after <VirtualHost _default_:443> on /etc/apache2/sites-available/default-ssl.conf

Below the configuration on /etc/apache2/sites-enable/default-ssl.conf

** activate Header first in with command #a2enmod headers

SSLEngine on

SSLCipherSUite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !CAMELLIA !SEED !3DES !RC4 !aNULL !eNULL !LOW !MD5 !EXP !PSK !SRP !DSS"

# This TLSv1.2 only
SSLProtocol TLSv1.2
# To use TLSv1.2 and TLSv1.3 uncomment line below and comment one above. Please read note above.
#SSLProtocol +TLSv1.2 +TLSv1.3

#enable of OCSP stapling, only in httpd 2.3.3 and later
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off

#if you want to add DHE (Diffie-Hellman key exchange), HTTPD 2.4.8 later, run openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096 uncomment below
#SSLOpenSSLConfCmd Curves secp384r1
#SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"

SSLCertificateFile /etc/apache2/ssl/example.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/example.com.key
SSLCertificateChainFile /etc/apache2/ssl/example.com.ca-bundle

#Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains" activate first in with command #a2enmod headers
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"

Do not forget to comment (add #) for 2 lines below

#SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
#SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

Enable and load mod_rewrite Apache2 on Debian 8

#/usr/sbin/a2enmod rewrite

Enable Headers

#/usr/sbin/a2enmod headers

Enable SSL

#/usr/sbin/a2enmod ssl

** Optional to Activate HTTP/2 module 

#/usr/sbin/a2enmod http2

Apply SSL Module to Site

#/usr/sbin/a2ensite default-ssl

To activate the new configuration, you need to run:

#service apache2 reload

Other SSL / TLS Settings on /etc/apache2/mods-enabled/ssl.conf

#Turn of SSL Compression & Ensure Ciphers are used in order

SSLCompression off
SSLHonorCipherOrder on

Enable SSL log by add script below the ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog 

ErrorLog ${APACHE_LOG_DIR}/ssl_engine.log
LogLevel debug

Sometimes error occurred, example log below

[Mon Nov 25 09:54:07.361518 2019] [ssl:error] [pid 5035] (70007)The timeout specified has expired: [client 84.240.234.36:32844] AH01985: error reading response from OCSP server

Solution

SSLStaplingResponderTimeout 3

When Sectigo’s OCSP Responder servers did not respond fast enough, the OSCP requests failed and the errors noted on this thread were logged to the Apache error log. Disable OCSP Stapling:

SSLUseStapling off

Or, instead of disabling OCSP Stapling, we could increase the default timeout value (11 seconds appeared to be suitable for yesterday’s issue):

SSLStaplingResponderTimeout 11

Upgrade Debian 7 Wheezy to Debian 8 Jessie

Backup the configuration and data first

Check current release

#sudo cat /etc/*release
PRETTY_NAME="Debian GNU/Linux 7 (wheezy)"
NAME="Debian GNU/Linux"
VERSION_ID="7"
VERSION="7 (wheezy)"
ID=debian
ANSI_COLOR="1;31"
HOME_URL="http://www.debian.org/"
SUPPORT_URL="http://www.debian.org/support/"
BUG_REPORT_URL="http://bugs.debian.org/"

Configuration files in the /etc directory

#tar -pczf etc.tar.gz --absolute-names /etc

Backup of the /var/www website directory.

#tar -pczf www.tar.gz --absolute-names /var/www

Backup of the /home directories.

#tar -pczf home.tar.gz --absolute-names /home

For ISPConfig 3 users: Backup of your email server files.

#tar -pczf vmail.tar.gz --absolute-names /var/vmail

Backup MySQL databases

#mysqldump --defaults-file=/etc/mysql/debian.cnf -cCeQ --hex-blob --quote-names --routines --events --triggers --all-databases -r all_databases.sql

Then move the tar.gz and .sql files for safe storage on a backup drive.

Check the apt sources.list file

Before upgrade to Jessie, all available Wheezy must updates first. On some systems the package source is defined as “stable” in the sources.list file instead of “wheezy” or “jessie”. To avoid an accidental early upgrade to Jessie, please check the sources.list now and ensure that it contains “wheezy” and not “stable” as source:

#nano /etc/apt/sources.list

deb http://ftp.us.debian.org/debian wheezy main contrib non-free
deb-src http://ftp.us.debian.org/debian wheezy main contrib non-free
deb http://ftp.us.debian.org/debian wheezy-updates main contrib non-free
deb http://ftp.us.debian.org/debian-security wheezy/updates main contrib non-free
#apt-get update -y && apt-get upgrade -y && apt-get dist-upgrade -y

Update the sources.list for Jessie

Edit the /etc/apt/sources.list file again:

#nano /etc/apt/sources.list

and replace its content with the following lines:

deb http://ftp.us.debian.org/debian/ jessie main contrib non-free
deb-src http://ftp.us.debian.org/debian/ jessie main contrib non-free

deb http://httpredir.debian.org/debian jessie-updates main contrib non-free
deb-src http://httpredir.debian.org/debian jessie-updates main contrib non-free

deb http://security.debian.org/ jessie/updates main contrib non-free
deb-src http://security.debian.org/ jessie/updates main contrib non-free
apt-get update -y && apt-get upgrade -y && apt-get dist-upgrade -y
reboot

To check which Debian version is currently installed on the system, take a look at the file /etc/os-release.

#cat /etc/os-release
#lsb_release -a

Extract all the tar.gz files to the folder (/var/www/html, /etc/)

#tar -xvf www.tar.gz

Move all folder and files

#mv /sourcefolder/{,.[^.]}* /destinationfolder/