Minimal Debian Jessie and Apache 2.4.10
Fix "DNS CAA: No" to "Yes" by adding a CAA record on the DNS server
Clouddns: add a CAA record and select the provider (if available: Comodo, Digicert, etc.). If entering it manually, fill the Answer field with 0 (a number from 0 to 255), the Tag with issue, and the Value with comodoca.com (for Comodo SSL) or letsencrypt.org (for Let's Encrypt SSL), then Save All Changes and wait 1 hour for it to complete. Then check the CAA status at https://caatest.co.uk
Incorrect SNI alerts
Insert the line below inside the VirtualHost section of the config, then run #service apache2 restart
#vim /etc/apache2/sites-available/default-ssl.conf
Insert it at the bottom, before the closing tag of the VirtualHost (</VirtualHost>)
ServerName example.com
ServerAlias www.example.com example.com
Enable Apache OCSP Stapling
Specify the cached response location (outside <VirtualHost>, before <VirtualHost _default_:443>)
SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_stapling(32768)
It must be placed before the following text:
## SSL Virtual Host Context
<VirtualHost _default_:443>
**** Optional: activate the HTTP/2 protocol in default-ssl.conf
Insert Protocols h2 h2c http/1.1 after <VirtualHost _default_:443> in /etc/apache2/sites-available/default-ssl.conf
Below is the configuration in /etc/apache2/sites-enabled/default-ssl.conf
** activate the headers module first with the command #a2enmod headers
SSLEngine on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !CAMELLIA !SEED !3DES !RC4 !aNULL !eNULL !LOW !MD5 !EXP !PSK !SRP !DSS"
# This is TLSv1.2 only
SSLProtocol TLSv1.2
# To use TLSv1.2 and TLSv1.3 uncomment the line below and comment out the one above. Please read the note above.
#SSLProtocol +TLSv1.2 +TLSv1.3
# Enable OCSP stapling, only in httpd 2.3.3 and later
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
# If you want to add DHE (Diffie-Hellman key exchange), HTTPD 2.4.8 or later, run openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096 and uncomment below
#SSLOpenSSLConfCmd Curves secp384r1
#SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
SSLCertificateFile /etc/apache2/ssl/example.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/example.com.key
SSLCertificateChainFile /etc/apache2/ssl/example.com.ca-bundle
#Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
# Activate the headers module first with the command #a2enmod headers
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
Do not forget to comment out (add #) the 2 lines below
#SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
#SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
Enable and load mod_rewrite in Apache2 on Debian 8
#/usr/sbin/a2enmod rewrite
Enable Headers
#/usr/sbin/a2enmod headers
Enable SSL
#/usr/sbin/a2enmod ssl
** Optional: activate the HTTP/2 module
#/usr/sbin/a2enmod http2
Apply SSL Module to Site
#/usr/sbin/a2ensite default-ssl
To activate the new configuration, you need to run:
#service apache2 reload
Other SSL / TLS settings in /etc/apache2/mods-enabled/ssl.conf
# Turn off SSL compression & ensure ciphers are used in order
SSLCompression off
SSLHonorCipherOrder on
Enable the SSL log by adding the lines below after the ErrorLog ${APACHE_LOG_DIR}/error.log and CustomLog lines
ErrorLog ${APACHE_LOG_DIR}/ssl_engine.log
LogLevel debug
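As an added check before the reload (example code, not part of these notes): a small POSIX shell script that verifies a default-ssl.conf carries the settings above. The function names and the sample config it runs on are constructed here; pass it your own file to check a real one.

```shell
#!/bin/sh
# Added example, not part of the original notes: sanity-check a default-ssl.conf
# for the settings the notes ask for, before running "service apache2 reload".
# Usage: check_ssl_conf FILE; prints one FAIL line per finding, returns 0 when all pass.

# Uncommented directives only, leading whitespace stripped.
live_lines() { sed -e 's/^[[:space:]]*//' -e '/^#/d' -e '/^$/d' "$1"; }

# True when SSLStaplingCache sits at top level: Apache rejects it inside
# <VirtualHost>, which is why the notes put it before <VirtualHost _default_:443>.
stapling_cache_outside_vhost() {
  live_lines "$1" | awk '
    tolower($0) ~ /^<virtualhost/    { depth++; next }
    tolower($0) ~ /^<\/virtualhost>/ { depth--; next }
    tolower($0) ~ /^sslstaplingcache[ \t]/ && depth == 0 { ok = 1 }
    END { exit (ok ? 0 : 1) }'
}

check_ssl_conf() {
  f="$1"; rc=0
  has()  { live_lines "$f" | grep -Eiq "$1"; }   # case-insensitive, like Apache
  fail() { echo "FAIL: $1"; rc=1; }
  has '^SSLEngine[[:space:]]+on'      || fail "SSLEngine on missing"
  has '^SSLUseStapling[[:space:]]+on' || fail "SSLUseStapling on missing"
  stapling_cache_outside_vhost "$f"   || fail "SSLStaplingCache missing or inside <VirtualHost>"
  has 'ssl-cert-snakeoil'             && fail "snakeoil certificate lines still active"
  has '^Header[[:space:]]+always[[:space:]]+set[[:space:]]+Strict-Transport-Security' \
                                      || fail "HSTS header missing (needs a2enmod headers)"
  # An SSLProtocol line naming SSLv3, TLSv1, TLSv1.1 or "all" without a leading "-"
  # is reported; the notes use an explicit TLSv1.2 allow-list instead.
  has '^SSLProtocol([[:space:]]+[^[:space:]]+)*[[:space:]]+\+?(all|SSLv3|TLSv1|TLSv1\.1)([[:space:]]|$)' \
                                      && fail "SSLProtocol still allows a legacy protocol"
  has '^SSLCompression[[:space:]]+on' && fail "SSLCompression on (set it off in ssl.conf)"
  return $rc
}

# Constructed sample in the shape of the notes' default-ssl.conf, for a dry run.
sample=$(mktemp)
cat >"$sample" <<'EOF'
SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_stapling(32768)
<VirtualHost _default_:443>
    SSLEngine on
    SSLProtocol TLSv1.2
    SSLUseStapling on
    #SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
</VirtualHost>
EOF
check_ssl_conf "$sample" && echo "OK: sample passes every check"; rm -f "$sample"
```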
Sometimes an error occurs; an example log entry is below
[Mon Nov 25 09:54:07.361518 2019] [ssl:error] [pid 5035] (70007)The timeout specified has expired: [client 84.240.234.36:32844] AH01985: error reading response from OCSP server
Solution
SSLStaplingResponderTimeout 3
When Sectigo’s OCSP Responder servers did not respond fast enough, the OCSP requests failed and the errors noted on this thread were logged to the Apache error log. Disable OCSP Stapling:
SSLUseStapling off
Or, instead of disabling OCSP Stapling, we could increase the default timeout value (11 seconds appeared to be suitable for yesterday’s issue):
SSLStaplingResponderTimeout 11