Yes, I know that it is a too late decision and I need to do it 2-3 years ago. But everyone did mistakes in his (or her) life. It is the same for me.
I started 2 weeks ago with upgrading Debian 8 to Debian 9 and all extra packages (MariaDB, PHP, Ruby, OpenSSL, etc.). After that, I realized that I’m done because I had HTTPS certificates on my websites which worked well. It looked like it was enough. But it doesn’t – I forget about HTTP/2.
TL;DR: The problem that I had was about reinstalling nginx with the new version of OpenSSL (1.1.0l). And I forget to upgrade nginx… Damn!
A few words about mistakes…
Today I decided to spend all my time migrating my websites to HTTP/2. By the way, I want to get A+ rating on SSLLabs for all websites.
I spent about 3-4 hours validating nginx’s configs.
Then I tried to down all websites except one because I thought that the problem is common for all websites (all of them have the same configs) and I don’t want to update all configs at the same time.
On every change, I checked results with SSLLabs trying to get A+ score. And nothing happened – site returns responses via HTTP/1.1, not HTTP2, and SSLLabs displayed just A score, not A+.
What did I do?
I used curl to check HTTP response:
curl -vso /dev/null --http2 https://domain.tld
Every time curl returns me the same result:
< HTTP/1.1 200 OK
Then I decided to check the installed version of OpenSSL:
# apt list --installed | grep openssl openssl/oldoldstable,now 1.1.0l-1~deb9u3 amd64 [installed]
Okay, I’ve got the latest version.
Then checked which version of OpenSSL nginx uses. It must be the same in the nginx’s version output:
# nginx -V built with OpenSSL 1.1.0l 10 Sep 2019 # Right here
Nice! I forget to reinstall nginx. I just reinstalled all required nginx’s packages and got curl response with HTTP/2!
< HTTP/2 200
Now I want to get A+ score on SSLLabs. Don’t ask me why, I don’t know.
How to get A+ score
The next step is to create directory for dhparam and generate cert with OpenSSL.
# mkdir /etc/nginx/ssl # openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096
Then I changed SSL settings in
ssl_prefer_server_ciphers on; ssl_protocols TLSv1.2; # I removed another protocols to get A+ score.
And in each server section for websites’ configs I added:
listen 443 ssl http2; # <- Do not forget to add `http2` server_name domain.tld; ssl_certificate /root/.acme.sh/domain.tld/fullchain.cer; ssl_certificate_key /root/.acme.sh/domain.tld/domain.tld.key; ssl_prefer_server_ciphers on; ssl_protocols TLSv1.2; ssl_dhparam /etc/nginx/ssl/dhparam.pem; # <- It is required to get A+. ssl_stapling on; ssl_stapling_verify on; # Add HSTS to get extra points: add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
After all changes and restarting nginx, I’ve had A+ in SSLLabs and HTTP2 response!
Do not forget to check versions of installed packages. It does matter.