What I’ve learned while migrating my sites to HTTPS with HTTP/2

Yes, I know that it is a too late decision and I need to do it 2-3 years ago. But everyone did mistakes in his (or her) life. It is the same for me.

I started 2 weeks ago with upgrading Debian 8 to Debian 9 and all extra packages (MariaDB, PHP, Ruby, OpenSSL, etc.). After that, I realized that I’m done because I had HTTPS certificates on my websites which worked well. It looked like it was enough. But it doesn’t – I forget about HTTP/2.

TL;DR: The problem that I had was about reinstalling nginx with the new version of OpenSSL (1.1.0l). And I forget to upgrade nginx… Damn!

A few words about mistakes…

Today I decided to spend all my time migrating my websites to HTTP/2. By the way, I want to get A+ rating on SSLLabs for all websites.

I spent about 3-4 hours validating nginx’s configs.

Then I tried to down all websites except one because I thought that the problem is common for all websites (all of them have the same configs) and I don’t want to update all configs at the same time.

On every change, I checked results with SSLLabs trying to get A+ score. And nothing happened – site returns responses via HTTP/1.1, not HTTP2, and SSLLabs displayed just A score, not A+.

What did I do?

I used curl to check HTTP response:

curl -vso /dev/null --http2 https://domain.tld

Every time curl returns me the same result:

< HTTP/1.1 200 OK

Then I decided to check the installed version of OpenSSL:

# apt list --installed | grep openssl
openssl/oldoldstable,now 1.1.0l-1~deb9u3 amd64 [installed]

Okay, I’ve got the latest version.

Then checked which version of OpenSSL nginx uses. It must be the same in the nginx’s version output:

# nginx -V
built with OpenSSL 1.1.0l  10 Sep 2019 # Right here

Nice! I forget to reinstall nginx. I just reinstalled all required nginx’s packages and got curl response with HTTP/2!

< HTTP/2 200

Now I want to get A+ score on SSLLabs. Don’t ask me why, I don’t know.

How to get A+ score

The next step is to create directory for dhparam and generate cert with OpenSSL.

# mkdir /etc/nginx/ssl
# openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096

Then I changed SSL settings in /etc/nginx/nginx.conf:

ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2; # I removed another protocols to get A+ score.

And in each server section for websites’ configs I added:

listen 443 ssl http2; # <- Do not forget to add `http2`

server_name domain.tld;

ssl_certificate     /root/.acme.sh/domain.tld/fullchain.cer;
ssl_certificate_key /root/.acme.sh/domain.tld/domain.tld.key;

ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2;

ssl_dhparam /etc/nginx/ssl/dhparam.pem; # <- It is required to get A+.

ssl_stapling on;
ssl_stapling_verify on;

# Add HSTS to get extra points:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

That’s it!

After all changes and restarting nginx, I’ve had A+ in SSLLabs and HTTP2 response!

Conclusion

Do not forget to check versions of installed packages. It does matter.

3 thoughts on “What I’ve learned while migrating my sites to HTTPS with HTTP/2”

  1. Hi!
    Just a few remarks from a former colleague.

    Support for Debian 9 ends on June 30, 2022. For example, support for Ubuntu 20 has been extended until April 2030.

    The “A+” rating from SSL Labs has nothing to do with HTTP/2 or nginx. For example, the HTTP/1.1+Apache website “vpn.your_former_company.com” has had such an assessment for a long time, it was also interesting for me to achieve this. I haven’t even told anyone about it. Nobody cares.

    It would be interesting to also get TLSv1. 3, although there were rumors that it might be banned in Russia.

    My best wishes.

  2. It will be funny if my previous comments have disappeared, being erased by this last one. I don’t see them. However, all this does not matter. Happy moderation!

Leave a Reply

Your email address will not be published.