Solved [BUG] Letsencrypt renew on hostname loses DHE ciphers causing TLS issues with some customers

Richard G

Again the same issue on renewing hostname certificate.

Related thread:
see post #9 and #10.

Related ticket number: #34284

Every time the hostname certificate gets renewed with Letsencrypt we lose the DHE ciphers:
Code:
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong

and only the ECDHE ciphers are present again.

DA staff fixed this then in a letsencrypt.sh 2.0.22 if all is well, so the 4096 is added again when the hostname is renewed, at least it should be. But unfortunately now 3 months later on the first update.

I'll reopen the ticket too in case investigation with login is needed.
 
DA support found the bug and fixed it.

The fix is either available via the alpha channel binaries or will also be present on the next current channel update.

Workaround until then (if you don't want to switch channels):
Code:
cd /usr/local/directadmin/scripts
./letsencrypt.sh request_single your.hostname.com 4096

If you want, you can also revoke it before creating a new certificate by using this line:
./letsencrypt.sh revoke your.hostname.com
 
Now only use this for the hostname. And then check if the issue is gone.
If that doesn't fix your issue, then probably something else is going on. It can't harm to do this.
 
For me, this keeps happening. @Richard G your manual fix works like a charm but... How can I put a permanent fix in place? Email for one of the domains on our DA server requires these ciphers to receive mail from our third party Anti SPAM provider. Every few months, this breaks and I have to come look up this info and do the manual fix again. This time it was conveniently on Easter morning as I was trying to leave for the holiday activities.

My DA install is up to date, has there been a fix put in place for this yet?

Thanks in advance for any assistance in fixing this permanently so I don't have to keep putting in emergency manual fixes every time my customer's email stops flowing abruptly.
 
Current version info. I didn't click update because I didn't want to get a newer version than what I had when this issue occurred recently. Not sure if clicking update will do the trick to fix this finally or not. Also, I am pretty sure DA is set to update automatically but can't remember.
 

My DA install is up to date, has there been a fix put in place for this yet?
Hello.

This was fixed a few releases ago. I did check and can confirm that with the newest LE updates for our hostname, the RSA 256 ciphers are kept in place. I presume you also updated custombuild to the latest versions, including especially the latest letsencrypt?

What exactly is wrong? Is it only the hostname which does not have the ciphers? Or also the users' domains?

You can check for the domain like this:
nmap --script ssl-enum-ciphers -p 465 domain.com
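Since the thread shows the DHE ciphers silently disappearing after a renewal and only being noticed when customer mail stops, a small check that can run from cron is useful. The script below is an added example, not code from the thread or from DirectAdmin: it parses the output of the nmap ssl-enum-ciphers scan mentioned above and reports whether any TLS_DHE_RSA cipher is still offered; the two sample scan outputs are constructed, and the host name is an assumed placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): parse `nmap --script ssl-enum-ciphers`
# output and report when no DHE_RSA cipher is offered, so a cron job can warn
# right after a hostname certificate renewal instead of waiting for bounces.

# Constructed sample of nmap output for a host that lost its DHE ciphers.
SAMPLE_NO_DHE='PORT    STATE SERVICE
465/tcp open  smtps
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|_  least strength: A'

# Constructed sample for a healthy host that still offers DHE ciphers.
SAMPLE_WITH_DHE='PORT    STATE SERVICE
465/tcp open  smtps
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 4096) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 4096) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|_  least strength: A'

# count_dhe_ciphers: print how many TLS_DHE_RSA_* cipher lines appear in the
# scan output read from stdin (prints 0 when there are none).
count_dhe_ciphers() {
    grep -c 'TLS_DHE_RSA_' || true
}

# dhe_present: exit 0 when the scan output on stdin lists at least one DHE
# cipher, 1 otherwise.
dhe_present() {
    [ "$(count_dhe_ciphers)" -gt 0 ]
}

# check_host: scan HOST:PORT (default 465, implicit-TLS SMTP) with nmap and
# say whether the DHE ciphers survived the last renewal. Requires nmap.
check_host() {
    host=$1
    port=${2:-465}
    if nmap --script ssl-enum-ciphers -p "$port" "$host" | dhe_present; then
        echo "OK: $host:$port offers DHE ciphers"
    else
        echo "ALERT: $host:$port offers no DHE ciphers; rerun request_single with 4096" >&2
        return 1
    fi
}

# Usage: ./check_dhe.sh your.hostname.com [port]   (placeholder host name)
if [ -n "${1:-}" ]; then check_host "$1" "${2:-465}"; fi
```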
 