<![CDATA[Dev1 Galaxy Forum / [SOLVED] SSL Report - What to Fix & Ignore]]> https://dev1galaxy.org/viewtopic.php?id=5449 Thu, 05 Jan 2023 14:36:13 +0000 FluxBB <![CDATA[Re: [SOLVED] SSL Report - What to Fix & Ignore]]> https://dev1galaxy.org/viewtopic.php?pid=40006#p40006 dcolburn wrote:

I'm guessing I need to figure out why DNS CAA isn't being reported ... DNS CAA     No (more info)

This is set by your domain registrar.  Log into the site that you registered the domain name, and add a CAA record using the issuer of your certificate.  https://letsencrypt.org/docs/caa/ may have more information.  One of my CAA records looks like this:
example.com 1799 IN CAA 0 issue "letsencrypt.org"

Unfortunately, I don't know what to make of those handshake failures.  That seems unrelated to caa.

]]> Thu, 05 Jan 2023 14:36:13 +0000 https://dev1galaxy.org/viewtopic.php?pid=40006#p40006 <![CDATA[Re: [SOLVED] SSL Report - What to Fix & Ignore]]> https://dev1galaxy.org/viewtopic.php?pid=40005#p40005 Shutting down for the night but will try this tomorrow ... unless directed elsewhere ...

https://www.linuxbabe.com/ubuntu/dns-over-tls-resolver-nginx

Step 3: Create DNS over TLS Proxy in Nginx

]]> Thu, 05 Jan 2023 03:57:35 +0000 https://dev1galaxy.org/viewtopic.php?pid=40005#p40005 <![CDATA[Re: [SOLVED] SSL Report - What to Fix & Ignore]]> https://dev1galaxy.org/viewtopic.php?pid=40004#p40004 These are the last few lines of output from https://unboundtest.com for CAA.

Jan 05 03:47:24 unbound[729481:0] info: reply from <com.> 192.41.162.30#53
Jan 05 03:47:24 unbound[729481:0] info: query response was ANSWER
Jan 05 03:47:24 unbound[729481:0] info: validated DNSKEY com. DNSKEY IN
Jan 05 03:47:24 unbound[729481:0] info: resolving realupnow.com. DS IN
Jan 05 03:47:24 unbound[729481:0] info: response for realupnow.com. DS IN
Jan 05 03:47:24 unbound[729481:0] info: reply from <com.> 2001:503:d2d::30#53
Jan 05 03:47:24 unbound[729481:0] info: query response was nodata ANSWER
Jan 05 03:47:24 unbound[729481:0] info: NSEC3s for the referral proved no DS.
Jan 05 03:47:24 unbound[729481:0] info: Verified that unsigned response is INSECURE
Jan 05 03:47:24 unbound[729481:0] info: 127.0.0.1 realupnow.com. CAA IN NOERROR 1.528696 0 101
]]> Thu, 05 Jan 2023 03:50:20 +0000 https://dev1galaxy.org/viewtopic.php?pid=40004#p40004 <![CDATA[[SOLVED] SSL Report - What to Fix & Ignore]]> https://dev1galaxy.org/viewtopic.php?pid=40003#p40003 Suggestions as to what I should address vs ignore?

I just ran this free analysis ... https://www.ssllabs.com/ssltest/analyze.html

I'm guessing I need to figure out why DNS CAA isn't being reported ... DNS CAA     No (more info)

Should I just ignore the rest of this?

IE 11 / Win Phone 8.1  R		Server sent fatal alert: handshake_failure
Safari 6 / iOS 6.0.1 	Server sent fatal alert: handshake_failure
Safari 7 / iOS 7.1  R		Server sent fatal alert: handshake_failure
Safari 7 / OS X 10.9  R		Server sent fatal alert: handshake_failure
Safari 8 / iOS 8.4  R		Server sent fatal alert: handshake_failure
Safari 8 / OS X 10.10  R		Server sent fatal alert: handshake_failure
]]> Thu, 05 Jan 2023 02:42:38 +0000 https://dev1galaxy.org/viewtopic.php?pid=40003#p40003