[Solved] DNS CAA records ????

Hi

I'm still tweaking the SSL setup of my new Virtualmin server to be as good as possible, but I found this: https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum

Is anyone aware of this? Virtualmin doesn't handle CAA records in DNS. I guess I can still add it manually, but is it legitimate? Didn't find much info about it on the net!

Thanks

Vincèn

OK, I found the answer myself and so edited the BIND template in my Virtualmin to include by default in all new zones these two records:

${DOM}. IN CAA 0 issue "letsencrypt.org"
${DOM}. IN CAA 0 issuewild ";"


Hi vincen.
This is news to me.
Currently I have a box with 2 domains on it and HTTPS works fine. But no, I didn't know this.
Where did you edit this?

Webmin -> BIND DNS Server -> and then?

Edit Config File? And then add this line beneath these lines?

include "/etc/bind/named.conf.options";

include "/etc/bind/named.conf.local";

include "/etc/bind/named.conf.default-zones";

Hoping to hear from you again.

regards,

Paco

No no, you have to add it in the BIND template for the zone!
Virtualmin -> System Settings -> Server Templates -> Default Settings -> BIND DNS Domain
In the first field, "BIND DNS records for new domains", you add the two lines I indicated and save!

You also have to remove all ciphers that are 128 bits or less in your Apache config, and then you should get an A grade on that test like me:
[screenshot: SSL A Grade]

And with the last tweaks it became A+, woohoo :wink:
[screenshot: SSL A+ Grade]

Dear vincen.
Many thanks for the tip. Now I also have an A- certificate, which is quite great. But I am also interested in obtaining an A+ certificate :slight_smile:
I go to my domain -> Services -> Configure Website for SSL, and where it says SSL protocols I see that TLSv1 is marked.
But when I do what you say, Apache doesn't start:
"You also have to remove all ciphers that are 128 bits or less in your Apache config, and then you should get an A grade on that test like me:
log in to Webmin - Webmin panel - Apache Webserver - click on the virtual server you want to change - in the new screen click on 'Edit Directives' - put your changes in there and restart Apache"


I have this: SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

When I leave it as: SSLProtocol TLSv1

as said, Apache doesn't restart. When restoring the line, everything works again.

Can you please let me know what I might be doing wrong?

Many thanks in advance…

Regards,

Paco

You should check the error when you try to restart Apache and it won't! You are probably missing some modules that are not activated in Apache or not installed :wink: because normally only TLS 1.2 should be active, everything else off!!
I also added these directives in Apache's ssl.conf to make it more secure (be careful to activate the headers module in Apache first, or you won't be able to restart Apache after the modifications!):
SSLHonorCipherOrder on
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options SAMEORIGIN
Header always set X-Content-Type-Options nosniff
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
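Since the back-and-forth above is about which SSLProtocol line is right and which directives are missing, here is an added example (not code from this thread, from Virtualmin or from Apache) that evaluates an Apache SSL config fragment the way mod_ssl reads `SSLProtocol` (`all`, `+proto`, `-proto`, or a bare protocol name, later tokens overriding earlier ones) and reports the things the SSL Labs test penalises: weak protocol versions, no modern version at all, weak cipher families, missing cipher ordering, compression, missing or short HSTS, and no OCSP stapling. The three config samples at the bottom are constructed: a permissive vhost, the "SSLProtocol TLSv1" line from the thread, and the hardened directive set from the post above. The expansion of `all` assumes an httpd build against OpenSSL 1.1.1 or later, and the cipher check is a substring heuristic, not an OpenSSL cipher-string parser.

```python
"""Audit the TLS-related directives in an Apache SSL config fragment.

Added example, not code from the thread, Virtualmin or Apache. Findings are
strings of the form "CODE: detail".
"""
import re
import shlex

# What mod_ssl's `all` shorthand expands to, assuming an httpd build against
# OpenSSL 1.1.1+ (TLSv1.3 available, SSLv2 never available).
ALL_PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Cipher-string words that, when enabled (not prefixed with "!" or "-"), pull
# in families that cap the SSL Labs grade. Heuristic, not a full OpenSSL parser.
WEAK_CIPHER_WORDS = ("RC4", "DES", "MD5", "NULL", "EXP", "ADH", "AECDH", "MEDIUM", "LOW")


def enabled_protocols(args):
    """Evaluate SSLProtocol arguments into the set of enabled versions.

    mod_ssl semantics: `all` expands to ALL_PROTOCOLS; `+X` or a bare `X`
    enables X; `-X` disables it; later tokens override earlier ones.
    """
    enabled = set()
    for tok in args:
        op, name = (tok[0], tok[1:]) if tok and tok[0] in "+-" else ("+", tok)
        names = ALL_PROTOCOLS if name.lower() == "all" else [name]
        for n in names:
            (enabled.add if op == "+" else enabled.discard)(n)
    return enabled


def parse_directives(text):
    """Yield (directive_lowercased, args) per line, skipping comments and
    <VirtualHost>-style section tags."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        parts = shlex.split(line)
        yield parts[0].lower(), parts[1:]


def audit(text):
    """Return a list of 'CODE: detail' findings for the config fragment."""
    findings = []
    directives = list(parse_directives(text))
    last = {name: args for name, args in directives}          # last occurrence wins
    headers = {}
    for name, args in directives:
        if name != "header":
            continue
        if args and args[0].lower() == "always":              # "Header always set ..."
            args = args[1:]
        if len(args) >= 3 and args[0].lower() in ("set", "add", "append"):
            headers[args[1].lower()] = " ".join(args[2:])

    if "sslprotocol" in last:
        protos = enabled_protocols(last["sslprotocol"])
        weak = sorted(protos & WEAK_PROTOCOLS)
        if weak:
            findings.append("PROTO-WEAK: %s enabled" % ", ".join(weak))
        if not protos & {"TLSv1.2", "TLSv1.3"}:
            findings.append("PROTO-NO-MODERN: neither TLSv1.2 nor TLSv1.3 is enabled")
    else:
        findings.append("PROTO-DEFAULT: SSLProtocol not set; the httpd default applies")

    for tok in ":".join(last.get("sslciphersuite", [])).split(":"):
        if tok and tok[0] not in "!-" and any(w in tok.upper() for w in WEAK_CIPHER_WORDS):
            findings.append("CIPHER-WEAK: %s is enabled" % tok)
    if [a.lower() for a in last.get("sslhonorcipherorder", [])] != ["on"]:
        findings.append("CIPHER-ORDER: SSLHonorCipherOrder is not on")
    if [a.lower() for a in last.get("sslcompression", [])] == ["on"]:
        findings.append("COMPRESSION: SSLCompression on exposes CRIME")
    if [a.lower() for a in last.get("sslusestapling", [])] != ["on"]:
        findings.append("STAPLING: SSLUseStapling is not on")
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS-MISSING: no Strict-Transport-Security header")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < 31536000:
            findings.append("HSTS-SHORT: max-age below one year (preload minimum)")
    return findings


def codes(findings):
    """Just the CODE part of each finding, sorted, for quick comparison."""
    return sorted(f.split(":", 1)[0] for f in findings)


# Constructed samples: a permissive vhost, the "SSLProtocol TLSv1" line from
# the thread, and the hardened directive set from the thread.
PERMISSIVE = """
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:RC4:!aNULL
SSLCompression on
"""
ONLY_TLS10 = "SSLEngine on\nSSLProtocol TLSv1\n"
HARDENED = """
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!MD5
SSLHonorCipherOrder on
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options SAMEORIGIN
Header always set X-Content-Type-Options nosniff
"""

if __name__ == "__main__":
    for label, cfg in (("permissive", PERMISSIVE), ("only TLSv1", ONLY_TLS10), ("hardened", HARDENED)):
        print(label, "->", audit(cfg) or "no findings")
```

Run it and the "SSLProtocol TLSv1" sample reports both PROTO-WEAK and PROTO-NO-MODERN: a bare protocol name enables only that version, so that line leaves TLS 1.0 as the only protocol rather than disabling it. The hardened sample produces no findings. Note the checker only reads directives; whether `SSLStaplingCache` is allowed in a vhost or the headers module is loaded is something only an actual `apachectl configtest` will tell you.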

Hi there.
Just sent you an email for a bit more help, if you are free/available.
Hoping to hear from you.
Regards,
Paco

Made a tutorial explaining the whole process, hope it can help :wink:
https://www.virtualmin.com/node/52164


You should really enable TLSv1 and 1.1, otherwise you will cut out a good amount of devices, especially mobile ones.

TLS 1.0 and 1.1 are now considered weak, so they should not be activated! It's not because a lot of outdated and insecure devices are in the field that you should continue to use an outdated and weak protocol, no? :slight_smile:

I'm using it on all websites of my clients and still get an A+ score, so they are definitely not obsolete. Some things I like to push to the newer versions (e.g. PHP), but for some it is better to hold the middle ground. I don't really want to cut XX% of mobile/tablet users, especially when it comes to more serious/demanding clients.

Plus it depends on your configuration whether TLSv1.0 and 1.1 will be secure or not, which ciphers and so on. For example, if nothing has changed, IE 7-10 don't support 1.1 by default and only IE 11 has this enabled. Who knows how many mobile phones and tablets are in the same situation. These are pretty big numbers to be so easily cut off from your website (especially from your clients). Balance is the key word here.

The only reason to disable TLSv1.0 would be PCI compliance; you can still use the other two without any problem.

I’m considering nominating this for the “Best post on this forum” award! Thanks so much.

I used:

mysite.com. IN CAA 0 issue "letsencrypt.org"

mysite.com. IN CAA 0 issuewild ";"

Rather than:

mysite. IN CAA 0 issue "letsencrypt.org"

mysite. IN CAA 0 issuewild ";"

Note the added .com. I did this to match the other entries in my BIND DNS record.

Can you please let me know if this is appropriate and safe behaviour?