New certs will successfully installed on Apache 2.2 but browsers now compain as they are not tls 1.2 compliant:
https://www.ssllabs.com/ssltest/analyze.html?d=mail.gg-law.com&hideResults=on
So, my consultant said we needed to change Apache to use mod_nss instead of mod_ssl to enable TLS.
install mod_nss to the current apache replacing mod_ssl which supports tls 1.2.
However, apache2-mod_nss and dependency mozilla-nss-tools installed fine but the the problem is that someplace along the way in updates the behavior changed.
what is supposed to happen is that the migration script should snag the ssl certs and create a database in /etc/apache2/mod_nss.conf consisting of three files, cert8.db, key3.db and secmod.db but instead it seems that we have newer versions of mozilla-nss-tools which create instead the files cert9.db, key4.db and pkcs11.txt, despite all types of documentation referring to the first version. so I think that the certs are in fact getting imported to the new nss db, and i figured out what to change in the apache config file to tell it to look there for the cert when it starts up, but it fails to start and conveniently leaves no error message other than failed to load. i tried using earlier versions of apache2-mod_nss and mozilla-nss-tools in the hope that it might match the documented behavior but no.
so i'm stuck at this point. Is there anything else I can try here? Bottom line is to get apache2-mod_nss configured and I think we'll be good to go.
Thanks,
Tom
https://www.ssllabs.com/ssltest/analyze.html?d=mail.gg-law.com&hideResults=on
So, my consultant said we needed to change Apache to use mod_nss instead of mod_ssl to enable TLS.
install mod_nss to the current apache replacing mod_ssl which supports tls 1.2.
However, apache2-mod_nss and dependency mozilla-nss-tools installed fine but the the problem is that someplace along the way in updates the behavior changed.
what is supposed to happen is that the migration script should snag the ssl certs and create a database in /etc/apache2/mod_nss.conf consisting of three files, cert8.db, key3.db and secmod.db but instead it seems that we have newer versions of mozilla-nss-tools which create instead the files cert9.db, key4.db and pkcs11.txt, despite all types of documentation referring to the first version. so I think that the certs are in fact getting imported to the new nss db, and i figured out what to change in the apache config file to tell it to look there for the cert when it starts up, but it fails to start and conveniently leaves no error message other than failed to load. i tried using earlier versions of apache2-mod_nss and mozilla-nss-tools in the hope that it might match the documented behavior but no.
so i'm stuck at this point. Is there anything else I can try here? Bottom line is to get apache2-mod_nss configured and I think we'll be good to go.
Thanks,
Tom