I was getting a B rating when testing my newly Let’s Encrypted site with Qualys SSL Labs.
The solution was to add a strong DH group to NGINX (I already had the correct SSL ciphers in the global nginx.conf).
SSH into your server and run the following command to generate secure Diffie-Hellman parameters.
sudo openssl dhparam -out /etc/nginx/dhparams.pem 2048
You will see the following output in your terminal.
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
........................+.............+.....................+..
Next you need to edit your global NGINX config.
sudo nano /etc/nginx/nginx.conf
Add the following line in with the other ssl options.
ssl_dhparam /etc/nginx/dhparams.pem;
Save and exit, then, once back at the command line, check you haven’t made any typos by testing the config.
sudo nginx -t
If everything is okay, you should see the following almost instantly.
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
If you get any errors, edit the file again and check for missing semicolons or other mistakes. Save and test the config again until it passes.
Once the check passes, restart nginx.
sudo systemctl restart nginx
This should take only a few seconds for most small sites.
Now run the SSL test again and you should hopefully be seeing an A result!
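Before re-running the external test, the steps above can be checked locally. The script below is an added example, not part of the original post: it confirms that the config has an active ssl_dhparam directive and that the file it names holds parameters of at least 2048 bits. The function names and MIN_BITS are hypothetical, and it assumes openssl prints a "DH Parameters: (N bit)" line for -text output.

```shell
#!/bin/sh
# Added example: audit the ssl_dhparam setting configured in the steps above.

# Print the path from the first active (uncommented) ssl_dhparam directive.
dhparam_path() {
    sed -n 's/^[[:space:]]*ssl_dhparam[[:space:]]\{1,\}\([^;[:space:]]*\)[[:space:]]*;.*/\1/p' "$1" | head -n 1
}

# Read `openssl dhparam -text -noout` output on stdin, print the bit length.
# Assumes the "DH Parameters: (N bit)" line format.
dhparam_bits() {
    sed -n 's/.*DH Parameters: (\([0-9]\{1,\}\) bit).*/\1/p' | head -n 1
}

# Succeed when the size is at least MIN_BITS (default 2048, as generated above).
bits_ok() {
    [ -n "$1" ] && [ "$1" -ge "${MIN_BITS:-2048}" ]
}

# Full check: directive present, file readable, parameters large enough.
audit_dhparam() {
    conf=$1
    pem=$(dhparam_path "$conf")
    if [ -z "$pem" ]; then
        echo "FAIL: no active ssl_dhparam directive in $conf"; return 1
    fi
    if [ ! -r "$pem" ]; then
        echo "FAIL: $pem is missing or unreadable"; return 1
    fi
    bits=$(openssl dhparam -in "$pem" -text -noout 2>/dev/null | dhparam_bits)
    if bits_ok "$bits"; then
        echo "OK: $pem is $bits bits"
    else
        echo "FAIL: $pem is ${bits:-unparseable} bits, want >= ${MIN_BITS:-2048}"; return 1
    fi
}
```

Run it as `audit_dhparam /etc/nginx/nginx.conf` after sourcing the file, with sudo if the parameter file is not world-readable.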