How to Get an 'A' Rating From Qualys SSL Labs if Your DNS Is Cloudflare and You Use OpenLiteSpeed as Your WordPress Web Server
By default, when you set up a WordPress site using OpenLiteSpeed (https://openlitespeed.org), you’ll get a “B” rating in the Qualys SSL Labs SSL test at https://www.ssllabs.com/ssltest/. And even if you set the minimum TLS version on Cloudflare to TLS 1.2, Qualys reports that your website still uses TLS 1.1. The following steps allow you to fix the certificate issue and get an “A” rating.
Steps
- Ensure you’re set up to use TLS 1.2 as the minimum version on Cloudflare. Go to your domain name in Cloudflare –> SSL/TLS –> Edge Certificates –> Minimum TLS Version –> TLS 1.2.
- SSH to the server where your website is hosted. Open the OpenLiteSpeed port by typing
  sudo ufw allow from YOUR_IP to any port 7080
  (This command works for Ubuntu.)
- Go to the OpenLiteSpeed Server browser at https://YOUR_SSH_SERVER_IP:7080 from your own machine. Log in.
- Go to “Virtual Hosts”, select your webserver –> SSL –> SSL Protocol. Edit to add these: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- Turn on Enable ECDH Key Exchange and Enable DH Key Exchange.
- Save.
- Graceful Restart.
- Run the SSL Labs test. Your site should get an “A” now, instead of the original “B”.
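To confirm the result of the steps above from a terminal before re-running SSL Labs, here is an added example (not part of the original post): it attempts one TLS 1.1 and one TLS 1.2 handshake with `openssl s_client` and checks that the first is refused and the second lands on one of the two configured suites. The script name, the function names and the sample transcripts are assumptions made for this example.

```shell
#!/bin/sh
# Added example: local pre-check of the steps above, before re-running SSL Labs.
# Usage: sh tls_check.sh example.com   (script name and host are placeholders)

# Print the negotiated cipher from an `openssl s_client` transcript on stdin.
# A refused handshake reports "Cipher is (NONE)", which yields empty output.
negotiated_cipher() {
  sed -n 's/^New, .*Cipher is \(.*\)$/\1/p' | grep -v '^(NONE)$' | head -n 1
}

# Succeed only for the two suites added in the steps (OpenSSL spelling).
is_expected_cipher() {
  case "$1" in
    ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-AES256-GCM-SHA384) return 0 ;;
    *) return 1 ;;
  esac
}

# verdict TLS11_TRANSCRIPT TLS12_TRANSCRIPT -> one-line PASS/FAIL result
verdict() {
  _c11=$(printf '%s\n' "$1" | negotiated_cipher)
  _c12=$(printf '%s\n' "$2" | negotiated_cipher)
  if [ -n "$_c11" ]; then echo "FAIL: TLS 1.1 still accepted ($_c11)"
  elif [ -z "$_c12" ]; then echo "FAIL: TLS 1.2 handshake failed"
  elif ! is_expected_cipher "$_c12"; then echo "FAIL: unexpected TLS 1.2 cipher ($_c12)"
  else echo "PASS: TLS 1.1 refused, TLS 1.2 uses $_c12"
  fi
}

# Constructed sample transcript lines (not captured from a real server).
SAMPLE_REFUSED='New, (NONE), Cipher is (NONE)'
SAMPLE_TLS11='New, TLSv1.0, Cipher is ECDHE-RSA-AES128-SHA'
SAMPLE_TLS12='New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384'

# probe HOST FLAG: one handshake restricted to a single protocol version.
probe() {
  openssl s_client -connect "$1:443" -servername "$1" "$2" </dev/null 2>&1
}

# Only touch the network when a host name is given on the command line.
if [ -n "${1:-}" ]; then
  verdict "$(probe "$1" -tls1_1)" "$(probe "$1" -tls1_2)"
fi
```

If the local OpenSSL build itself refuses TLS 1.1, the first probe fails on the client side and says nothing about the server, so run the check from a machine whose OpenSSL still permits TLS 1.1. If the domain is proxied through Cloudflare, the handshake is with Cloudflare's edge rather than with OpenLiteSpeed directly.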
Post work and cleanup
- Remove the firewall rule now by typing
  sudo ufw delete allow from YOUR_IP to any port 7080
  (This command works for Ubuntu.)
- Log out of https://YOUR_SSH_SERVER_IP:7080
- Check if there are any other ports open by running
  sudo ufw status
  on the terminal of your SSH server. Apart from port 80 and 443, there should not be any.
- Log out of your SSH server.