First, Josh, thank you! I have an A+ SSL with SSLLabs. Loving my Mail-in-a-box!
All shows green and OK on my “System Status Checks” page and every SSL check shows good things. I never used a password with my DigitalOcean droplet from the beginning and don’t know what self-signed one it’s talking about. I have a Comodo wildcard SSL certificate installed. I have root disabled and an account running sudo separately. Thoughts on what self-signed root cert it’s talking about? tx!
Warnings
BEAST
The BEAST attack is not mitigated on this server.
Root installed on the server.
For best practices, remove the self-signed root from the server.
I’ve checked my ssl against these sites if it helps others out:
The BEAST vulnerability is… complicated. I don’t understand it entirely. Any modern client should be fine because it’s only a problem with clients that only support up to TLSv1 (or SSLv3, but that’s already disabled), and TLSv1 is probably going to be deprecated soon anyway (at which point we’ll probably drop support in Mail-in-a-Box).
The problem with disabling aspects of TLS to prevent vulnerabilities is you also might end up blocking access by old clients that relied on that aspect. So there’s a trade-off between access at all and the risk of an attack. I’m not 100% sure Mail-in-a-Box has the perfect setup w.r.t. this issue, and am totally open to improvements, but the risk is low (since you’re probably using a modern client and you are probably not the target of an active attack).
Your other question was about a self-signed certificate. If everything else is showing OKs, then this is likely because you added your CA’s root certificate into your intermediate chain. CA certs are (typically) self-signed and do not need to be included in the chain because they’re already present in the browser (which is how the browser knows it’s a real CA). SSLLabs should also warn you about this (although possibly with a different but equally unintelligible message).
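To see concretely what Josh describes, here is a small POSIX shell check, added to this thread as an illustration and not part of Mail-in-a-Box or of either post: it splits a PEM chain file into its individual certificates and flags any whose subject equals its issuer, which is what a self-signed root looks like when it has been pasted into the intermediate chain by mistake. It assumes only the `openssl` command-line tool is installed. The `make_sample_chain` helper builds a constructed throwaway root plus a leaf signed by it (the names `Example Test Root` and `mail.example.com` are made up for the example) and then reproduces the mistake by appending the root to the bundle.

```sh
#!/bin/sh
# Added example, not from the thread or from Mail-in-a-Box.
# Requires the openssl CLI.

# check_chain BUNDLE.pem
# Prints one line per certificate in the bundle:
#   self-signed<TAB><subject>        subject == issuer (a root; should not be served)
#   signed-by-other<TAB><subject>    a normal leaf or intermediate
check_chain() {
    bundle="$1"
    tmpdir=$(mktemp -d)

    # Split the bundle into cert-1.pem, cert-2.pem, ... in order of appearance.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        n { print > f }
        /-----END CERTIFICATE-----/ { close(f) }
    ' "$bundle"

    for c in "$tmpdir"/cert-*.pem; do
        [ -e "$c" ] || continue
        subj=$(openssl x509 -noout -subject -in "$c")
        iss=$(openssl x509 -noout -issuer -in "$c")
        # Strip the "subject=" / "issuer=" labels so the two names compare directly.
        subj=${subj#subject=}
        iss=${iss#issuer=}
        if [ "$subj" = "$iss" ]; then
            printf 'self-signed\t%s\n' "$subj"
        else
            printf 'signed-by-other\t%s\n' "$subj"
        fi
    done

    rm -rf "$tmpdir"
}

# make_sample_chain
# Constructed sample input: a throwaway self-signed "root" and a leaf it signs,
# concatenated leaf-then-root, i.e. the chain layout Josh suspects.
# Prints the path of the resulting bundle.
make_sample_chain() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Example Test Root" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=mail.example.com" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -sha256 -in "$dir/leaf.csr" \
        -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
        -out "$dir/leaf.pem" 2>/dev/null
    cat "$dir/leaf.pem" "$dir/root.pem" > "$dir/bundle.pem"
    echo "$dir/bundle.pem"
}

# Usage against the constructed sample:
#   check_chain "$(make_sample_chain)"
# Against a live server, save what it actually sends and check that instead:
#   openssl s_client -connect mail.example.com:443 -showcerts </dev/null \
#       2>/dev/null | sed -n '/BEGIN CERT/,/END CERT/p' > served.pem
#   check_chain served.pem
```

Any `self-signed` line for a cert that is not your own private CA means the root is being served needlessly; remove it from the chain file (keep the leaf and the intermediates) and the warning should go away, since clients already hold that root in their own trust store.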