To hide the web server version number, server operating system details, installed Apache modules and more, open your Apache web server configuration file in your favorite editor:

$ sudo vi /etc/apache2/apache2.conf        #Debian/Ubuntu systems
$ sudo vi /etc/httpd/conf/httpd.conf       #RHEL/CentOS systems 

Then add (or modify) the following two directives:

ServerTokens Prod
ServerSignature Off 


I replaced the GoDaddy certificates and this error came up, even after trying to restore the entire VM. The solution was simple: sudo a2ensite default-ssl.conf. It had somehow got disabled.

If the Fortinet name appears in SSL Labs scans and you get a T (trust) grade:

When changing certificates on the 60E, make sure each SSL/SSH Inspection deep-inspection certificate entry lists the actual certificate, or Fortinet will keep showing up in SSL Labs scans.

This adds the PPA that provides the latest version of Apache 2 and installs it:

sudo add-apt-repository ppa:ondrej/apache2
sudo apt update
sudo apt install apache2

Enable SSL on Apache2

sudo a2enmod ssl
sudo a2enmod headers

sudo a2enmod authz_core authz_host access_compat socache_shmcb slotmem_shm socache_dbm

sudo service apache2 restart

See sections on OCSP Stapling and DNS CAA for more information.

Final sites-available configuration file

# OCSP Stapling
SSLCryptoDevice dynamic
SSLStaplingCache shmcb:/var/log/apache2/
SSLSessionCache shmcb:/var/log/apache2/

Mutex file:/var/log/apache2/ ssl-cache
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLPassPhraseDialog builtin

Redirect permanent /

Redirect permanent /

Redirect permanent /

Redirect permanent /

Redirect permanent /

Redirect permanent /
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

Redirect permanent /
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

DocumentRoot /var/www/

SSLEngine On
SSLCertificateFile /etc/apache2/ssl/xxxxxx.crt
SSLCertificateKeyFile /etc/apache2/ssl/xxxxx.key
SSLCACertificateFile /etc/apache2/ssl/gd_bundle-g2-g1.crt
SSLOpenSSLConfCmd DHParameters "/etc/apache2/ssl/dhxxxxx.pem"
SSLOCSPEnable on
SSLUseStapling on
SSLOCSPResponseMaxAge 900
SSLOCSPResponseTimeSkew 300
SSLStaplingReturnResponderErrors off
SSLStaplingErrorCacheTimeout 60
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
# Header set Set-Cookie HttpOnly;Secure: WordPress won't work
Header set X-XSS-Protection "1; mode=block"
Header set Referrer-Policy "origin"
ErrorLog /var/log/apache2/
CustomLog /var/log/apache2/ combined

## Only enable TLS v1.2 and v1.3 and avoid older protocols ##
SSLProtocol -all +TLSv1.3 +TLSv1.2

SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:prime256v1
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off

## Permission for our DocumentRoot ##

Options Indexes FollowSymLinks
AllowOverride All

SSL rating for this site


My servers only support TLS 1.2 and TLS 1.3. They can't fall back to TLS 1.1 or earlier. I found this command, which tests for it:

openssl s_client -connect -fallback_scsv -no_tls1_2
140092949538112:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../ssl/record/rec_layer_s3.c:1543:SSL alert number 70

no peer certificate available

No client certificate CA names sent

SSL handshake has read 7 bytes and written 134 bytes
Verification: OK

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Protocol : TLSv1.1
Cipher : 0000
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1590750080
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no

SSL alert number 70 (protocol_version) means the protocol version the client attempted to negotiate is recognized, but not supported. For example, old protocol versions might be avoided for security reasons. This message is always fatal.
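As an added example (not from the original post), here is a small Python wrapper around the same openssl s_client probe that parses the output shown above: an alert 70 and/or "Cipher : 0000" is treated as a refused downgrade, a real cipher suite name as an accepted one. The probe and check_no_legacy functions assume openssl is on PATH and need network access; classify runs offline on the constructed samples embedded below.

```python
import re
import subprocess
# TLS alert codes a hardened server sends when a downgrade is attempted (RFC 5246 / RFC 8446)
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 71: "insufficient_security"}
ALERT_RE = re.compile(r"SSL alert number (\d+)")
PROTO_RE = re.compile(r"^Protocol\s*:\s*(\S+)", re.M)
CIPHER_RE = re.compile(r"^Cipher\s*:\s*(\S+)", re.M)

def classify(output: str) -> dict:
    """Parse s_client output. accepted: True = real cipher negotiated, False = refused
    (alert and/or 'Cipher : 0000'), None = local openssl cannot offer that version (inconclusive)."""
    if "unknown option" in output.lower():
        return {"protocol": None, "cipher": None, "alert": None, "alert_name": None, "accepted": None}
    alert = ALERT_RE.search(output)
    proto = PROTO_RE.search(output)
    cipher = CIPHER_RE.search(output)
    alert_no = int(alert.group(1)) if alert else None
    cipher_val = cipher.group(1) if cipher else None
    return {
        "protocol": proto.group(1) if proto else None,
        "cipher": cipher_val,
        "alert": alert_no,
        "alert_name": ALERT_NAMES.get(alert_no, "unknown") if alert_no is not None else None,
        # a refused handshake prints "Cipher : 0000" or "(NONE)"; a completed one prints the suite
        "accepted": cipher_val not in (None, "0000", "(NONE)"),
    }

def probe(host: str, port: int = 443, extra_args=(), timeout: int = 15) -> dict:
    """Run openssl s_client with extra flags (e.g. ('-fallback_scsv', '-no_tls1_2')) and classify it."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host, *extra_args]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return classify(proc.stdout.decode(errors="replace") + proc.stderr.decode(errors="replace"))

# Legacy versions a TLS 1.2/1.3-only server must refuse, with the s_client flag that forces each
LEGACY = {"SSLv3": ("-ssl3",), "TLSv1": ("-tls1",), "TLSv1.1": ("-tls1_1",)}

def check_no_legacy(host: str, port: int = 443) -> dict:
    """Map each legacy version to accepted True/False/None; all False is the desired result."""
    return {name: probe(host, port, flags)["accepted"] for name, flags in LEGACY.items()}
# Constructed samples: the refused TLS 1.1 attempt quoted above, and an accepted TLS 1.2 handshake
SAMPLE_REFUSED = ("140092949538112:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol "
                  "version:../ssl/record/rec_layer_s3.c:1543:SSL alert number 70\n"
                  "New, (NONE), Cipher is (NONE)\nProtocol : TLSv1.1\nCipher : 0000\n")
SAMPLE_ACCEPTED = ("New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384\n"
                   "Protocol  : TLSv1.2\nCipher    : ECDHE-RSA-AES256-GCM-SHA384\n")

if __name__ == "__main__":
    for name, sample in (("refused", SAMPLE_REFUSED), ("accepted", SAMPLE_ACCEPTED)):
        print(name, classify(sample))
```

Running check_no_legacy("your.host") against a server configured as above should return False for every legacy version; a None means your local openssl was built without that protocol and cannot test it.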