Request: Recommended Server Configurations

Reposting this as it was never addressed and is now locked:

It would be great if the .org, docs, or this site kept an (updated) recommended configuration file for various web servers (e.g. which protocols/etc should be enabled). This could probably mirror what certbot is automating, but surfacing it in a way that people using ‘certonly’ or those interested in the configuration specifics can reference.

If certbot already does this, interested parties should just look at the source or documentation there.

Tracking identical data in multiple places rarely works long-term.

That requires someone to have a working knowledge of Python – which certbot is written in, and which is not guaranteed of the target audience of end-users.

A large number of posts in this forum, and on StackOverflow, have to do with people asking for information like this.

The information could be centrally tracked/managed (within certbot, elsewhere?) and exposed in a readable format to end-users as part of build scripts.

Configuration at this level is often specialized to the environment. I don’t see that Let’s Encrypt could provide a solid job at this type of thing.

I personally recommend looking at if you want a good starting point for best-practice configuration of encryption ciphers, protocols, etc.

If you’re using IIS, I personally recommend using for configuration there.

Let’s Encrypt could do a stellar job at this, as they already do. Certbot does this for the automatic installs (via apache/nginx).

I’m talking about printing what the plugin does (i.e. recommended) into the docs.

Based on the code, it looks like they’re using the “intermediate” configuration from the Mozilla config generator for Apache HTTPd.

