A+ 100% blog

I switched to a wildcard cert, and while getting the ACME DNS challenge working[1] I saw that Let's Encrypt is removing support for OCSP (in favor of CRL URLs and the coming, ever-shorter cert validity periods). So I removed my OCSP stapling and switched the certs, and on testing saw I was down to just an A.

My immediate thought was that SSL Labs was giving more weight to one of those two changes than I expected, but I was able to test and verify that they weren't the cause. Bewildered, I started reconstructing my SSL config from scratch (at one point getting an A+ but only 90% for Key Exchange and Cipher Strength, which I didn't know was even possible). I finally got to success, compared against the previous config, and saw that the problem was that I had inadvertently removed all the TLS 1.2 ciphers[2]. Since TLS 1.3-only is a valid configuration for some uses, it wasn't something that stood out for me in the SSL Labs report.
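
The failure mode above, as an added example that is not the post's own config: the post never names the web server, so nginx is assumed, as are the certbot default certificate paths and the hostname `example.com`. The "before" block reproduces the observable symptom (a server that only completes TLS 1.3 handshakes) at the protocol level; the post got there by deleting the TLS 1.2 cipher list instead. The "after" block keeps TLS 1.2 with a 256-bit-only ECDHE list, leaves OCSP stapling out, and adds the HSTS header that SSL Labs requires for A+.

```nginx
# Added example, not the blog's actual server config (nginx and the
# /etc/letsencrypt/live/... paths are assumptions).

# --- Before: effectively TLS 1.3-only, which SSL Labs caps below A+ ---
server {
    listen 443 ssl;
    server_name example.com *.example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Only TLS 1.3 can be negotiated; clients without it get nothing.
    ssl_protocols TLSv1.3;
    # No TLS 1.2 cipher list, no HSTS header: SSL Labs shows A, not A+.
}

# --- After: TLS 1.2 + 1.3, 256-bit suites only, stapling removed, HSTS on ---
server {
    listen 443 ssl;
    server_name example.com *.example.com;

    # Wildcard cert issued via certbot's DNS challenge (paths are certbot
    # defaults; assumed).
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    ssl_protocols TLSv1.2 TLSv1.3;

    # TLS 1.2 suites. ssl_ciphers does not control TLS 1.3 suites, so this
    # line is exactly what goes missing in a "TLS 1.3 only" accident.
    # All four are 256-bit with forward secrecy, which keeps SSL Labs'
    # Cipher Strength at 100 (allowing any AES-128 suite drops it to 90).
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    ssl_ecdh_curve X25519:secp384r1;

    # OCSP stapling deliberately absent: Let's Encrypt is dropping OCSP,
    # so ssl_stapling / ssl_stapling_verify / resolver are not set
    # (ssl_stapling defaults to off).

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # Required for an SSL Labs A+: HSTS with a long max-age.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
}
```

To confirm TLS 1.2 is actually on offer before re-running SSL Labs, force the version from the client side with `openssl s_client -connect example.com:443 -servername example.com -tls1_2 </dev/null` and check that the handshake completes with `Protocol : TLSv1.2`; repeat with `-tls1_3`. A TLS 1.3-only server fails the first command immediately, which is a much faster signal than waiting on a full scan.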

And now my server config is under version control[3] :)


  1. Something of a hassle, since I'm using certbot out of fondness for the EFF, and they are now pushing snaps as the preferred delivery method and have deprecated their PPA, and the DNS plugin for my registrar isn't available as a snap. ↩︎

  2. Which, BTW, makes the SSL Labs scan much faster :) ↩︎

  3. Next up, Chef or Puppet (I already know more Ansible than I want to). Ironically, the only at all complex thing pre-blog was the OCSP proxy, now gone. ↩︎