Better SSL than Google? Let’s Encrypt is Good!

I was rather shocked.

After moving the server into Google Cloud, I decided to see what the SSL testing by SSL Labs would say about it. I secure all of my servers with the Let’s Encrypt program sponsored by the EFF and others.

I was use to getting a score of A with their test. Today though, the results came up A+. I have never seen SSL Labs give out an A+ score before. Not even to Google.

SSL Lab results for www.google.com showing a grade of A — SSL Lab results for www.google.com

SSL Lab results for www.lupecode.com showing a grade of A+ — SSL Lab results for www.lupecode.com

The results for www.lupecode.com on SSL Labs.

Right at the top in the blue bar, it states that Lupe Code only “works only in browsers with SNI support.” On Google’s in place of the blue bar is an orange bar that states that the “intermediate certificate has an insecure signature.” The green metric bars in the middle right, next to the letter grade, show the same scores for the categories. So, what is the difference, how did I get an A+? Is it the blue/orange bar difference? It is not the only one.

Let’s talk about how I got the A+ rating.

You won’t believe this, I did nothing special. Literally. I set up a new server in GCE (Google Compute Engine). I used Ubuntu 16.04 LTS. Installed PHP7.2, MySQL 5.7, and Apache 2. Installed CertBot, which is Let’s Encrypt’s automated SSL generation application.

Here is the script that I ran to do all of that. You can run this too, just do so as root.

#!/usr/bin/env bash
#Add the new repos
echo 'Updating the repositories.'
apt-get update
apt-get upgrade
add-apt-repository -y ppa:certbot/certbot
add-apt-repository -y ppa:ondrej/php
apt-get update
#Install Apache2
echo 'Installing Apache2.'
apt-get install -y apache2 apache2-bin apache2-data apache2-utils
a2dismod mpm_event
a2enmod mpm_prefork 
#Install Certbot
echo 'Installing CertBot.'
apt-get install -y apt-transport-https software-properties-common python-certbot-apache python-software-properties
#Install PHP
echo 'Installing PHP.'
apt-get install -y php7.2 php7.2-cgi php7.2-cli php7.2-curl php7.2-gd php7.2-gmp php7.2-json php7.2-mysql php7.2-xml libapache2-mod-php7.2  php7.2-mbstring php7.2-soap php7.2-zip php7.2-xsl php7.2-bcmath php7.2-bz2 php7.2-common
#Install MySQL
echo 'Installing MySQL.'
apt-get install -y mysql-server

#!/usr/bin/env bash

#Add the new repos

echo 'Updating the repositories.'

apt-get update

apt-get upgrade

add-apt-repository -y ppa:certbot/certbot

add-apt-repository -y ppa:ondrej/php

apt-get update

#Install Apache2

echo 'Installing Apache2.'

apt-get install -y apache2 apache2-bin apache2-data apache2-utils

a2dismod mpm_event

a2enmod mpm_prefork

#Install Certbot

echo 'Installing CertBot.'

apt-get install -y apt-transport-https software-properties-common python-certbot-apache python-software-properties

#Install PHP

echo 'Installing PHP.'

apt-get install -y php7.2 php7.2-cgi php7.2-cli php7.2-curl php7.2-gd php7.2-gmp php7.2-json php7.2-mysql php7.2-xml libapache2-mod-php7.2 php7.2-mbstring php7.2-soap php7.2-zip php7.2-xsl php7.2-bcmath php7.2-bz2 php7.2-common

#Install MySQL

echo 'Installing MySQL.'

apt-get install -y mysql-server

After I set up the DNS to point www.lupecode.com to this server, and created the virtual host in Apache, I just ran certbot with this command:

certbot --apache --quiet --redirect --hsts --domain "www.lupecode.com"

1	certbot --apache --quiet --redirect --hsts --domain "www.lupecode.com"

That was it. I really did nothing special. Let’s Encrypt must have their game together.

Here are the full page images showing all of the details, for the curious.