TL;DR you’re never done with Let’s Encrypt: once your servers are secure, you must ensure they stay that way.

Let’s Encrypt

Let’s Encrypt is a no-brainer: the initiative benefits us all with free domain-validated certificates. It’s easy to set up: there is probably an automatic installer for your web server of choice, the community behind it can help, and tutorials are everywhere.

Then you head to https://<your domain>.com and you’re done… not.

Just after installing your cert, do this

The default SSL configuration of your web server may well be suboptimal (or absurdly insecure). Use SSLPing.com to check it: it’s free, takes only 5 seconds, and goes straight to the point.

I strongly recommend the Mozilla SSL server configurator to help you set SSL/TLS options… Use the Intermediate configuration and you should be good to go, with good secure defaults.

You could also use SSL Labs server test for an exhaustive but long check. The end result should be the same: a secure configuration. Now tweet and brag about your A+ rating :-)

What’s next

Setting up SSL/TLS is not a one-shot process, it’s a continuous one. Just as you use Pingdom or another service to monitor uptime, you should make sure your SSL configuration doesn’t become bad at some point!

That’s the whole purpose of SSLPing.com.

What it does, for free:

check your servers every day

check your certificates for expiration and alert you by email 10 and 3 days before expiry, then again on the expiration date, only if still needed

alert you if the results of the security checks ever change: if the parameters you set with the Mozilla configurator change, your website may no longer be secure, or may even be blocked by browsers…

give you a unified view of all your servers and certificates, which is very important if you’re using the same wildcard certificate on many servers (server proliferation), or if you’re using Let’s Encrypt with one certificate per server (cert proliferation).
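The daily expiry and drift checks the list describes, as an added example in Python that is not SSLPing’s own code: `expiry_alert` applies the 10/3/0-day thresholds to ISO timestamps, `config_drift` compares a stored snapshot of the negotiated session with a fresh one, and the hypothetical `probe` helper shows how such a snapshot could be taken with the standard library alone.

```python
"""Constructed example: daily expiry alerts at the post's thresholds plus
detection of TLS configuration drift since a recorded baseline."""
import hashlib
import socket
import ssl
from datetime import datetime, timezone

# Thresholds from the post: 10 and 3 days before expiry, then on the expiry date.
ALERT_DAYS = (10, 3, 0)


def expiry_alert(not_after_iso, now_iso):
    """Threshold (days left) that fires on this daily run, or None.
    A daily run sees each threshold once (the post's 'only if needed');
    an already expired certificate returns -1 on every run."""
    not_after = datetime.fromisoformat(not_after_iso)
    now = datetime.fromisoformat(now_iso)
    days_left = (not_after - now).days  # floors: 0 means 'expires today'
    if days_left < 0:
        return -1
    return days_left if days_left in ALERT_DAYS else None


def config_drift(baseline, current):
    """Sorted keys of the session snapshot whose values changed; an empty
    list means the server still negotiates what it did when the baseline
    was recorded (e.g. right after applying the Mozilla profile)."""
    return sorted(k for k in baseline if baseline[k] != current.get(k))


def probe(host, port=443, timeout=5.0):
    """Snapshot what a verifying client negotiates with the server.
    Hypothetical helper, not SSLPing's probe: one handshake with the
    platform default context, so it records one protocol/cipher pair,
    not the server's whole policy. Not exercised by the offline checks."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            leaf = tls.getpeercert()
            expires = datetime.fromtimestamp(
                ssl.cert_time_to_seconds(leaf["notAfter"]), tz=timezone.utc)
            return {
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "cert_sha256": hashlib.sha256(
                    tls.getpeercert(binary_form=True)).hexdigest(),
                "not_after": expires.isoformat(),
            }
```

Store the first `probe` result as the baseline and run `config_drift` against each new one; a non-empty list is exactly the "results changed" alert the list describes.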

What’s next?

In 3 months, you may receive emails from SSLPing telling you that all your Let’s Encrypt certificates are about to expire… because you didn’t realize you must renew them every 90 days! Renewal can be automated, but even cron jobs fail sometimes, and they’re difficult to test.

Conclusion

I have been surprised by the frequency of SSL/TLS configuration changes on servers since I started the SSLPing project, which happens to send notifications almost every day: secure servers don’t stay secure for long.