Increasing SSL security

Last updated: April 4th 2021

Please Note: The information below is dated and is only relevant for old servers running Xenial and Bionic which have not been updated in a long time. Since about mid-2019 all Webdock stacks have received an A rating and no longer support TLS v1.0 and weak ciphers, as this became the new default configuration in Let's Encrypt. Webdock does not modify default webserver or Certbot behavior when you install Let's Encrypt certificates with Webdock. We simply call the Certbot CLI without any specific security options and it takes the config from there.

This means that Webdock webservers will be maximally compatible and thus will support older protocols and weak ciphers.

To test your LetsEncrypt certificate in detail, you can start with running the SSLabs SSL Server Test:

https://www.ssllabs.com/ssltest/index.html

You will discover that the server supports TLS v1.0 and weak ciphers such as DES and CBC3.

If you operate a web shop and gather payment information, you should be aware that the international security standard PCI DSS (Payment Card Industry Data Security Standard) requires you to use the newer versions of the TLS protocol (TLS 1.1 or TLS 1.2) no later than July 1st 2018, since TLS 1.0 is outdated and poses a security risk. You can increase your certificate security and choose to modify your webserver configuration by editing the Certbot defaults located at:

Apache:

/etc/letsencrypt/options-ssl-apache.conf

Nginx:

/etc/letsencrypt/options-ssl-nginx.conf

You can edit these files by using the Edit Config Files page for your server in the Webdock Dashboard. To find the correct configuration for these files, we recommend you use the Mozilla SSL Config Generator:

https://mozilla.github.io/server-side-tls/ssl-config-generator/

Remember to reload your webserver config by deploying and running the Reload Web Server Config script on the Server Scripts page for your server in the Webdock Dashboard.
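As an added illustration (not Webdock's or Certbot's own file), here is what a hardened options-ssl-nginx.conf along the lines of the Mozilla generator's intermediate profile can look like; the cipher list and HSTS max-age are example values, not copied from the generator, and the session settings mirror the Certbot defaults.

```nginx
# /etc/letsencrypt/options-ssl-nginx.conf (hardened example, not the Certbot default)
# Goal: drop TLS 1.0/1.1 and the DES/3DES (CBC3) suites the SSL Labs test flags.

ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;

# Only modern protocol versions. The TLSv1.3 token is only accepted by
# nginx 1.13.0 or newer; on Xenial's nginx 1.10 use "ssl_protocols TLSv1.2;".
ssl_protocols TLSv1.2 TLSv1.3;

# With AEAD-only suites the client's preference order is acceptable.
ssl_prefer_server_ciphers off;

# Forward-secret AEAD suites only; no RC4, DES, 3DES, MD5 or NULL ciphers.
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305";

# HSTS: browsers keep using HTTPS for two years. Only enable this once every
# subdomain serves a valid certificate, since it cannot be undone quickly.
add_header Strict-Transport-Security "max-age=63072000" always;
```

Run `nginx -t` before reloading so a typo in this file cannot take the site offline, then re-run the SSL Labs test to confirm TLS 1.0 and the CBC3 suites are gone.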

In addition, you can choose not to use the Webdock control panel to generate your certificates, and use Certbot CLI directly on your server. Please refer to the Certbot documentation for certificate specific security settings.

Please be aware that if you use a more modern SSL profile you may lose support for e.g. older Internet Explorer versions. You should investigate the consequences of your configuration before deploying any enhanced security.

If you are not sure how to do all of this, be in touch with Webdock support and we will help you out :)