So, just finished up getting SSL working on this new site using Let’s Encrypt and certbot. I had to hack /etc/hosts to point back to the internal IP as I was getting hit with hairpinning, but once I got that sorted, certbot worked as expected. I had to make a couple of manual configuration changes to the Apache virtual host file to get the correct certificate files, and added the following to enhance security, mainly disabling insecure cipher suites. Got the A+ at https://www.ssllabs.com/ssltest/analyze.html?d=andrewkrull.com so I am going to go with good for now on that front. Security is an ongoing thing so I will be taking another look at this in the next couple of days.
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
#SSLCipherSuite ALL:!EXP:!NULL:!ADH:!LOW
#SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLHonorCipherOrder On
Header set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header set X-Frame-Options DENY
Header set X-Content-Type-Options nosniff
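As an added example (not part of the original post), here is a small offline audit of the Apache directives above: it parses the directive lines, applies the `+`/`-`/`all` rules of SSLProtocol, and flags legacy protocol versions, cipher suites whose OpenSSL names mark weak algorithms, a missing SSLHonorCipherOrder, and an HSTS max-age below the one-year preload minimum. The sample configuration is constructed from the post, with the cipher list shortened; the "legacy protocol" set (everything below TLS 1.2) is this example's policy choice, not the SSL Labs grading rule at the time of the post.

```python
import re
# Constructed sample: the post's Apache directives, cipher list shortened for the audit.
SAMPLE_CONF = """
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
SSLHonorCipherOrder On
Header set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
"""
ALL_PROTOS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
LEGACY_PROTOS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # policy: require TLS 1.2+
WEAK_MARKERS = ("DES-CBC3", "3DES", "RC4", "MD5", "NULL", "EXP")  # OpenSSL suite-name fragments
ONE_YEAR = 31536000  # minimum HSTS max-age for preload eligibility

def parse(conf):
    """Map directive -> value; 'Header [always] set X v' is stored under X."""
    d = {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # skip blanks and commented-out lines
            continue
        m = re.match(r'Header\s+(?:always\s+)?set\s+(\S+)\s+"?([^"]*)"?', line)
        name, value = (m.group(1), m.group(2)) if m else line.partition(" ")[::2]
        d[name] = value.strip()
    return d

def enabled_protocols(spec):
    """Apply Apache's +/-/all SSLProtocol syntax and return the enabled set."""
    enabled = set()
    for tok in spec.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = ALL_PROTOS if name.lower() == "all" else {name}
        enabled = enabled | names if sign == "+" else enabled - names
    return enabled

def audit(conf):
    """Return findings for the TLS settings; an empty list means clean."""
    d, findings = parse(conf), []
    for p in sorted(enabled_protocols(d.get("SSLProtocol", "all")) & LEGACY_PROTOS):
        findings.append(f"SSLProtocol still allows {p}")
    for tok in d.get("SSLCipherSuite", "").split(":"):
        # '!DES' removes only single DES; triple-DES suites need '!3DES'.
        if tok and not tok.startswith("!") and any(m in tok for m in WEAK_MARKERS):
            findings.append(f"weak cipher suite enabled: {tok}")
    if d.get("SSLHonorCipherOrder", "").lower() != "on":
        findings.append("SSLHonorCipherOrder is not On")
    age = re.search(r"max-age=(\d+)", d.get("Strict-Transport-Security", ""))
    if not age or int(age.group(1)) < ONE_YEAR:
        findings.append("HSTS header missing or max-age below one year")
    return findings
```

Run against the sample, the audit reports TLS 1.0/1.1 still enabled and the two explicitly listed 3DES suites; a config using `SSLProtocol -all +TLSv1.2 +TLSv1.3` and `!3DES` comes back clean.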