SSL Labs – reach 100% overall

The path to your config files may differ depending on your Linux distribution.

In /etc/letsencrypt/options-ssl-apache.conf, use these parameters to reach 100% overall on the SSL Labs check. If possible, include TLS 1.3 as well. In 2020, TLS 1.0 and TLS 1.1 will earn you errors in your favorite browser if you still allow them. These old versions of TLS were announced as deprecated in 2018.

SSLEngine                         on
SSLProtocol                       -all +TLSv1.2 +TLSv1.3
SSLCipherSuite                    ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder               on
SSLCompression                    off
SSLOptions                        +StrictRequire
SSLSessionTickets                 off
SSLUseStapling                    on
SSLStaplingResponderTimeout       5
SSLStaplingReturnResponderErrors  off
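# SSLStaplingCache is only valid in the global server context; Apache rejects it inside a <VirtualHost> block.
SSLStaplingCache                  shmcb:/var/run/ocsp(128000)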
SSLOpenSSLConfCmd                 ECDHParameters Automatic

In /etc/apache2/sites-available/000-default-le-ssl.conf, use fullchain.pem instead of cert.pem to provide the full chain of trust. Otherwise you are downgraded to a B for not providing the full chain of trust.

ServerName [your servers name or FQDN]
SSLCertificateFile /etc/letsencrypt/live/yourFQDN/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/yourFQDN/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
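
To check an existing configuration against the settings above before running the SSL Labs test, here is a small offline audit. It is an added example, not part of the original page; the function names, the sample config and the expansion of "all" are assumptions, and it does not model VirtualHost scoping or directive overrides.

```python
import re

# Values the page sets; compared case-insensitively.
EXPECTED = {"sslcompression": "off", "sslsessiontickets": "off",
            "sslhonorcipherorder": "on", "sslusestapling": "on"}
# Assumption: simplified expansion of "all"; the real set depends on the build.
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
ALLOWED = {"TLSv1.2", "TLSv1.3"}

def enabled_protocols(args):
    """Evaluate SSLProtocol tokens left to right: +x or x adds, -x removes."""
    enabled = set()
    for tok in args.split():
        name = tok.lstrip("+-").lower()
        names = ALL_PROTOCOLS if name == "all" else {p for p in ALL_PROTOCOLS if p.lower() == name}
        enabled = enabled - names if tok.startswith("-") else enabled | names
    return enabled

def audit(conf_text):
    """Return {directive: finding} for settings that differ from the page's."""
    findings, seen = {}, set()
    for raw in conf_text.splitlines():
        m = re.match(r"\s*([A-Za-z]\w*)\s+(.+?)\s*$", raw)
        if not m:  # blank line, comment, or <Section> tag
            continue
        name, value = m.group(1).lower(), m.group(2).strip('"')
        seen.add(name)
        if name == "sslprotocol":
            weak = enabled_protocols(value) - ALLOWED
            if weak:
                findings[name] = "enables " + ", ".join(sorted(weak))
        elif name == "sslcertificatefile" and not value.endswith("fullchain.pem"):
            findings[name] = "does not point at fullchain.pem"
        elif name in EXPECTED and value.lower() != EXPECTED[name]:
            findings[name] = f"is {value}, page sets {EXPECTED[name]}"
    for name in (set(EXPECTED) | {"sslprotocol"}) - seen:
        findings[name] = "not set"
    return findings

# Constructed sample of a weak configuration (not from a real server).
WEAK_CONF = """\
SSLProtocol all -SSLv3
SSLCompression off
SSLSessionTickets on
SSLHonorCipherOrder on
SSLCertificateFile /etc/letsencrypt/live/example.test/cert.pem
"""

if __name__ == "__main__":
    print(audit(WEAK_CONF))
```

An empty result means the checked directives match the values given above; it does not replace the SSL Labs scan itself.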