nusmodifications / nusmods

🏫 Official course planning platform for National University of Singapore.
https://nusmods.com
MIT License

www.nusmods.com and api.nusmods.com have invalid TLS certificate #435

Closed ZhangYiJiang closed 6 years ago

ZhangYiJiang commented 7 years ago

[Screenshot attached: "screenshot from 2017-08-21 12-45-55"]

It should be possible to configure the Let's Encrypt certificate to cover both of these. The former is important for API access over HTTPS, the latter for people trying to access https://www.nusmods.com (the browser will try to check the cert before redirection, and it'll fail as shown above).

ZhangYiJiang commented 7 years ago

Also, while we're at it, nusmods.com gets a B grade from https://www.ssllabs.com/ssltest/analyze.html?d=nusmods.com. The report has a few recommendations which are worth following when updating the SSL configs.

Syakyr commented 6 years ago

This may be a 4 month old issue, but I'll leave this here for the sysadmin should he/she wish to increase the security of the site.

The grade has been capped to B due to the Diffie Hellman (DH) ciphers being vulnerable to LogJam attacks. While the server may not hold sensitive and important information that attackers with nation-state capabilities would want to compromise, it is still good practice to change the DH ciphers, especially if a login system is to be implemented in the future.

Here are 2 sites that give info on how to increase security using nginx config:

I suggest using the GitHub conf as the base, and adding the SSL ciphers and dh params from the 1st site.

thebengeu commented 6 years ago

Let's Encrypt wildcard certs are coming in Jan 2018, which should make it more convenient to cover all subdomains: https://letsencrypt.org/2017/07/06/wildcard-certificates-coming-jan-2018.html.
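The certificate-coverage problem from the first comment and the wildcard-cert point above, as an added example that is not part of this thread or the NUSMods code base: it checks which of a list of hostnames a certificate's Subject Alternative Names fail to cover, using the browser matching rules (exact, case-insensitive, or a wildcard that stands for exactly one leftmost label). The two certificate dicts are constructed samples in the shape `ssl.SSLSocket.getpeercert()` returns; `fetch_cert` is a hypothetical helper for running the same check against a live server.

```python
import socket
import ssl


def san_dns_names(cert):
    """DNS names listed in the cert's subjectAltName extension."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern, hostname):
    """RFC 6125 style match: '*' may only replace the whole leftmost label,
    never part of one, and a wildcard must leave at least two more labels."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def uncovered_hosts(cert, hostnames):
    """Hostnames that no SAN entry in `cert` matches (what a browser would reject)."""
    names = san_dns_names(cert)
    return [h for h in hostnames if not any(name_matches(n, h) for n in names)]


def fetch_cert(hostname, port=443, timeout=5):
    """Hypothetical live helper: fetch a server's leaf cert for the check above.
    Chain verification stays on; only hostname checking is disabled so that a
    mismatched cert is still returned instead of raising."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample: a cert issued for the apex name only, as in the issue.
CERT_APEX_ONLY = {"subjectAltName": (("DNS", "nusmods.com"),)}
# Constructed sample: apex plus wildcard, as a wildcard Let's Encrypt cert would give.
CERT_WILDCARD = {"subjectAltName": (("DNS", "nusmods.com"), ("DNS", "*.nusmods.com"))}
HOSTS = ["nusmods.com", "www.nusmods.com", "api.nusmods.com"]

if __name__ == "__main__":
    print("apex-only cert misses:", uncovered_hosts(CERT_APEX_ONLY, HOSTS))
    print("wildcard cert misses:", uncovered_hosts(CERT_WILDCARD, HOSTS))
```

Note that a wildcard entry does not cover the bare apex name, so a wildcard cert still needs `nusmods.com` listed explicitly alongside `*.nusmods.com`.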

ZhangYiJiang commented 6 years ago

Closing in favor of #708