The DNS system is broken. The sorry state of DNS security exposes your server and your end users to a variety of risks. Some of those risks are preventable.
In light of documented TLS vulnerabilities and implementation bugs, understanding known attack vectors becomes a necessity.
Until the day TLS 1.3 becomes widely supported, web servers must rely on a fallback to TLS 1.2 with correctly configured server directives and strong cipher suites. Pick the wrong settings and you declare an open season on your server.
Confused about SSL/TLS certificates? Here is a quick and dirty introduction to SSL/TLS encryption.
Generating SSL certificates when Letsencrypt (what is Letsencrypt, who is behind it, and how the heck can you get started) is available for your system works in a breeze, but what if you need your certificates for a machine that won’t take Letsencrypt (for whatever reason)? It is still possible: you can either grab Letsencrypt from Git, or, for reasons of practicality… create a certificate signing request (CSR) on your target server, transfer it to your letsencrypt instance, generate the certificates you need, then transfer the generated files back to your target instance and install the certificates in your software.