2

SSL test capped my result to B because of enabled TLS 1.0 and 1.1. I know I should add a line like this to my config: ssl_protocols TLSv1.2 TLSv1.3;

This is my minimized config:

server {
    root /var/www/mezinamiridici.cz/html;
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_certificate /etc/letsencrypt/live/mezinamiridici.cz/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mezinamiridici.cz/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

But there is an error:

2021/03/19 20:19:44 [warn] 32195#32195: duplicate value "TLSv1.2" in /etc/letsencrypt/options-ssl-nginx.conf:10

probably coming from this Let's Encrypt config located at /etc/letsencrypt/options-ssl-nginx.conf:

# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1440m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;

I tried to move my line above and below that include without luck. Is there a way for both configurations to coexist?

Leos Literak
  • 305
  • 4
  • 13
  • Interesting topic to read thoroughly later https://community.letsencrypt.org/t/disabling-tls-1-0-and-tls-1-1/112816 – Leos Literak Mar 19 '21 at 21:37
  • I copied the file https://github.com/certbot/certbot/blob/v1.2.0/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf because my Debian does not have an upgrade of certbot. – Leos Literak Mar 20 '21 at 20:07

1 Answer

0

You have ssl_protocols defined both in the NGINX conf and in the letsencrypt conf. Consolidate that to one place and then adjust the values you want in that single spot. I'd recommend putting it in the letsencrypt conf only.

Ackack
  • 989
  • 5
  • 11
  • The problem is that LE file must be there and it shall not be edited. – Leos Literak Mar 20 '21 at 09:11
  • Well, that's a problem - 1) because you have double ssl_protocol declarations, which nginx doesn't like, and 2) because that file declares it will allow TLSv1 and TLSv1.1. The solution is to consolidate and remove those two entries, period. – Ackack Mar 20 '21 at 14:04
  • This is something I have been aware of from the beginning. Your answer is obvious. I need to find a workaround for Let's Encrypt, which is the root cause and states I shall not modify its file. – Leos Literak Mar 20 '21 at 18:16
  • Just because you don't like reality doesn't mean you can substitute your own. Even reading certbot's actual support forums, you can see that the answer I supplied is in-line with their recommendations - [for instance, here's one of Certbot's engineers recommending exactly what I told you in the supplied answer.](https://community.letsencrypt.org/t/remove-support-for-tls-1-0-1-1-in-nginx/88924/11) – Ackack Mar 20 '21 at 18:34
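Added example (not from the question, the answer, or Certbot): a POSIX shell audit of the configuration nginx actually loads. The reason moving the line above or below the include changes nothing is that ssl_protocols is a bitmask directive in nginx: a second occurrence in the same block logs the "duplicate value" warning for versions already set (the TLSv1.2 warning quoted in the question) and adds the remaining ones, so the two lines merge into their union and TLS 1.0 and 1.1 stay enabled whichever comes first. The script reads an `nginx -T` dump (here a constructed sample stands in for it; the file paths in the sample are made up) and fails when more than one ssl_protocols directive is present or when any legacy version is still enabled. The second sample shows the consolidated layout the answer recommends.

```shell
#!/bin/sh
# Audit the configuration nginx actually loads for ssl_protocols problems:
# more than one directive in scope, or legacy protocol versions still enabled.
# Real usage: nginx -T > /tmp/nginx-effective.conf and feed that file in.
# Below, a constructed sample (not from the original post) stands in for the dump.

SAMPLE_CONF=$(cat <<'EOF'
# configuration file /etc/nginx/sites-enabled/example.conf:
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    include /etc/letsencrypt/options-ssl-nginx.conf;
}
# configuration file /etc/letsencrypt/options-ssl-nginx.conf:
ssl_session_cache shared:le_nginx_SSL:1m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
EOF
)

# Same layout after consolidating to a single directive in the included file
# (constructed; mirrors the answer's recommendation).
FIXED_CONF=$(cat <<'EOF'
# configuration file /etc/nginx/sites-enabled/example.conf:
server {
    listen 443 ssl;
    include /etc/letsencrypt/options-ssl-nginx.conf;
}
# configuration file /etc/letsencrypt/options-ssl-nginx.conf:
ssl_session_cache shared:le_nginx_SSL:1m;
ssl_protocols TLSv1.2 TLSv1.3;
EOF
)

# Number of ssl_protocols directives in the dump (commented lines do not count,
# because their first field is "#").
count_ssl_protocols() {
    printf '%s\n' "$1" | awk '$1 == "ssl_protocols" { n++ } END { print n + 0 }'
}

# Legacy versions enabled by any ssl_protocols directive, in a fixed order,
# as one space-separated line (empty when none remain).
legacy_protocols() {
    printf '%s\n' "$1" | awk '
        $1 == "ssl_protocols" {
            for (i = 2; i <= NF; i++) {
                t = $i
                sub(/;$/, "", t)
                if (t ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/) seen[t] = 1
            }
        }
        END {
            split("SSLv2 SSLv3 TLSv1 TLSv1.1", order, " ")
            out = ""
            for (i = 1; i <= 4; i++)
                if (order[i] in seen) out = out (out == "" ? "" : " ") order[i]
            print out
        }'
}

# Print findings; return 0 only when exactly one directive is present and it
# enables no legacy version. Zero directives also fails: nginx's built-in
# default still includes TLSv1 and TLSv1.1.
audit_ssl_protocols() {
    conf=$1
    n=$(count_ssl_protocols "$conf")
    legacy=$(legacy_protocols "$conf")
    status=0
    if [ "$n" -ne 1 ]; then
        echo "FAIL: $n ssl_protocols directives found (expected exactly one; repeats are merged, not overridden)"
        status=1
    fi
    if [ -n "$legacy" ]; then
        echo "FAIL: legacy protocol versions still enabled: $legacy"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: single ssl_protocols directive, no legacy versions"
    return "$status"
}

echo "--- sample with the duplicate directive ---"
audit_ssl_protocols "$SAMPLE_CONF" || true
echo "--- consolidated configuration ---"
audit_ssl_protocols "$FIXED_CONF" || true
```

Run it against a real `nginx -T` dump rather than a single site file: the dump includes every file nginx actually reads, so a stray ssl_protocols inside an include shows up even when the site configuration itself looks clean.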