
I recently set up a site with certbot --nginx -d <domain>. In /etc/letsencrypt/options-ssl-nginx.conf, I added TLSv1.3 to the ssl_protocols directive. However, when I visit the site (Chrome 68), the security tab shows TLSv1.2. I tested the site with ssllabs.com, which also showed only TLS versions 1.0-1.2 enabled.

I don't see any errors in journalctl -u nginx.service | grep -i tls or grep -i tls /var/log/nginx/*.log.

How could I troubleshoot this issue? I've checked all my config files and all my log files and haven't found the source of (or any information about) the problem.

Software info:

  • certbot 0.23.0
  • nginx version: nginx/1.14.0 (Ubuntu)
  • OpenSSL 1.1.0g 2 Nov 2017
  • Ubuntu 18.04
  • Linux 4.15.0-20-generic x86_64

Site config (generated by certbot): https://hastebin.com/oragojozol.nginx

/etc/letsencrypt/options-ssl-nginx.conf: https://hastebin.com/cepalomisi.nginx

RalphORama

3 Answers


OpenSSL 1.1.0g 2 Nov 2017

I did not even look at the rest of what you are doing, but OpenSSL 1.1.0 simply does not support TLS 1.3 yet. TLS 1.3 is supported starting with OpenSSL 1.1.1 only. See Using TLS1.3 With OpenSSL for more information.

Steffen Ullrich
  • Ah, the one thing I didn't double-check. Thanks very much – RalphORama May 20 '18 at 04:15
  • I have the same issue but I am using the latest versions: `nginx version: nginx/1.15.8 built by gcc 8.2.0 (Alpine 8.2.0) built with OpenSSL 1.1.1a 20 Nov 2018` –  Feb 01 '19 at 13:53
  • @simbolo: What you have is obviously a different question which needs a different answer. New questions should be asked as actual questions and not as a comment to an existing question or answer. – Steffen Ullrich Feb 01 '19 at 14:02

I wondered for half an hour why my Nginx on Ubuntu Eoan (N 1.16.5, OpenSSL 1.1.1c) still worked over TLSv1.2 and wandered over the web for possible causes, and found a note to inspect a Certbot file particularly helpful.

Look into /etc/letsencrypt/options-ssl-nginx.conf. It contains this line:

ssl_protocols TLSv1.0 TLSv1.1 TLSv1.2;

Because this file is (usually) included at a server block level, it takes precedence over whatever you have set at http block level.

If you have an ssl_protocols directive in your http block, it's safe to just delete that unwanted line from the file, as I did. Then my settings went into effect after a reload.

# /etc/nginx/nginx.conf
ssl_protocols TLSv1.2 TLSv1.3;
root@iBug-Server:/etc/nginx # nginx -tq && nginx -s reload
# Or use `systemctl reload nginx.service`
iBug
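The two causes described in the answers above (an nginx built against an OpenSSL older than 1.1.1, and a TLS 1.2-only ssl_protocols line in the certbot include overriding the http-level setting) can be checked without a browser or SSL Labs. The script below is an added example, not code from the question or any answer; it assumes only POSIX sh, grep and cut, and the version strings and config files it uses are constructed samples.

```shell
#!/bin/sh
# Added example: offline checks for "TLSv1.3 is configured but only TLS 1.2
# is negotiated". Inputs below are constructed samples, not real hosts.

# Check 1: TLS 1.3 needs the OpenSSL nginx was *built with* (see `nginx -V`)
# to be 1.1.1 or newer. Returns 0 = yes, 1 = too old, 2 = no version found.
openssl_supports_tls13() {
  ver=$(printf '%s\n' "$1" | grep -oE 'OpenSSL [0-9]+\.[0-9]+\.[0-9]+' | head -n1 | cut -d' ' -f2)
  [ -n "$ver" ] || return 2
  major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*}; patch=${rest#*.}
  [ "$major" -gt 1 ] && return 0
  [ "$major" -eq 1 ] && [ "$minor" -gt 1 ] && return 0
  [ "$major" -eq 1 ] && [ "$minor" -eq 1 ] && [ "$patch" -ge 1 ] && return 0
  return 1
}

# Check 2: list every ssl_protocols directive under a directory that lacks
# TLSv1.3, as "file:line:directive". nginx applies the innermost directive,
# so a TLS 1.2-only line in a file included inside a server block (certbot's
# options-ssl-nginx.conf) silently overrides the http-level one in nginx.conf.
ssl_protocols_without_tls13() {
  grep -rnoE 'ssl_protocols[^;]*;' "$1" | grep -v 'TLSv1\.3' || true
}

# Live check of the running server (client needs OpenSSL >= 1.1.1 as well):
#   probe_tls13 example.com   -> exit 0 only if TLS 1.3 was really negotiated.
probe_tls13() {
  openssl s_client -connect "$1:443" -servername "$1" -tls1_3 </dev/null 2>/dev/null \
    | grep -q 'Protocol *: TLSv1\.3'
}

# Demo: a constructed config tree with the layout from the question. Prints the
# one directive that wins over nginx.conf and explains the TLS 1.2-only result.
demo_overrides() {
  root=$(mktemp -d)
  mkdir -p "$root/letsencrypt"
  printf 'http {\n  ssl_protocols TLSv1.2 TLSv1.3;\n}\n' > "$root/nginx.conf"
  printf 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n' > "$root/letsencrypt/options-ssl-nginx.conf"
  ssl_protocols_without_tls13 "$root"
  rm -rf "$root"
}
demo_overrides
```

On a real host, run `openssl_supports_tls13 "$(nginx -V 2>&1)"` and `ssl_protocols_without_tls13 /etc/nginx /etc/letsencrypt` after sourcing the script.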

Until Ubuntu releases its default update for it, you can use TLSv1.3 via Ondrej Sury's PPA, which was recently updated.

Basically, you will need to add his PPA nginx and nginx-qa repositories, remove the default nginx, and install his PPA nginx and openssl as follows:

sudo add-apt-repository ppa:ondrej/nginx-mainline
sudo add-apt-repository ppa:ondrej/nginx-qa
sudo apt-get update          # This is not needed in Ubuntu 18.04
sudo apt-get -y remove nginx # If you already installed the default nginx
sudo apt-get -y install nginx openssl

I explained the steps for manual installation of openssl 1.1.1 at HowToForge but using the above mentioned PPA is easier and safer.