I am using Let's Encrypt certificates. In an attempt to stay compliant with PCI DSS standards, I disabled support for the Triple DES (3DES) cipher in the conf file for nginx. But Certbot then noted that if I manually change a conf file, it won't automate the cert renewal process. Worse, Certbot's docs do not mention another way to go about disabling certain ciphers while keeping the automation.

Is there a workaround for this? Maybe I can have an additional nginx line that overrides the certbot's settings? Or am I missing something?

Here's my nginx.conf and other conf files in a gist: https://gist.github.com/bluedeck/7a3a8614fe1cc86c1247b8f303ebcdd3

1xor1

1 Answer

Maybe not the best way to do this, but that's how I renew my certificates.

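#!/bin/bash
# Stop nginx so certbot's standalone server can bind port 80
service nginx stop
# Obtain/renew the certificate only; certbot does not edit any nginx conf file
certbot certonly --standalone --preferred-challenges http -d mysite.com
# Bring nginx back up with the hand-edited cipher configuration
service nginx start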

and just add it to your crontab.

robusto
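A check that can run after each renewal to confirm the nginx configuration still rules out 3DES, which is the question's concern. This is an added example, not code from the question or the answer: the function names `classify_ciphers` and `check_conf` and the sample config are constructed for illustration. It is a text heuristic that only reads single-line `ssl_ciphers` directives.

```shell
#!/bin/sh
# Added example (not from the original post): static 3DES check for nginx ssl_ciphers.

# Classify one OpenSSL cipher string. Runs in a subshell so set -f/IFS stay local.
#   excluded: contains !3DES      named: a 3DES suite or the 3DES keyword is listed
#   absent:   explicit suite list without 3DES
#   group:    keywords such as HIGH, whose contents depend on the OpenSSL build
classify_ciphers() (
    set -f; IFS=': ,'; verdict=absent
    for token in $1; do
        case "$token" in
            '!3DES') verdict=excluded; break ;;
            ''|-*|!*|@*) ;;                    # other removals, @STRENGTH
            *3DES*|*DES-CBC3*) verdict=named ;;
            *-*) ;;                            # explicit suite name, e.g. AES128-SHA
            *) [ "$verdict" = named ] || verdict=group ;;
        esac
    done
    echo "$verdict"
)

# Print a verdict for every single-line ssl_ciphers directive in file $1.
# Returns 0 only if each one is "excluded" or "absent", 2 if none is found.
check_conf() {
    rc=0
    values=$(sed -n "s/^[[:space:]]*ssl_ciphers[[:space:]]\{1,\}[\"']\{0,1\}\([^\"';]*\)[\"']\{0,1\}[[:space:]]*;.*/\1/p" "$1")
    [ -n "$values" ] || { echo "$1: no ssl_ciphers directive"; return 2; }
    while IFS= read -r value; do
        verdict=$(classify_ciphers "$value")
        echo "$1: $verdict: $value"
        case "$verdict" in excluded|absent) ;; *) rc=1 ;; esac
    done <<EOF
$values
EOF
    return $rc
}

# Constructed sample config (not the asker's gist).
sample=$(mktemp)
cat > "$sample" <<'EOF'
server {
    listen 443 ssl;
    # ssl_ciphers "HIGH:!aNULL:!MD5";
    ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!3DES";
}
EOF
check_conf "$sample" || echo "3DES not ruled out"
rm -f "$sample"
```

A `group` verdict means the string relies on keywords alone, so whether 3DES is offered depends on the OpenSSL version nginx is linked against; adding `!3DES` removes that dependency.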