Can’t create new certificate on Catalina (10.15.1) because SSL compression is not enabled

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: sudo certbot --apache

It produced this output:

sudo certbot --apache


Saving debug log to /var/log/letsencrypt/letsencrypt.log

Plugins selected: Authenticator apache, Installer apache

Enter email address (used for urgent renewal and security notices) (Enter ‘c’ to


Please read the Terms of Service at You must

agree in order to register with the ACME server at

(A)gree/©ancel: A

Would you be willing to share your email address with the Electronic Frontier

Foundation, a founding partner of the Let’s Encrypt project and the non-profit

organization that develops Certbot? We’d like to send you email about our work

encrypting the web, EFF news, campaigns, and ways to support digital freedom.

(Y)es/(N)o: N

Which names would you like to activate HTTPS for?

[ … other sites deleted due to new user limitation ]

Select the appropriate numbers separated by commas and/or spaces, or leave input

blank to select all options shown (Enter ‘c’ to cancel): 1

Obtaining a new certificate

Performing the following challenges:

http-01 challenge for

Waiting for verification…

Cleaning up challenges

Created an SSL vhost at /private/etc/apache2/extra/httpd-vhosts-le-ssl.conf

Deploying Certificate to VirtualHost /private/etc/apache2/extra/httpd-vhosts-le-ssl.conf

Enabling site /private/etc/apache2/extra/httpd-vhosts-le-ssl.conf by adding Include to root configuration

Error while running apachectl configtest.

AH00526: Syntax error on line 13 of /etc/letsencrypt/options-ssl-apache.conf:

Setting Compression mode unsupported; not implemented by the SSL library

Rolling back to previous server configuration…

Error while running apachectl configtest.

AH00526: Syntax error on line 13 of /etc/letsencrypt/options-ssl-apache.conf:

Setting Compression mode unsupported; not implemented by the SSL library


- We were unable to install your certificate, however, we

successfully restored your server to its prior configuration.

  • Congratulations! Your certificate and chain have been saved at:


Your key file has been saved at:


Your cert will expire on 2020-03-09. To obtain a new or tweaked

version of this certificate in the future, simply run certbot again

with the “certonly” option. To non-interactively renew all of

your certificates, run “certbot renew”

  • Your account credentials have been saved in your Certbot

configuration directory at /etc/letsencrypt. You should make a

secure backup of this folder now. This configuration directory will

also contain certificates and private keys obtained by Certbot so

making regular backups of this folder is ideal.

My web server is (include version):

Server version: Apache/2.4.41 (Unix)
Server built: Oct 17 2019 18:04:28

The operating system my web server runs on is (include version):

macOS 10.15.1 (Catalina)

My hosting provider, if applicable, is:

N/A — it’s our own machine

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 1.0.0

There is a similar thread on GitHub from May ( where the answer basically was “we’re looking into it,” with no resolution. Since certbot backs out the configurations and deletes the .conf files, I’m at a bit of a loss for what to do next.

We’re hoping to use Let’s Encrypt for some one-off sites (since it seems that wildcards can only be used via Docker?) where a pesky consultant has convinced the owners that SSL is needed for sites with zero user interaction. We use paid certificates for other company properties and I would prefer not to have to pay $$$ for limited-use certificates if possible. Any suggestions for what to do to work around the SSL Compression problem are welcome.

I would guess that the problem is that your Apache configuration tries to enable SSL compression.

However, for quite some time, SSL compression has been considered a misfeature/dangerous, and not supported in modern SSL.

The solution would be to remove that part of your configuration, and then try again.

Edit: I misread the errors slightly. You need to open /etc/letsencrypt/options-ssl-apache.conf and remove this line:

SSLCompression          off 

This might be worth filing a Certbot bug over too, but I don’t have a macOS environment to try reproduce on.

I don’t enable SSL Compression anywhere. Certbot’s configuration file is at fault:

This file contains important security parameters. If you modify this file

manually, Certbot will be unable to automatically provide future security

updates. Instead, Certbot will print and log an error message with a path to

the up-to-date file that you will need to refer to when manually updating

this file.

SSLEngine on

Intermediate configuration, tweak to your needs

SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCompression off

SSLOptions +StrictRequire

Add vhost name to log entries:

LogFormat “%h %l %u %t “%r” %>s %b “%{Referer}i” “%{User-agent}i”” vhost_combined
LogFormat “%v %h %l %u %t “%r” %>s %b” vhost_common

#CustomLog /var/log/apache2/access.log vhost_combined
#LogLevel warn
#ErrorLog /var/log/apache2/error.log

Always ensure Cookies have “Secure” set (JAH 2012/1)

#Header edit Set-Cookie (?i)^(.)(;\ssecure)??((\s*;)?(.*)) "$1; Secure$3$4”

Removing the SSLCompression line is not possible, as certbot recreates the file and reinserts the line every time.

Yes, indeed. I misread initially.

Hmm. It shouldn't do this. Certbot is supposed to detect when that file has been modified manually and avoid re-modifying it.

An “issue” was filed at GitHub in May. Its solution is not helpful because certbot fails to store conf files that can be edited after the fact.

Sadly, this is not the case, as I tried doing just that and certbot happily recreated the original file before failing to complete the install.

I’ve done a poor job of reading your original post carefully. You put the effort in and I skipped past it. Sorry.

Would you be OK with avoiding the “installer” part of Certbot? So having it only issue the certificate, but leaving you to configure it in Apache.

So your workflow would be something like:

sudo certbot certonly -a apache --deploy-hook "apachectl -k graceful" -d

This would leave you with the needed files in /etc/letsencrypt/live/{fullchain,privkey}.pem, which you could combine with the recommended SSL virtual host configuration.

I guess this would be closer to your original workflow where you used paid certificates, but the certificate renewal would continue to be automatic (assuming I’ve identified the right command on macOS for reloading Apache post-renewal).

1 Like

Thank you very much for your helpful suggestions. I was able to get the certificate set up correctly for the site. I haven’t tested the workflow you suggested yet, but as we may have additional single-site certificates to install soon, I will give it a try then.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.