Can't seem to enable TLS1.3

My web server is (include version): Apache 2.4.46

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: Digital Ocean

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.31.0

I can't seem to enable TLS 1.3.

I have set

SSLProtocol -all +TLSv1.2 +TLSv1.3

in all of the following

/etc/apache2/mods-enabled/ssl.conf
/etc/apache2/sites-enabled/website.com-le-ssl.conf

And the /etc/letsencrypt/options-ssl-apache.conf shows

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

SSLHonorCipherOrder on

SSLCompression off

I don't see any TLSv1.3 ciphers in there.
Please show:
openssl ciphers
openssl version

openssl ciphers

TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:RSA-PSK-AES256-GCM-SHA384:DHE-PSK-AES256-GCM-SHA384:RSA-PSK-CHACHA20-POLY1305:DHE-PSK-CHACHA20-POLY1305:ECDHE-PSK-CHACHA20-POLY1305:AES256-GCM-SHA384:PSK-AES256-GCM-SHA384:PSK-CHACHA20-POLY1305:RSA-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-GCM-SHA256:AES128-GCM-SHA256:PSK-AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:ECDHE-PSK-AES256-CBC-SHA384:ECDHE-PSK-AES256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:RSA-PSK-AES256-CBC-SHA384:DHE-PSK-AES256-CBC-SHA384:RSA-PSK-AES256-CBC-SHA:DHE-PSK-AES256-CBC-SHA:AES256-SHA:PSK-AES256-CBC-SHA384:PSK-AES256-CBC-SHA:ECDHE-PSK-AES128-CBC-SHA256:ECDHE-PSK-AES128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:RSA-PSK-AES128-CBC-SHA256:DHE-PSK-AES128-CBC-SHA256:RSA-PSK-AES128-CBC-SHA:DHE-PSK-AES128-CBC-SHA:AES128-SHA:PSK-AES128-CBC-SHA256:PSK-AES128-CBC-SHA

openssl version

OpenSSL 1.1.1 11 Sep 2018 (Library: OpenSSL 1.1.1g 21 Apr 2020)

Add the first three to your list.

Do I just add it to the end of the ciphers in?

'/etc/letsencrypt/options-ssl-apache.conf'

It might go in preference order, so add them at the front.
[separated by ":"]

Would I need to include that anywhere else by chance?

Only if you have another SSLCipherSuite statement in your code.
But that should only appear once for the entire server.
So if you find any others, making them match isn't really the best solution.

Not that I know of. I added the ciphers and re-issued the cert but it doesn't seem to have worked. I will have to wait for another week to try again I think since I have issued 5 certs testing things out already. Thanks for your help so far! <3

You don't need to reissue the cert to change your TLS settings.
Just restart, or reload, the web service.


There is a staging (TESTING) environment for such things.

Restarted but it doesn't seem to have changed anything.

Your problem is really nothing to do with LE.
You need to learn how to configure your web server so that it does what you want it to do.

And you can stop issuing more certs - one is enough.
[they are all the same]
[unless you need to add or remove a name on it]

In /etc/apache2/mods-enabled/ssl.conf it says:

SSLCipherSuite HIGH:!aNULL

Would this be where the issue is?

If you have SSLCipherSuite twice - yes that is an issue.

So if the cipher suite only matters on the apache2 side, will the cipher suite in the letsencrypt file cause problems?

There should only be one.
Each conflicts with the other.
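A quick way to see where the duplicates come from, as an added example that is not from this thread: a POSIX shell scan that lists every active (uncommented) SSLCipherSuite and SSLProtocol line under an Apache config tree and counts them. The directory layout and file contents below are constructed to mirror the paths mentioned in the thread; they are assumptions, not the poster's real files.

```shell
#!/bin/sh
# Added example: locate conflicting mod_ssl directives across *.conf files.
set -eu

# Print active occurrences of a directive as "file:line:text".
# Commented-out lines (leading '#') are skipped; /dev/null forces grep to
# prefix the filename even when only one file matches. Apache directive
# names are case-insensitive, hence -i.
find_directive() {
  dir="$1"; name="$2"
  find "$dir" -name '*.conf' -exec \
    grep -ni "^[[:space:]]*${name}[[:space:]]" /dev/null {} + || true
}

# Number of active occurrences; anything above 1 is a conflict to resolve.
count_directive() {
  find_directive "$1" "$2" | wc -l | tr -d ' '
}

# Constructed config tree (not real server files) shaped like the thread's.
make_demo_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/apache2/mods-enabled" "$root/apache2/sites-enabled" "$root/letsencrypt"
  cat > "$root/apache2/mods-enabled/ssl.conf" <<'EOF'
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite HIGH:!aNULL
EOF
  cat > "$root/apache2/sites-enabled/website.com-le-ssl.conf" <<'EOF'
<VirtualHost *:443>
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
EOF
  cat > "$root/letsencrypt/options-ssl-apache.conf" <<'EOF'
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
# SSLCipherSuite lines that are commented out are ignored by the scan
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
SSLHonorCipherOrder on
EOF
  echo "$root"
}

demo_root=$(make_demo_tree)
echo "Active SSLCipherSuite directives:"; find_directive "$demo_root" SSLCipherSuite
echo "count=$(count_directive "$demo_root" SSLCipherSuite)"
echo "Active SSLProtocol directives:";    find_directive "$demo_root" SSLProtocol
echo "count=$(count_directive "$demo_root" SSLProtocol)"
rm -rf "$demo_root"
```

On a real host, call find_directive with /etc/apache2 and /etc/letsencrypt instead of the demo tree to see which file each surviving SSLCipherSuite line lives in.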

So do I just comment out the one in letsencrypt options?

This is not a forum for - "how to configure my web server".
I can't say which is better.
That is up to you.

All I can say is, from my personal experience, you can't tell it to do two different things.

Sorry, I will clarify.

Does commenting out the certbot/letsencrypt options cause any problems when it auto renews or anything?