Restarted but it doesn't seem to have changed anything.
Your problem is really nothing to do with LE.
You need to learn how to configure your web server so that it does what you want it to do.
And you can stop issuing more certs - one is enough.
[they are all the same]
[unless you need to add or remove a name on it]
/etc/apache2/mods-enabled/ssl.conf it says:
Would this be where the issue is?
If you have
SSLCipherSuite twice - yes that is an issue.
So if the cipher suit matters only the apache2 side, the cipher suit in the letsencrypt will cause problems?
There should only be one.
Each conflicts with the other.
So do I just comment out the one in letsencrypt options?
This is not a forum for - "how to configure my web server".
I can't say which is better.
That is up to you.
All I can say is, from my personal experience, you can't tell it to do two different things.
Sorry, I will clarify.
Does commenting out the certbot/letsencrypt options cause any problems when it auto renews or anything?
You have renewed 5 times - do you really think that is stopping you?
It only sets with ciphers should be used.
That's not correct. You can set the
SSLCipherSuite multple times. Its allowed contexts are: "server config, virtual host, directory, .htaccess".
With aid of SNI you can set a
SSLCipherSuite directive per
<VirtualHost> block if you'd like. That won't "conflict" with each other.
"Allowed" and "actually do what you ask it" are two different things.
I speak form my personal experiences.
I speak from personal experience too. If you have multiple
SSLCipherSuite directives in VirtualHost blocks, Apache will choose the cipher suites from the
SSLCipherSuite directive from that VirtualHost.
Of course it will ignore "generic"
SSLCipherSuite directives from outside the VirtualHost block.
@Osiris, If you have a wildcard, make four vhosts.
one for ssl
one for tlsv1
one for tlsv1.1
one for tlsv1.2
Tell me if it can do that.
That one isn't going to work due to my OpenSSL not supporting SSL any longer.
OK, what about the other three?
SSLProtocol -all TLSv1.2 and
SSLProtocol -all TLSv1.3 with my other default TLS settings elsewhere it works nicely. Setting
-tls1_3 on the OpenSSL
s_client command line results in a failure when connecting to the Apache
TLSv1.2 VirtualHost (as expected), but not with
-tls1_2. Same goes for the
TLSv1.3 VirtualHost, but obviously failures with
-tls1_2 but not with
It seems Added the "Old" Mozilla SSL Generator
TLSv1.1 don't play very well with my other TLS settings.
SSLCipherSuite directive to those two specific VirtualHost blocks and gee, what'll you know, it works now. TLS1.0 and TLS1.1 only VirtualHost, working like a charm. Not effecting any other VirtualHosts at all.
@Osiris How did you enable TLS1.3? I can't for the life of me figure out how to turn on 1.3
have a look at this series
Exactly the same discussion
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.