I’m using certbot with nginx on Ubuntu. I tested my website on ssllabs.com and it says that my server uses some weak cipher suites.
In particular, the ciphers labeled as “weak” are:
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
- TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16)
- TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)
I tried disabling these in my nginx.conf, but I realized that certbot is overriding the nginx.conf by including its own in /etc/letsencrypt/options-ssl-nginx.conf. I can manually change this by either removing certbot’s include in each server or changing this other file directly, but I am wondering if this is intended default behavior for certbot and if these ciphers really are an issue.
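To see which configuration file actually enables the three suites SSL Labs flagged, the following added example (not part of the original post and not certbot's own code) maps the IANA names to the OpenSSL names used in `ssl_ciphers` and scans each file's directives. The file contents in `SAMPLE` are constructed for illustration and are not the real files.

```python
import re

# IANA names reported by SSL Labs in the post -> OpenSSL names used in ssl_ciphers.
# EDH-RSA-DES-CBC3-SHA is the older OpenSSL spelling of the DHE suite.
IANA_TO_OPENSSL = {
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA": ["ECDHE-RSA-DES-CBC3-SHA"],
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA": ["DHE-RSA-DES-CBC3-SHA", "EDH-RSA-DES-CBC3-SHA"],
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": ["DES-CBC3-SHA"],
}
WEAK = {name: iana for iana, names in IANA_TO_OPENSSL.items() for name in names}
DIRECTIVE = re.compile(r"^\s*ssl_ciphers\s+([^;]+);", re.MULTILINE)

def weak_suites(cipher_string):
    """Return IANA names of the 3DES suites a cipher string names explicitly.

    Limitation: keywords such as HIGH are not expanded; running
    `openssl ciphers -v` on the server gives the authoritative list."""
    tokens = cipher_string.strip("'\" ").split(":")
    if "!3DES" in tokens:  # '!' removes matching suites permanently
        return []
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    return sorted({WEAK[t] for t in tokens if t in WEAK and t not in excluded})

def audit(files):
    """Map each config file to the weak suites its ssl_ciphers directives enable."""
    report = {}
    for path, text in files.items():
        found = sorted({s for m in DIRECTIVE.finditer(text)
                        for s in weak_suites(m.group(1))})
        if found:
            report[path] = found
    return report

# Constructed sample contents (not the real files): a hardened nginx.conf and an
# included snippet that still lists the three suites SSL Labs flagged.
SAMPLE = {
    "nginx.conf":
        "http {\n  ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!3DES:!aNULL;\n}\n",
    "/etc/letsencrypt/options-ssl-nginx.conf":
        'ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-DES-CBC3-SHA:'
        'EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!DSS";\n',
}

if __name__ == "__main__":
    for path, suites in audit(SAMPLE).items():
        print(path, "->", ", ".join(suites))
```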