Conflicting ssl_ciphers

treadnought · November 13, 2022, 5:01am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: blueknobrfb.appylanding.net

I ran this command: certbot

It produced this output: Saving debug log to /var/log/letsencrypt/letsencrypt.log
Deploying certificate
Could not install certificate
Problem in /etc/nginx/sites-enabled/blueknobrfb.appylanding.net: tried to insert directive "['ssl_ciphers', '"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"']" but found conflicting "['ssl_ciphers', 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384']".
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nginx

The operating system my web server runs on is (include version): ubuntu

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.32.0

rg305 · November 13, 2022, 5:04am

Hi @treadnought, and welcome to the LE community forum

Let's have a look at this file:

That is very strange!
The two are identical.

treadnought · November 13, 2022, 5:05am

That's what's confusing me!

treadnought · November 13, 2022, 5:07am

From the sites-enabled directory:

lrwxrwxrwx  1 root root   54 Nov 12 08:46 blueknobrfb.appylanding.net -> /etc/nginx/sites-available/blueknobrfb.appylanding.net

That's a symlink isn't it

rg305 · November 13, 2022, 5:08am

Yes.
But you should be able to show it nonetheless:
cat /etc/nginx/sites-enabled/blueknobrfb.appylanding.net

treadnought · November 13, 2022, 5:09am

root@hidden-briars:/etc/nginx/sites-available# cat blueknobrfb.appylanding.net
# FORGE CONFIG (DO NOT REMOVE!)
include forge-conf/blueknobrfb.appylanding.net/before/*;

server {
    listen 80;
    listen [::]:80;
    server_name blueknobrfb.appylanding.net;
    server_tokens off;
    root /home/forge/blueknobrfb.appylanding.net/public;

    # FORGE SSL (DO NOT REMOVE!)
    # ssl_certificate;
    # ssl_certificate_key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    ssl_dhparam /etc/nginx/dhparams.pem;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    index index.html index.htm index.php;

    charset utf-8;

    # FORGE CONFIG (DO NOT REMOVE!)
    include forge-conf/blueknobrfb.appylanding.net/server/*;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    access_log off;
    error_log  /var/log/nginx/blueknobrfb.appylanding.net-error.log error;

    error_page 404 /index.php;

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }

    location ~ /\.(?!well-known).* {
        deny all;
    }
}

# FORGE CONFIG (DO NOT REMOVE!)
include forge-conf/blueknobrfb.appylanding.net/after/*;

rg305 · November 13, 2022, 5:11am

Looks like it might be a bug.
Can you try without line?:

ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

rg305 · November 13, 2022, 5:13am

Also, what is this all about?:

treadnought:

# FORGE CONFIG (DO NOT REMOVE!)
include forge-conf/blueknobrfb.appylanding.net/before/*;

    # FORGE CONFIG (DO NOT REMOVE!)
    include forge-conf/blueknobrfb.appylanding.net/server/*;

# FORGE CONFIG (DO NOT REMOVE!)
include forge-conf/blueknobrfb.appylanding.net/after/*;

treadnought · November 13, 2022, 5:35am

I'm running Laravel Forge on a VPS, I read and obey all its commands

rg305 · November 13, 2022, 5:38am

But are there any SSL related lines in any of that?

treadnought · November 13, 2022, 5:50am

I removed the lines beginning ssl_ciphers and ssl_dhparam and the install worked. Thanks very much for your assistance

system · December 13, 2022, 5:50am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Err_cert_common_name_invalid Help	13	1138	April 3, 2020
Certbot Invalid response from Help	4	668	March 31, 2022
Take the certifikate Help	4	414	August 27, 2023
I domain was blocked to receive LET"S Encrypt SSL Help	7	677	April 22, 2020
Ssl_error_no_cypher_overlap Help	7	895	January 11, 2023

Conflicting ssl_ciphers

Related topics