Could not allocate new session in SSL session shared cache “le_nginx_SSL” while SSL handshaking

Does your site get a lot of traffic?

As https://trac.nginx.org/nginx/ticket/621 explains, this message is harmless. It won't cause errors for visitors. Instead, affected returning visitors would take a small efficiency penalty from not having SSL session resumption.

You could modify /etc/letsencrypt/options-ssl-nginx.conf and alter the following lines (bigger cache, or lower timeout, or both):

ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;

and then reload nginx. But keep in mind if you change this file, then Certbot won't apply automatic updates to it anymore. You'll have to keep it up to date manually.

Tuning these is tricky; there don't seem to be any concrete answers for "what values should I use when I get x SSL clients per day?". There seem to be some performance and security implications either way. To further complicate things, TLS 1.2 and TLS 1.3 differ with this specific configuration (session ID resumption only for the former, stateful tickets for the latter).

Some background reading:

tl;dr: Maybe try increasing ssl_session_cache by 2x or 3x and see if the problem goes away?

@schoen you always have a pretty impressive grasp on big picture cryptography, what do you think about tuning in this case?

3 Likes
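An added example (my own, not from the thread or from Certbot): a small POSIX shell script that counts the cache-full warning in an nginx error log and scales the `shared:NAME:<N>m` size in a copy of options-ssl-nginx.conf by the 2x/3x factor suggested above. The temp paths, log excerpt and conf copy are constructed for the demo; the function returns 1 if no matching directive is found.

```shell
#!/bin/sh
# Added example (not from the thread or from Certbot). Paths, the log
# excerpt and the conf copy below are constructed for the demo.

# count_cache_warnings LOGFILE -> prints how many times nginx logged the
# "could not allocate new session" warning (case-insensitive).
count_cache_warnings() {
    grep -ci 'could not allocate new session in SSL session shared cache' "$1" || true
}

# scale_session_cache CONF FACTOR -> multiplies the <N>m size in
# "ssl_session_cache shared:NAME:<N>m;" by FACTOR, rewrites CONF through a
# temp file (portable, no sed -i), and prints the new directive line.
scale_session_cache() {
    conf="$1"; factor="$2"
    cur=$(sed -n 's/^[[:space:]]*ssl_session_cache[[:space:]]*shared:[^:]*:\([0-9][0-9]*\)m;.*/\1/p' "$conf" | head -n 1)
    if [ -z "$cur" ]; then
        echo "no 'ssl_session_cache shared:NAME:<N>m;' directive in $conf" >&2
        return 1
    fi
    new=$((cur * factor))
    sed "s/^\([[:space:]]*ssl_session_cache[[:space:]]*shared:[^:]*:\)[0-9]*m;/\1${new}m;/" \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    grep '^[[:space:]]*ssl_session_cache' "$conf"
}

# --- constructed sample input (not real traffic) ---
demo=$(mktemp -d)
cat > "$demo/error.log" <<'EOF'
2021/05/10 12:00:01 [alert] 1234#1234: *5678 could not allocate new session in SSL session shared cache "le_nginx_SSL" while SSL handshaking, client: 203.0.113.5, server: 0.0.0.0:443
2021/05/10 12:00:02 [info] 1234#1234: *5679 client closed connection while waiting for request, client: 203.0.113.6, server: 0.0.0.0:443
2021/05/10 12:00:03 [alert] 1234#1234: *5680 could not allocate new session in SSL session shared cache "le_nginx_SSL" while SSL handshaking, client: 203.0.113.7, server: 0.0.0.0:443
EOF
cat > "$demo/options-ssl-nginx.conf" <<'EOF'
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
EOF

echo "cache-full warnings in log: $(count_cache_warnings "$demo/error.log")"   # 2
scale_session_cache "$demo/options-ssl-nginx.conf" 3   # shared:le_nginx_SSL:30m
# On a real host you would edit /etc/letsencrypt/options-ssl-nginx.conf
# instead, then run: nginx -t && nginx -s reload
# (and remember Certbot will no longer update that file for you).
rm -rf "$demo"
```

Run it against the real error log first: if the warning count is low relative to your handshake volume, the penalty the post describes is probably not worth the manual upkeep of a modified options file.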