Disable old ciphers in Nginx & Letsencrypt


#1

We are using Nginx & Letsencrypt for one of our sites. We wanted to disable older TLS versions and ciphers; for that I modified /etc/letsencrypt/options-ssl-nginx.conf as follows:

ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:!ECDHE-RSA-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!AES128-GCM-SHA256:!AES256-GCM-SHA384:!AES128-SHA256:!AES256-SHA256:!AES128-SHA:!AES256-SHA:!DES-CBC3-SHA:!DSS";

The above changes work, but if I make the same changes in the virtual host config file then I get errors like:

"ssl_ciphers" directive is duplicate in /etc/nginx/sites-enabled/test.com.conf

My question is: is it recommended to modify /etc/letsencrypt/options-ssl-nginx.conf, or is there another standard approach for making this change?
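Before reloading nginx, a cipher string like the one above can be checked offline against the same OpenSSL parser nginx hands it to. The following is an added example (not from the thread or from Certbot) in Python, using the standard `ssl` module; it assumes nginx's built-in default `HIGH:!aNULL:!MD5` as the comparison baseline, and its `weak` list surfaces any 3DES entry that lacks a leading `!`:

```python
import ssl

# Cipher string from the question's options-ssl-nginx.conf, embedded here as
# sample input (the live file on a server may differ).
QUESTION_CIPHERS = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:!ECDHE-RSA-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!AES128-GCM-SHA256:!AES256-GCM-SHA384:!AES128-SHA256:!AES256-SHA256:!AES128-SHA:!AES256-SHA:!DES-CBC3-SHA:!DSS"

# nginx's built-in default for ssl_ciphers, used here for comparison.
NGINX_DEFAULT_CIPHERS = "HIGH:!aNULL:!MD5"

# Substrings that mark ciphers a TLS 1.2-only server should not offer.
WEAK_MARKERS = ("DES", "RC4", "NULL", "MD5", "EXP")


def audit_cipher_string(cipher_string):
    """Resolve an OpenSSL cipher string the way nginx does for `ssl_protocols TLSv1.2;`.

    Returns the cipher names OpenSSL actually enables, the subset without
    forward secrecy (no ECDHE/DHE key exchange) and the subset matching
    WEAK_MARKERS. Raises ssl.SSLError if nothing in the string is usable.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Mirror `ssl_protocols TLSv1.2;`: no TLS 1.0/1.1 and no TLS 1.3.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_string)  # same parser nginx hands the string to
    # TLS 1.3 suites are configured separately in OpenSSL and always have
    # forward secrecy, so they are left out of the audit if present.
    enabled = [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]
    no_pfs = [n for n in enabled if not n.startswith(("ECDHE-", "DHE-"))]
    weak = [n for n in enabled if any(m in n for m in WEAK_MARKERS)]
    return {"enabled": enabled, "no_pfs": no_pfs, "weak": weak}


def cipher_string_is_valid(cipher_string):
    """True if OpenSSL accepts the string; an unusable one also fails `nginx -t`."""
    try:
        audit_cipher_string(cipher_string)
        return True
    except ssl.SSLError:
        return False


if __name__ == "__main__":
    for label, s in (("question", QUESTION_CIPHERS), ("nginx default", NGINX_DEFAULT_CIPHERS)):
        r = audit_cipher_string(s)
        print(f"{label}: {len(r['enabled'])} ciphers enabled")
        print(f"  without forward secrecy: {r['no_pfs']}")
        print(f"  weak: {r['weak']}")
```

The exact list depends on the OpenSSL build and security level nginx is linked against, so run it on the server itself for an authoritative answer.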


#2
$ head -n 5 /etc/letsencrypt/options-ssl-nginx.conf
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

Basically, you can modify the file and Certbot will not modify it in future. But you are acknowledging that you are taking full responsibility for all the parameters in this file from that point on.

I have no idea why you would get the duplicate directive error if all you did is modify the ssl_ciphers line - that shouldn’t happen.


#3

Thanks for the input. Is there any other standard approach for doing this? And how does Certbot confirm that the file should not be modified further and will be taken care of manually?


#4

Is there any other input on this?