Disable old ciphers in Nginx & Letsencrypt

DMahesh · January 22, 2019, 10:33am

We are using Nginx & Letsencrypt for one our site. We thought to disable older TLS and Ciphers for that I had modified the /etc/letsencrypt/options-ssl-nginx.conf as following

ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:!ECDHE-RSA-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!AES128-GCM-SHA256:!AES256-GCM-SHA384:!AES128-SHA256:!AES256-SHA256:!AES128-SHA:!AES256-SHA:!DES-CBC3-SHA:!DSS";

Above changes are working but if I do same changes in virtual host config file then I am getting errors like

"ssl_ciphers" directive is duplicate in /etc/nginx/sites-enabled/test.com.conf

My question is, is it recommended to modify /etc/letsencrypt/options-ssl-nginx.conf or do we have any other standard approach for doing this change?

_az · January 22, 2019, 10:40am

$ head -n 5 /etc/letsencrypt/options-ssl-nginx.conf
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

Basically, you can modify the file and Certbot will not modify it in future. But you are acknowledging that you are taking full responsibility for all the parameters in this file from that point on.

I have no idea why you would get the duplicate directive error if all you did is modify the ssl_ciphers line - that shouldn’t happen.

DMahesh · January 22, 2019, 10:43am

Thanks for inputs, is there any other standard approach doing this stuff? and how Certbot confirms that file should not be modified further and will taken care manually?

DMahesh · January 23, 2019, 10:43am

is there any other inputs for this?

system · February 22, 2019, 10:43am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Problem with nginx and letsencrypt Server	4	1942	July 21, 2016
How to enable TLS 1.3 in nginx configuration? [SOLVED] Help	10	12176	November 18, 2020
Requesting specific old ciphers for TLS certificates Help	15	1077	November 29, 2023
SSL Cipher suites settings in Nginx webserver Help	3	1514	June 2, 2021
How to remove some ciphers Server	12	5111	May 24, 2018

Disable old ciphers in Nginx & Letsencrypt

Related topics