I maintain several websites that use Certbot. The Qualys SSL Labs SSL Server Test has historically graded them as A+, but recently the grade has changed to B:
"This server supports TLS 1.0 and TLS 1.1. Grade capped to B."
I could disable those protocols. For Apache, it would seem to require changing the SSLProtocol line in /etc/letsencrypt/options-ssl-apache.conf. But that file warns: “If you modify this file manually, Certbot will be unable to automatically provide future security updates.”
So, how can you disable TLS 1.0 and TLS 1.1, but still get configuration updates from Certbot? Will Certbot disable these obsolete protocols in the near future? Any advice would be appreciated.
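
As an added example (not part of the original post, and not Certbot's or Apache's own code), this Python script evaluates `SSLProtocol` arguments left to right and reports whether TLS 1.0 or TLS 1.1 remain enabled. The two sample configurations are constructed, and the script assumes an OpenSSL build in which `all` includes TLS 1.3.

```python
import re

# Words SSLProtocol accepts. Assumption: OpenSSL build with TLSv1.3;
# SSLv2 is still a recognised word but maps to nothing.
KNOWN = {"sslv2": set(), "sslv3": {"SSLv3"}, "tlsv1": {"TLSv1"},
         "tlsv1.1": {"TLSv1.1"}, "tlsv1.2": {"TLSv1.2"}, "tlsv1.3": {"TLSv1.3"}}
KNOWN["all"] = set().union(*KNOWN.values())
LEGACY = {"TLSv1", "TLSv1.1"}  # the versions the SSL Labs message names

def enabled_protocols(args):
    """Evaluate SSLProtocol arguments left to right."""
    enabled = set()
    for word in args.split():
        action = word[0] if word[0] in "+-" else ""
        name = (word[1:] if action else word).lower()
        if name not in KNOWN:
            raise ValueError(f"unknown protocol {word!r}")
        if action == "+":
            enabled |= KNOWN[name]
        elif action == "-":
            enabled -= KNOWN[name]
        else:
            enabled = set(KNOWN[name])  # a bare word overrides what came before
    return enabled

def audit(conf_text):
    """Return (line number, legacy protocols still enabled) per SSLProtocol line."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        # Commented-out directives start with '#' and do not match.
        m = re.match(r"\s*SSLProtocol\s+(.+)", line, re.IGNORECASE)
        if m:
            findings.append((lineno, sorted(enabled_protocols(m.group(1)) & LEGACY)))
    return findings

# Constructed sample configurations, not copied from any real file.
BEFORE = "SSLEngine on\nSSLProtocol all -SSLv2 -SSLv3\n"
AFTER = "# SSLProtocol all\nSSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1\n"

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        for lineno, legacy in audit(conf):
            print(f"{label}: line {lineno}: legacy enabled = {legacy or 'none'}")
```

This reads configuration text only; the protocols a server actually negotiates also depend on the OpenSSL build and on any virtual host that overrides the directive, so a rescan is still the final check.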