I modified /etc/letsencrypt/options-ssl-nginx.conf on my debian 11 web server. I removed weak ciphers and removed support for TLSv1 and 1.1 and added support for 3.
I did a dry run after to make sure my certs will still renew and it was successful but I got this warning:
/etc/letsencrypt/options-ssl-nginx.conf has been manually modified; updated file saved to /usr/lib/python3/dist-packages/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf. We recommend updating /etc/letsencrypt/options-ssl-nginx.conf for security purposes.
I'm probably misreading it and it's just warning me the options conf file was manually modified which it was, but I'm reading it as saying I need to update the file but I'm not sure what it wants me to do.
Depending on which version of Certbot you're using (up to date or ancient), the bundled options-ssl-nginx.conf should have the configuration you require already.
However, if your Certbot hasn't been updated in a few years and the bundled options-ssl-nginx.conf didn't have support for TLSv1.2 and TLSv1.3 and you manually edited the file, then you're getting that warning. That's to be expected.
My advise is to update Certbot to a recent version with TLSv1.2 support by default and use the bundled options-ssl-nginx.conf.
thanks. it acts as i want it to, i already checked with that website right after making the changes and reloading nginx. i know more recent versions have the tls versions configured as i want but im already running the latest version of the python3 certbot debian package and it was initially installed long ago so it was still using the old options-ssl-nginx.conf file. i could have just purged and reinstalled to get the new one but i didnt want to.