Do I have to do something after receiving this warning?

I modified /etc/letsencrypt/options-ssl-nginx.conf on my Debian 11 web server. I removed weak ciphers, removed support for TLSv1 and 1.1, and added support for 1.3.

I did a dry run after to make sure my certs will still renew and it was successful but I got this warning:
/etc/letsencrypt/options-ssl-nginx.conf has been manually modified; updated file saved to /usr/lib/python3/dist-packages/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf. We recommend updating /etc/letsencrypt/options-ssl-nginx.conf for security purposes.

I'm probably misreading it and it's just warning me the options conf file was manually modified which it was, but I'm reading it as saying I need to update the file but I'm not sure what it wants me to do.

You can just not use that file and put your own TLS config in your nginx config files :wink:

5 Likes

I still don't get it :upside_down_face:

Hi @dipl0, and welcome to the LE community forum :slight_smile:

Yes:

I'd just check the site with SSL Labs and verify that it is doing what you expect.

5 Likes

Depending on which version of Certbot you're using (up to date or ancient), the bundled options-ssl-nginx.conf should have the configuration you require already.

However, if your Certbot hasn't been updated in a few years and the bundled options-ssl-nginx.conf didn't have support for TLSv1.2 and TLSv1.3 and you manually edited the file, then you're getting that warning. That's to be expected.

My advice is to update Certbot to a recent version with TLSv1.2 support by default and use the bundled options-ssl-nginx.conf.

4 Likes

You can replace the

include /etc/letsencrypt/options-ssl-nginx.conf;

line with

include /etc/nginx/my_own_tls.conf;

and then put whatever you desire in the /etc/nginx/my_own_tls.conf file. Start from here and then read here.

4 Likes
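As an added illustration of the replacement described above (not from the thread or from Certbot), here is what the custom file and the server block that includes it could look like; the path /etc/nginx/my_own_tls.conf is taken from the reply, example.com and the cipher list are assumptions.

```nginx
# /etc/nginx/my_own_tls.conf  (example content, not Certbot's bundled file)
# Only TLS 1.2 and 1.3; TLSv1 and TLSv1.1 are not listed, so nginx refuses them.
ssl_protocols TLSv1.2 TLSv1.3;

# Let the client pick from this AEAD-only list (assumed list, adjust to policy).
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305";

# Session resumption without stateless tickets (ticket keys are never rotated by nginx itself).
ssl_session_cache shared:my_tls_cache:10m;
ssl_session_timeout 1d;
ssl_session_tickets off;

# --- in the site config, e.g. /etc/nginx/sites-enabled/example.com ---
server {
    listen 443 ssl http2;
    server_name example.com;   # assumed hostname

    # These two lines stay exactly as Certbot wrote them; certbot --nginx
    # looks for them when it renews and reloads.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Replaces: include /etc/letsencrypt/options-ssl-nginx.conf;
    # Certbot no longer sees its own file as modified, so the warning goes away.
    include /etc/nginx/my_own_tls.conf;

    # Certbot also writes this line; keep it if DHE ciphers are enabled.
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}
```

After `nginx -t && systemctl reload nginx`, confirm the result with the SSL Labs test mentioned above or locally with `openssl s_client -connect example.com:443 -tls1_1`, which should fail to negotiate, while `-tls1_3` succeeds.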

Thanks. It acts as I want it to; I already checked with that website right after making the changes and reloading nginx. I know more recent versions have the TLS versions configured as I want, but I'm already running the latest version of the python3 certbot Debian package, and it was initially installed long ago, so it was still using the old options-ssl-nginx.conf file. I could have just purged and reinstalled to get the new one, but I didn't want to.

1 Like

I understand this now as well as the warning, I was misreading it. I can use my own file instead of that one.

Also, I must say this is a very friendly community. I have reading comprehension problems and am used to being berated when I ask stupid questions like this.

2 Likes

Most (many?) people here are ESL users (myself included); we are literally trained not to expect any level of English language skills. :wink:

3 Likes
