Do I need: Include /etc/letsencrypt/options-ssl-apache.conf in my apache.conf file

Hi,

I see I have the following line in my apache vhosts file:
Include /etc/letsencrypt/options-ssl-apache.conf

Do I need this to successfully renew my certificates?

My vhost file is strict on TLS:
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLHonorCipherOrder on
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM

But the Include has a much lower level of TLS:
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
SSLCompression off

Clearly I don’t want to lower my encryption requirements.

Can I # the Include line and still safely renew my certs?

Thanks.

You can do without it.
But you may need to include similar statements elsewhere.
Primarily:
SSLEngine on

Thank you. Yes, the full SSL entries are:
SSLEngine on

<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>

<Directory /usr/lib/cgi-bin>
    SSLOptions +StdEnvVars
</Directory>

SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLHonorCipherOrder on
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM
SSLCompression off

Hi @castletonroad,

The purpose of continuing to include this is so that the Certbot team can keep you up-to-date with defaults recommended by experts in the future. If you’ve made your own deliberate configuration changes and want to be responsible for maintaining your TLS options, you can feel free not to include the file (or to change its contents). Certificate renewals should work just fine without it.

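
The two answers above boil down to: the Include is not needed for renewal, but once it is commented out the vhost itself has to carry SSLEngine on and its own SSLProtocol and SSLCipherSuite lines. The following POSIX shell lint checks a vhost file for exactly that. It is an added example, not code from the thread or from Certbot: the two vhost fragments it inspects are constructed, example.invalid is a placeholder name, and it only accepts the "-all +TLSv1.2 +TLSv1.3" form (the poster's own setting) as strict, so any other spelling is flagged for a human to look at.

```shell
#!/bin/sh
# Textual lint for an Apache vhost after the Let's Encrypt Include is dropped.
# Added example; the sample vhosts below are constructed, not from a real host.

# Print the value of the last uncommented occurrence of a directive
# (Apache applies the later of two directives in the same scope).
directive_value() {
    awk -v d="$2" '
        tolower($1) == tolower(d) {
            v = $0
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]*/, "", v)
            sub(/[[:space:]]+$/, "", v)
            last = v
        }
        END { print last }' "$1"
}

# Succeeds when the file still has an active (uncommented) Include of the
# Certbot options file; a "# Include ..." line does not count.
uses_letsencrypt_include() {
    grep -q '^[[:space:]]*Include[[:space:]]*/etc/letsencrypt/options-ssl-apache.conf' "$1"
}

# Succeeds only for "-all" followed by +TLSv1.2 and/or +TLSv1.3 tokens.
protocol_is_strict() {
    set -- $1
    [ "$1" = "-all" ] || return 1
    shift
    [ $# -ge 1 ] || return 1
    for tok in "$@"; do
        case $tok in
            +TLSv1.2|+TLSv1.3) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Report what the vhost is missing; returns 0 when it is self-sufficient.
check_vhost() {
    file=$1
    status=0
    engine=$(directive_value "$file" SSLEngine | tr 'A-Z' 'a-z')
    if [ "$engine" != "on" ]; then
        echo "$file: 'SSLEngine on' is missing (found: '${engine:-nothing}')"
        status=1
    fi
    proto=$(directive_value "$file" SSLProtocol)
    if [ -z "$proto" ]; then
        echo "$file: no SSLProtocol in the vhost itself"
        status=1
    elif ! protocol_is_strict "$proto"; then
        echo "$file: SSLProtocol '$proto' is not of the form '-all +TLSv1.2 +TLSv1.3'"
        status=1
    fi
    if [ -z "$(directive_value "$file" SSLCipherSuite)" ]; then
        echo "$file: no SSLCipherSuite in the vhost itself"
        status=1
    fi
    if uses_letsencrypt_include "$file"; then
        echo "$file: note: options-ssl-apache.conf is still included; its directives apply too"
    fi
    return $status
}

# Constructed vhosts: the thread's end state, and one where SSLEngine on
# disappeared together with the Include.
good=$(mktemp); bad=$(mktemp)
cat > "$good" <<'EOF'
<VirtualHost *:443>
    ServerName example.invalid
    # Include /etc/letsencrypt/options-ssl-apache.conf
    SSLEngine on
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLHonorCipherOrder on
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM
    SSLCompression off
</VirtualHost>
EOF
cat > "$bad" <<'EOF'
<VirtualHost *:443>
    ServerName example.invalid
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM
</VirtualHost>
EOF
check_vhost "$good" && echo "$good: OK"
check_vhost "$bad" || echo "$bad: needs attention"
rm -f "$good" "$bad"
```

To use it on a real site, call check_vhost with the path of the vhost file instead of the constructed ones. The script only reads the file as text; after editing, run apachectl configtest so Apache itself confirms the result parses.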
@shoen

I don’t need to cater for lower encryption levels (and backward compatibility) on my site, so would like to exclude this file. Thanks very much for confirming that this is OK.
