Does Certbot really need /etc/letsencrypt/options-ssl-nginx.conf?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: lyte.sg

I ran this command: N/A

It produced this output: Showed up in our site configs:

include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

My web server is (include version): Nginx 1.14

The operating system my web server runs on is (include version): Ubuntu Server 18.04

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don’t know): Y

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): N

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0

We have several server block config files for Nginx, all using the same wildcard cert. Recently I noticed an extra line which I did not insert

include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

The directives in that file conflicts with the settings we declared in nginx.conf (based on Mozilla SSL config generator https://ssl-config.mozilla.org/#server=nginx&server-version=1.14.0&config=intermediate) Can we just remove the includes? Or will Certbot re-insert them again on next schedule check?

Certbot has what’s called “authenticator” plugins, and “installer” plugins:

  • “Authenticator” plugins automatically configure your webserver to perform challenge validation for issuing certificates.
  • “Installer” plugins add your certificates to your webserver, once Certbot has issued them. It also configures things like ciphersuites based on current practices (which are based on Mozilla’s recommendations).

As the admin of your webserver, you can make a choice about whether you want Certbot to perform the installation of your certificate, or whether you want to do it yourself.

When you run certbot --nginx, that is really saying certbot --authenticator nginx --installer nginx: do both for me.

You can get Certbot to do only the authenticator part, and to leave the configuration of the SSL certificates and settings to you: certbot certonly -a nginx.

In your case, it sounds like you made it do both, when you only wanted the authenticator part.

In your current situation, I believe you should just modify /etc/letsencrypt/options-ssl-nginx.conf to your liking, and remove the redundant settings from nginx.conf. Or you can comment out/truncate the contents of that file, and keep your nginx.conf settings. Either way is fine.

Certbot will avoid overwriting that file if it detects that it has been modified at all. It does this by only updating it if it exactly matches a previous version that shipped with Certbot.

1 Like

In this case, I’d comment out all the directives in options-ssl-nginx.conf since they are redundant. Thanks.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.