I’ve got Certbot 0.31.0 on Ubuntu 18.04 (most recent) w/ Nginx. I’m looking to disable TLS 1.0/1.1 but I’m not sure in which configuration file I should do that.
Can I simply edit /etc/letsencrypt/options-ssl-nginx.conf, even though it says it is managed by Certbot and that my changes will be overwritten? Other posts in the forums seem to indicate that I should edit it directly but the files says NOT to do so. Does Certbot really need /etc/letsencrypt/options-ssl-nginx.conf?
Where am I to edit the TLS configuration so I’m on the Mozilla Observatory TLS Intermediate configuration? https://ssl-config.mozilla.org/
Also, can we add details like this to the official documentation?
That's not quite what it says. However, as it's often interpreted that way, perhaps the wording should be changed to be clearer. I've filed an issue for that.
That file is a suitable place, as most of the parameters will be overlapping.
Thanks for your help and for filing that issue. I do wish the inner workings of Certbot were better documented. For example, /etc/letsencrypt/options-ssl-nginx.conf isn’t detailed in the documentation.
The same wording issue exists in the sites-available configuration files for the server block (Nginx in my case), which state:
“# managed by Certbot”
I’ve edited those directly but couldn’t find any direct documentation on the correct way to, for example, add HTTP/2 or anything else to the config without breaking Certbot.
You can add http2 to the listen directive and it won't break anything. Certbot will respect it and won't blow up. But of course, users have no way to know that.
_az Thank you sooo much! I will fiddle w/ enabling HTTP/2 and IPv6 later. It would be great if there were more details in the documentation, even a simple listing: this file does this function, edit this to enable blah.
So I can edit Nginx config files directly, but it is better to edit options-ssl-nginx.conf. What I’m still not 100% understanding is whether this will cause any issue with Certbot in any way.
You need to understand that that file is there for your convenience only.
If you want to use it, good.
If you want to make your own config, good.
You can edit the file, but editing it will cause certbot not to update it in the future. So, if you want to use certbot’s defaults on one virtualhost, and some customized settings on another, leave the file alone. Otherwise, you can pretty much do whatever you want.
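The thread settles on two things: replace the protocol and cipher settings in /etc/letsencrypt/options-ssl-nginx.conf (accepting that Certbot will then leave the file alone), and add `http2` to the `listen` directive in the server block. The script below is an added example, not code from the thread, from Certbot or from Mozilla: it writes a constructed replacement for the options file using values in the style of Mozilla's intermediate profile (assumption: check https://ssl-config.mozilla.org/ for the current list before deploying), writes a constructed server block that includes it, and provides a small check that flags any `ssl_protocols` line still enabling TLSv1 or TLSv1.1, so you can confirm the edit took effect before reloading Nginx. The file paths and the sample "before" line are constructed for the demo.

```shell
#!/bin/sh
# Added example for the thread above (not Certbot's own code or files).

# Write a replacement for /etc/letsencrypt/options-ssl-nginx.conf.
# Assumption: values mirror the Mozilla ssl-config generator's
# "intermediate" nginx profile; verify against the generator before use.
# Once this file differs from Certbot's shipped copy, Certbot stops
# updating it (as the thread explains), so future changes are on you.
write_intermediate_options() {
    # $1 = path to write (use a temp path to preview, then copy into place)
    cat > "$1" <<'EOF'
# TLS settings shared by all server blocks that include this file.
ssl_session_timeout 1d;
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_tickets off;

# TLS 1.0 and 1.1 are dropped here; only 1.2 and 1.3 remain.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
EOF
}

# Write a constructed server block (hypothetical host name) showing the
# http2 and IPv6 listen directives the thread asks about, with the
# options file included the same way Certbot's own "managed" blocks do.
write_server_block() {
    # $1 = path to write, $2 = options file path to include
    cat > "$1" <<EOF
server {
    server_name www.example.org;   # constructed example host
    listen 443 ssl http2;          # http2 added to the listen directive
    listen [::]:443 ssl http2;     # same for IPv6
    include $2;
    ssl_certificate /etc/letsencrypt/live/www.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.example.org/privkey.pem;
}
EOF
}

# Return 0 when no ssl_protocols directive in the file enables TLSv1 or
# TLSv1.1, 1 when one does. Comments are stripped first so a commented-out
# legacy line does not trigger a false positive.
check_no_legacy_tls() {
    # $1 = nginx config or include file to inspect
    if sed 's/#.*//' "$1" \
        | grep -E '^[[:space:]]*ssl_protocols' \
        | grep -Eq '(^|[[:space:]])TLSv1(\.1)?([[:space:]]|;)'; then
        return 1
    fi
    return 0
}

# Demo on constructed files in a temp directory.
demo() {
    d=$(mktemp -d)
    # Constructed "before" line with TLS 1.0/1.1 still enabled.
    printf 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n' > "$d/old.conf"
    write_intermediate_options "$d/options-ssl-nginx.conf"
    write_server_block "$d/example.org.conf" "$d/options-ssl-nginx.conf"
    for f in "$d/old.conf" "$d/options-ssl-nginx.conf"; do
        if check_no_legacy_tls "$f"; then
            echo "$f: only TLS 1.2+ enabled"
        else
            echo "$f: legacy TLS still enabled"
        fi
    done
    rm -rf "$d"
}
# After copying the options file into place on the real host, run
#   sudo nginx -t && sudo systemctl reload nginx
# and confirm from another machine that the old protocol is refused:
#   openssl s_client -connect www.example.org:443 -tls1_1 </dev/null
# (the handshake should fail).
```

The check only reads configuration text; it does not prove what the running server negotiates, which is why the live `openssl s_client` test at the end is the final word. If you keep several server blocks and want Certbot's defaults on some of them, leave the shared options file untouched and put the `ssl_protocols` and `ssl_ciphers` lines after the `include` inside the specific block instead, since a directive at the server level overrides the included one.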