Generating options-ssl-nginx.conf and ssl-dhparams in certonly mode

Hello, I'm using nginx within docker, so I've installed certbot on the host machine and used certbot certonly along with the dns-digitalocean plugin to generate my certs. It's working well, except I get a B rating on ssl labs. I believe this is because I'm missing the options-ssl-nginx.conf and ssl-dhparams.pem bits from my nginx config. How do I get certbot to generate these and keep them up to date, without it trying to modify my nginx config or running the nginx binary? (It can't, because nginx is inside a docker container.) I was hoping to simply include the lines in my nginx config, like:

include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

Is my only option to copy them from the certbot source code (here and here)? They're small files but I worry they'll get stale.

My domain is:

29th.xyz

My web server is (include version):

Technically it's nginx, but it's running in a docker container, so there is no nginx binary on the host machine.

The operating system my web server runs on is (include version):

Ubuntu 18.04.3 LTS

My hosting provider, if applicable, is:

Digital Ocean

I can login to a root shell on my machine (yes or no, or I don't know):

Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

1.9.0

2 Likes

I think it's probably better to use something like https://ssl-config.mozilla.org (which informs the choices the Certbot project makes anyway).

The Certbot installer does other things in addition to that configuration file. For example, configuring OCSP Stapling, which it does selectively based on your nginx version.

While it is true that configuration tends to get stale, it's not likely that the configuration will change much, if at all, for a selected version of nginx/OpenSSL. This is especially true since the introduction of TLS 1.3, which is much harder to "get wrong".

When you upgrade the software in your containers, you can check whether the SSL configuration needs to be updated as well.

4 Likes

Excellent, thank you. Just to confirm, that dhparam file, which looks like a key, is not a secret, and it's safe to put that into my source control, right?

2 Likes

Yes, you can also generate your own during setup if you want to, but it can take a little while (turns out the recommendation is now to use the predefined RFC7919 groups, i.e. the ffdhe2048 file).

1 Like
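Following up on the last two posts, here is an added example (mine, not from this thread, from Certbot or from the Mozilla generator) showing what is actually inside an ssl_dhparam file and why it is safe to commit. A PEM "DH PARAMETERS" block is just DER SEQUENCE { INTEGER p, INTEGER g }: the public group prime and generator, nothing private. The script decodes that structure without any third-party library, refuses files whose PEM label is anything else (for example a mislabelled PRIVATE KEY), and flags primes shorter than 2048 bits. The 2048-bit sample prime is constructed (a large odd number, not a real safe prime) purely to exercise the parser; the parser does not test primality, so a real file from openssl dhparam or the RFC 7919 ffdhe2048 group should still be checked with `openssl dhparam -in FILE -check -noout` before use.

```python
"""Inspect a PEM 'DH PARAMETERS' file of the kind nginx loads via ssl_dhparam.

Added example, not code from the thread, Certbot or Mozilla. It parses the
DER payload (SEQUENCE { INTEGER p, INTEGER g }) by hand to show that the file
holds only public group values, and performs sanity checks on them.
"""
import base64
import re

MIN_DH_BITS = 2048  # assumption: the floor both Certbot and Mozilla ship today

# --- minimal DER encoder, used only to build constructed samples ---------------

def _der_encode_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_encode_int(value):
    """DER INTEGER for a non-negative int (leading 0x00 if the top bit is set)."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_encode_len(len(body)) + body


def encode_dh_params(p, g):
    """Build a PEM 'DH PARAMETERS' block from a prime and a generator."""
    seq_body = _der_encode_int(p) + _der_encode_int(g)
    der = b"\x30" + _der_encode_len(len(seq_body)) + seq_body
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines)
            + "\n-----END DH PARAMETERS-----\n")

# --- decoder and checks ---------------------------------------------------------

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def _der_read_len(data, pos):
    first = data[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _der_read_int(data, pos):
    if data[pos] != 0x02:
        raise ValueError("expected INTEGER at offset %d" % pos)
    length, pos = _der_read_len(data, pos + 1)
    return int.from_bytes(data[pos:pos + length], "big", signed=True), pos + length


def parse_dh_params(pem):
    """Return {'p', 'g', 'bits'} from a PEM DH PARAMETERS block; raise ValueError otherwise.

    Strict on purpose: exactly p and g must be present. openssl dhparam writes
    exactly that; the optional privateValueLength of PKCS#3 is rejected here.
    """
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM block found")
    label, body = m.group(1), m.group(2)
    if label != "DH PARAMETERS":
        raise ValueError("expected a DH PARAMETERS block, found %s" % label)
    der = base64.b64decode("".join(body.split()))
    if not der or der[0] != 0x30:
        raise ValueError("DER payload is not a SEQUENCE")
    seq_len, pos = _der_read_len(der, 1)
    end = pos + seq_len
    p, pos = _der_read_int(der, pos)
    g, pos = _der_read_int(der, pos)
    if pos != end or end != len(der):
        raise ValueError("unexpected trailing data after p and g")
    return {"p": p, "g": g, "bits": p.bit_length()}


def check_dh_params(pem, min_bits=MIN_DH_BITS):
    """Return a list of problems; an empty list means the file looks sane.

    Does not prove p is prime; run 'openssl dhparam -check' for that.
    """
    try:
        params = parse_dh_params(pem)
    except ValueError as exc:
        return [str(exc)]
    issues = []
    if params["bits"] < min_bits:
        issues.append("prime is %d bits, below the %d-bit minimum" % (params["bits"], min_bits))
    if params["p"] % 2 == 0:
        issues.append("p is even, so it cannot be prime")
    if params["g"] < 2:
        issues.append("generator %d is invalid" % params["g"])
    return issues


# Constructed sample: a 2048-bit odd number, NOT a real safe prime, used only
# to exercise the encoder/decoder. Never deploy it.
SAMPLE_P = (1 << 2047) | (0xDEADBEEF << 1024) | 1
SAMPLE_PEM = encode_dh_params(SAMPLE_P, 2)

if __name__ == "__main__":
    print(SAMPLE_PEM)
    print(check_dh_params(SAMPLE_PEM))            # []
    print(check_dh_params(encode_dh_params(23, 5)))  # textbook toy group: too small
```

The useful takeaway for source control is the structure itself: both integers the parser recovers are the values every TLS client receives in the ServerKeyExchange handshake anyway, so committing the file leaks nothing. Keep the private key (privkey.pem) out of the repository; it is a different PEM label and the parser above rejects it for exactly that reason.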