How can I edit ssl protocols in options-ssl-nginx.conf Nginx officially

Help
1

Hi,

I’m just wondering how possible to edit the ssl_protocols in official way because the instruction in the option-ssl-nginx.conf says don’t do it manually, but I can’t find any command for this.

Could you please advice?

Thanks!

I ran this command: sudo nano /etc/letsencrypt/options-ssl-nginx.conf

It produced this output:
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1440m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;

My web server is (include version): nginx/1.10.3 (Ubuntu)

The operating system my web server runs on is (include version): ubuntu 16.04

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

2

Don’t include the file, then add your own config to nginx. That simple.

And check: https://www.ssllabs.com/ssltest/index.html

3

The idea with options-ssl-nginx.conf is, that the certbot developers will decide for you what the most optimal configuration should/could be. As far as I know, mostly the Mozilla recommendations are followed, I think (but I'm not sure?) the intermediate recommendation.

If you don't like that idea, but you do like the automated installation of certificates by certbot (which includes a link to the options-ssl-nginx.conf file), you are allowed to edit the file! Just as the warning says. The only thing is, it isn't updated any longer if the certbot team decides something else is better. However, you decided you know the configuration better than the certbot team anyway, so there's no issue anyway :wink:

4

The ssl_protocols setting was updated last year, but many people are stuck with older versions of Certbot. :grimacing:

(There are multiple files because Certbot will install a different one depending on what your system is compatible with.)

6

no, no, no, no.

if you want the latest version, use certbot-auto