This has been mentioned in an earlier posting, “Let’s Encrypt and SSL Labs weak Cipher Suites”, but to me it was inconclusive.
I have spent some time trying to change Apache’s SSLCipherSuite to exclude some of the weaker ciphers, in part to remove “weak” ciphers from SSLLabs reports. It took me a while to discover that /etc/letsencrypt/options-ssl-apache.conf overrides Apache’s SSLCipherSuite, since it’s installed in each web site’s VirtualHost, well after SSLCipherSuite has been defined in the Apache “enabled” configs (Apache 2.4.18).
The obvious and immediate solution would be to remove SSLCipherSuite from the letsencrypt config, but a caveat at the top of that file states, “If you modify this file manually, Certbot will be unable to automatically provide future security updates”.
This implies certbot gets its certification from that file. Fair enough. Still a problem for Apache config, though.
Are these inclusions necessary at all, given that the few Apache commands they specify are already defined in either Apache’s ssl.conf and/or security.conf?
```apache
<VirtualHost nnn.nnn.nnn:443>
    (various site setup commands)
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>
```
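The precedence question in the post (a server-wide SSLCipherSuite in ssl.conf being replaced by the one pulled in via Include inside each VirtualHost) can be checked mechanically. The following is an added example, not code from the post, from Certbot or from Apache: a small resolver that models Apache's merge rules for this directive (an Include is spliced into the enclosing section; a directive inside VirtualHost overrides the server-wide one; within one section the last occurrence wins) and reports which file each vhost's effective cipher string comes from. The file contents are constructed placeholders (the cipher strings are labels, not real cipher lists), and the `hardened.example.com` vhost is a hypothetical one showing that an SSLCipherSuite placed after the Include line wins without editing the Certbot-managed file.

```python
import re

# Constructed stand-ins for the on-disk files (placeholder contents, not the real
# Ubuntu/Certbot files). The cipher strings are labels, not real cipher lists.
SAMPLE_FILES = {
    "/etc/apache2/mods-enabled/ssl.conf":
        "SSLCipherSuite GLOBAL-HARDENED-LIST\n"
        "SSLProtocol all -SSLv3\n",
    "/etc/letsencrypt/options-ssl-apache.conf":
        "# managed by Certbot (placeholder contents)\n"
        "SSLEngine on\n"
        "SSLCipherSuite CERTBOT-DEFAULT-LIST\n"
        "SSLHonorCipherOrder on\n",
    "/etc/apache2/sites-enabled/example.conf":
        "<VirtualHost *:443>\n"
        "    ServerName example.com\n"
        "    Include /etc/letsencrypt/options-ssl-apache.conf\n"
        "    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem\n"
        "</VirtualHost>\n"
        "<VirtualHost *:443>\n"
        "    ServerName hardened.example.com\n"          # hypothetical vhost
        "    Include /etc/letsencrypt/options-ssl-apache.conf\n"
        "    SSLCipherSuite SITE-OVERRIDE-LIST\n"        # after the Include: wins
        "</VirtualHost>\n"
        "<VirtualHost *:443>\n"
        "    ServerName plain.example.com\n"             # no Include, no directive
        "</VirtualHost>\n",
}

VHOST_OPEN = re.compile(r"^<VirtualHost\s+([^>]+)>$", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^</VirtualHost>$", re.IGNORECASE)


def expand(path, files, depth=0):
    """Yield (source_file, line) with Include/IncludeOptional spliced in place,
    the way Apache inserts an included file into the enclosing section."""
    if depth > 16:
        raise ValueError("Include nesting too deep: %s" % path)
    for raw in files[path].splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        directive = parts[0].lower()
        if directive in ("include", "includeoptional") and len(parts) == 2:
            target = parts[1].strip()
            if target in files:
                yield from expand(target, files, depth + 1)
            elif directive == "include":
                raise FileNotFoundError(target)  # plain Include of a missing file is fatal
            continue
        yield path, line


def effective_cipher_suites(entry_points, files):
    """Map each VirtualHost (by ServerName) to (cipher_string, defining_file).

    Rules modelled: a directive inside <VirtualHost> overrides the server-wide
    one; within a section the last occurrence wins; a vhost without its own
    SSLCipherSuite inherits the final server-wide value.
    """
    global_cs = (None, None)
    vhosts = []          # each entry: [name, (cipher, source_file)]
    current = None
    for entry in entry_points:
        for src, line in expand(entry, files):
            m = VHOST_OPEN.match(line)
            if m:
                current = [m.group(1), (None, None)]
                vhosts.append(current)
                continue
            if VHOST_CLOSE.match(line):
                current = None
                continue
            parts = line.split(None, 1)
            if len(parts) != 2:
                continue
            key, value = parts[0].lower(), parts[1].strip()
            if key == "servername" and current is not None:
                current[0] = value
            elif key == "sslciphersuite":
                if current is None:
                    global_cs = (value, src)      # server-wide scope, last wins
                else:
                    current[1] = (value, src)     # vhost scope, last wins
    return {name: (cs if cs[0] is not None else global_cs) for name, cs in vhosts}


def weak_cipher_report(entry_points, files, approved):
    """Names of vhosts whose effective SSLCipherSuite is not the approved string."""
    resolved = effective_cipher_suites(entry_points, files)
    return sorted(name for name, (cs, _) in resolved.items() if cs != approved)


if __name__ == "__main__":
    # Apache reads mods-enabled before sites-enabled on Debian/Ubuntu layouts.
    order = ["/etc/apache2/mods-enabled/ssl.conf",
             "/etc/apache2/sites-enabled/example.conf"]
    for name, (cs, src) in effective_cipher_suites(order, SAMPLE_FILES).items():
        print(f"{name:<24} {cs:<22} (from {src})")
```

Run against the constructed files, `example.com` resolves to the Certbot file's cipher string even though ssl.conf defined one first, `plain.example.com` inherits the server-wide value, and `hardened.example.com` gets the site's own string because it appears later in the same VirtualHost section than the Include. For a real server the equivalent check is to read the output of `apachectl -S` together with the files it lists, since only a running Apache knows the exact read order.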