Let's Encrypt overrides Apache's SSLCipherSuite

This has been mentioned in an earlier posting Let’s Encrypt and SSL Labs weak Cipher Suites but to me was inconclusive.

I have spent some time trying to change Apache’s SSLCipherSuite to exclude some of the weaker ciphers, in part to remove “weak” ciphers from SSLLabs reports. It took me a while to discover that /etc/letsencrypt/options-ssl-apache.conf overrides Apache’s SSLCipherSuite, since it’s installed in each web site’s VirtualHost, well after SSLCipherSuite has been defined in the Apache “enabled” configs (Apache 2.4.18).

The obvious and immediate solution would be to remove SSLCipherSuite from the letsencrypt config, but a caveat at the top of that file states, “If you modify this file manually, Certbot will be unable to automatically provide future security updates”.

This implies certbot gets its certification from that file. Fair enough. Still a problem for Apache config, though.

Are these inclusions necessary at all, given that the few Apache commands they specify are already defined in either Apache’s ssl.conf and/or security.conf?

Example VirtualHost…

<VirtualHost nnn.nnn.nnn:443>
  (various site setup commands)
  Include	/etc/letsencrypt/options-ssl-apache.conf
  SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>
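As an added illustration of the precedence described above (not code from this thread or from Certbot), the following Python script resolves which SSLCipherSuite Apache actually applies to a VirtualHost. The three config files are constructed stand-ins with placeholder cipher strings and addresses; the point it shows is that a directive inside the VirtualHost (via the Include) replaces the server-level one regardless of which file is read first, and that commenting it out hands control back to ssl.conf.

```python
import re

# Constructed stand-ins for the files involved; Certbot's real
# options-ssl-apache.conf carries a much longer cipher list than this placeholder.
FILES = {
    "/etc/apache2/mods-enabled/ssl.conf": "SSLCipherSuite HIGH:!aNULL:!MD5\n",
    "/etc/letsencrypt/options-ssl-apache.conf":
        "SSLEngine on\nSSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256\n",
    "/etc/apache2/sites-enabled/example.conf":
        "<VirtualHost 192.0.2.10:443>\n  ServerName example.com\n"
        "  Include\t/etc/letsencrypt/options-ssl-apache.conf\n"
        "  SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem\n"
        "</VirtualHost>\n",
}
# mods-enabled (ssl.conf) is read before sites-enabled, as on Debian/Ubuntu.
LOAD_ORDER = ["/etc/apache2/mods-enabled/ssl.conf", "/etc/apache2/sites-enabled/example.conf"]

def directives(files, path):
    """Yield (line, source_path) for each live directive, expanding Include."""
    for raw in files[path].splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out directive is invisible to Apache
        inc = re.match(r"Include(?:Optional)?\s+(\S+)", line)
        if inc:
            yield from directives(files, inc.group(1))
        else:
            yield line, path

def effective_cipher_suite(files, load_order, server_name):
    """Return (value, source_file) of the SSLCipherSuite applied to server_name."""
    # Server-level value is only a default; one inside the matching <VirtualHost>
    # (directly or via Include) replaces it outright, whatever the read order.
    server_level, vhosts, block = None, [], None
    for path in load_order:
        for line, src in directives(files, path):
            if line.startswith("<VirtualHost"):
                block = {"name": None, "cipher": None}
            elif line.startswith("</VirtualHost>"):
                vhosts.append(block)
                block = None
            parts = re.split(r"\s+", line, maxsplit=1)
            key, value = parts[0], (parts[1] if len(parts) > 1 else "")
            if key == "ServerName" and block is not None:
                block["name"] = value
            elif key == "SSLCipherSuite" and block is not None:
                block["cipher"] = (value, src)
            elif key == "SSLCipherSuite":
                server_level = (value, src)
    match = next((v for v in vhosts if v["name"] == server_name), None)
    return (match and match["cipher"]) or server_level
```

Run it against FILES and then against a copy with the Certbot line prefixed by `#` to see the source flip from options-ssl-apache.conf back to ssl.conf.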

Certbot doesn't rely on anything in that file. It's there purely as a security enhancement to your server.

If you want to modify it to change or remove the ciphersuites, you can. It won't break anything, and Certbot will avoid undoing your changes in future; it is intentionally designed that way.


Maybe we should rephrase “future security updates”; as @_az says, it doesn’t refer to certificates, but rather to server configuration changes.


So if I comment-out SSLCipherSuite, letsencrypt will renew with no problem?

It seems like the warning should certainly be reworded. It's very misleading.

Thanks for the responses, anyway, guys.


I created an issue about this at


Thanks! 🙂
