Let's Encrypt over-rides Apache's SSLCipherSuite

dstiles · October 10, 2019, 5:57pm

This has been mentioned in an earlier posting Let’s Encrypt and SSL Labs weak Cipher Suites but to me was inconclusive.

I have spent some time trying to change Apache’s SSLCipherSuite to exclude some of the weaker ciphers, in part to remove “weak” ciphers from SSLLabs reports. It took me a while to discover that /etc/letsencrypt/options-ssl-apache.conf over-rides Apache’s SSLCipherSuite, since it’s installed in each web site’s VirtualHost, well after SSLCipherSuite has been defined in the Apache “enabled” configs (Apache 2.4.18).

The obvious and immediate solution would be to remove SSLCipherSuite from the letsencrypt config, but a caveat at the top of that file states, “If you modify this file manually, Certbot will be unable to automatically provide future security updates”.

This implies certbot gets its certification from that file. Fair enough. Still a problem for Apache config, though.

Are these inclusions necessary at all, given that the few Apache commands they specify are already defined in either Apache’s ssl.conf and/or security.conf?

Example VirtualHost…

<VirtualHost nnn.nnn.nnn:443>
  (various site setup commands)
  Include	/etc/letsencrypt/options-ssl-apache.conf
  SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>

_az · October 10, 2019, 9:05pm

Certbot doesn't rely on anything in that file. It's there purely as a security enhancement to your server.

If you want to modify it to change or remove the ciphersuites, you can. it won't break anything and Certbot will avoid undoing your changes in future - it is intentionally designed in that way.

schoen · October 10, 2019, 9:57pm

Maybe we should rephrase “future security updates”; as @_az says, it doesn’t refer to certificates, but rather to server configuration changes.

dstiles · October 10, 2019, 10:09pm

So if I comment-out SSLCipherSuite, letsencrypt will renew with no problem?

It seems like the warning should certainly be reworded. It's very misleading.

Thanks for the responses, anyway, guys.

schoen · October 10, 2019, 10:14pm

I created an issue about this at

dstiles · October 10, 2019, 10:18pm

Thanks!

system · November 9, 2019, 10:18pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
What Files does certbot change Server	3	3278	March 14, 2017
Will LetsEncrypt work well on apache with existing certificate? Help	2	1242	March 8, 2017
Do I need: Include /etc/letsencrypt/options-ssl-apache.conf in my apache.conf file Issuance Tech	5	7015	May 10, 2020
Question about Certbot Apache autoconfiguration Help	1	1940	February 11, 2018
Apache with Let's Encrypt weird configuration behavior Help	2	450	April 8, 2020

Let's Encrypt over-rides Apache's SSLCipherSuite

Related topics