Messed up the options-ssl-apache.conf file

charveyjr · September 17, 2020, 8:33pm

I ran this command:
I was changing the options-ssl-apache.conf file. I was modifying the SSLProtocol. I must have broken the SSLCipherSuite because when I try to restart Apache, failed.

Syntax error on line 11 of /etc/letsencrypt/options-ssl-apache.conf:
SSLCipherSuite takes one argument, Colon-delimited list of permitted SSL Ciphers (‘XXX:…:XXX’ - see manual)

It produced this output:
Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Thu 2020-09-17 20:11:16 UTC; 7s ago
Process: 8546 ExecStop=/usr/sbin/apachectl stop (code=exited, status=1/FAILURE)

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: Google Cloud

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): SSH

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot

Osiris · September 17, 2020, 8:56pm

The actual contents of options-ssl-apache.conf would be helpful. It seems the error should be easily fixed if it actually is an issue with the argument of the parameter.

charveyjr · September 17, 2020, 9:15pm

Is my SSL key part of the file?

Osiris · September 17, 2020, 9:18pm

No. The private key is stored in a subdirectory of /etc/letsencrypt/live/ (symbolic links) or /etc/letsencrypt/archive/. options-ssl-apache.conf should only contain some Apache directives.

charveyjr · September 17, 2020, 9:19pm

This file contains important security parameters. If you modify this file

manually, Certbot will be unable to automatically provide future security

updates. Instead, Certbot will print and log an error message with a path to

the up-to-date file that you will need to refer to when manually updating

this file.

SSLEngine on

Intermediate configuration, tweak to your needs

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDH$
SSLHonorCipherOrder on
SSLCompression off

SSLOptions +StrictRequire

Add vhost name to log entries:

LogFormat “%h %l %u %t “%r” %>s %b “%{Referer}i” “%{User-agent}i”” vhost_combined
LogFormat “%v %h %l %u %t “%r” %>s %b” vhost_common

#CustomLog /var/log/apache2/access.log vhost_combined
#LogLevel warn
#ErrorLog /var/log/apache2/error.log

Always ensure Cookies have “Secure” set (JAH 2012/1)

#Header edit Set-Cookie (?i)^(.)(;\ssecure)??((\s*;)?(.*)) “$1; Secure$3$4”

Osiris · September 17, 2020, 9:22pm

Is that actually part of the file? Or perhaps a copy/paste issue?

charveyjr · September 17, 2020, 9:42pm

I will try again but I think this is all I have:

This file contains important security parameters. If you modify this file

manually, Certbot will be unable to automatically provide future security

updates. Instead, Certbot will print and log an error message with a path to

the up-to-date file that you will need to refer to when manually updating

this file.

SSLEngine on

Intermediate configuration, tweak to your needs

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDH$
SSLHonorCipherOrder on
SSLCompression off

SSLOptions +StrictRequire

Add vhost name to log entries:

LogFormat “%h %l %u %t “%r” %>s %b “%{Referer}i” “%{User-agent}i”” vhost_combined
LogFormat “%v %h %l %u %t “%r” %>s %b” vhost_common

#CustomLog /var/log/apache2/access.log vhost_combined
#LogLevel warn
#ErrorLog /var/log/apache2/error.log

Always ensure Cookies have “Secure” set (JAH 2012/1)

#Header edit Set-Cookie (?i)^(.)(;\ssecure)??((\s*;)?(.*)) “$1; Secure$3$4”

(Attachment options conf screen shot.docx is missing)

Rip · September 17, 2020, 9:51pm

Should Be

ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE

schoen · September 18, 2020, 1:39am

Maybe you were typing this in by hand and pressed shift-4 instead of shift-E!?

The dollar sign definitely doesn’t belong in that list.

charveyjr · September 18, 2020, 11:20am

Thank you so much for your help! The dollar sign fixed the problem.

Osiris · September 18, 2020, 4:26pm

I don’t think you’d want just ECDHE as a cipher in your cipher list. I think there has been a copy/paste error previously and it contained a “full” cipher in stead of just ECDHE.

Rip · September 18, 2020, 5:38pm

@Osiris, I agree there seems to be an excessively limited “menu” of ciphers in @charveyjr’s posted configuration.

As I recall someone, maybe @_az, shared a link to Mozilla’s SSL Configuration Generator or maybe it was to the original /etc/letsencrypt/options-ssl-apache.conf

Either way, OP should seriously consider either restoring the original LE configuration file (as a starting point) or generating a recommended configuration from mozilla… or a combination of both.

IMHO Balance Security and Accessibility in that order.
EDIT: It very well could have been a copy paste issue as you pointed out early in the thread… and the E key and $ key are pretty close for “fat fingers”!

system · October 18, 2020, 5:34pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.