Messed up the options-ssl-apache.conf file

My domain is: www.kingkaotix.com

I ran this command:
I was changing the options-ssl-apache.conf file. I was modifying the SSLProtocol. I must have broken the SSLCipherSuite because when I try to restart Apache, it fails.

Syntax error on line 11 of /etc/letsencrypt/options-ssl-apache.conf:
SSLCipherSuite takes one argument, Colon-delimited list of permitted SSL Ciphers ('XXX:...:XXX' - see manual)

It produced this output:
Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Thu 2020-09-17 20:11:16 UTC; 7s ago
Process: 8546 ExecStop=/usr/sbin/apachectl stop (code=exited, status=1/FAILURE)

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: Google Cloud

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): SSH

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot


The actual contents of options-ssl-apache.conf would be helpful. It seems the error should be easily fixed if it actually is an issue with the argument of the parameter.


Is my SSL key part of the file?

No. The private key is stored in a subdirectory of /etc/letsencrypt/live/ (symbolic links) or /etc/letsencrypt/archive/. options-ssl-apache.conf should only contain some Apache directives.


# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

SSLEngine on

# Intermediate configuration, tweak to your needs
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDH$
SSLHonorCipherOrder on
SSLCompression off

SSLOptions +StrictRequire

# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common

#CustomLog /var/log/apache2/access.log vhost_combined
#LogLevel warn
#ErrorLog /var/log/apache2/error.log

# Always ensure Cookies have "Secure" set (JAH 2012/1)
#Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"

Is that actually part of the file? Or perhaps a copy/paste issue?


I will try again but I think this is all I have:

# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

SSLEngine on

# Intermediate configuration, tweak to your needs
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDH$
SSLHonorCipherOrder on
SSLCompression off

SSLOptions +StrictRequire

# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common

#CustomLog /var/log/apache2/access.log vhost_combined
#LogLevel warn
#ErrorLog /var/log/apache2/error.log

# Always ensure Cookies have "Secure" set (JAH 2012/1)
#Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"


Should Be

ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE

Maybe you were typing this in by hand and pressed shift-4 instead of shift-E!?

The dollar sign definitely doesn't belong in that list. :)

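A small offline check for exactly what went wrong here, added as an example that is not part of this thread or of Certbot: it tokenises each Apache directive line the way httpd does (whitespace-separated, double-quoted arguments kept whole), confirms SSLCipherSuite received a single argument, and validates every colon-separated element against the shape of an OpenSSL cipher-string keyword (letters, digits, hyphens and underscores, optional !, - or + modifier, and the @STRENGTH / @SECLEVEL=n specials). The sample configuration is constructed from the lines posted above; the stray "$" in "ECDH$" is reported as an invalid element, and the corrected copy passes. Accepting an optional leading protocol selector ("SSL" or "TLSv1.3"), as newer mod_ssl releases do, is an assumption added here; the Apache version that produced the "takes one argument" error in this thread accepts only one argument.

```python
import re
import shlex

# Constructed sample input: the SSLCipherSuite line as posted in the thread,
# with the stray "$" that made Apache refuse to start, plus a corrected copy
# that replaces it with the full suite name the "$" stood in for.
BROKEN_CONF = """\
SSLEngine on
# Intermediate configuration, tweak to your needs
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDH$
SSLHonorCipherOrder on
SSLCompression off
"""
FIXED_CONF = BROKEN_CONF.replace("ECDH$", "ECDHE-RSA-AES256-GCM-SHA384")

# Shape of one element of an OpenSSL cipher string (see ciphers(1)): an
# optional "!", "-" or "+" modifier, then a suite name or keyword made of
# letters, digits, hyphens and underscores (TLS 1.3 names use underscores),
# optionally AND-ed with further keywords by "+". "@STRENGTH" and
# "@SECLEVEL=n" are the only elements allowed to start with "@".
ELEMENT_RE = re.compile(
    r"^(?:[!+-]?[A-Za-z0-9][A-Za-z0-9_-]*(?:\+[A-Za-z0-9][A-Za-z0-9_-]*)*"
    r"|@STRENGTH|@SECLEVEL=[0-5])$"
)

# Assumption: newer mod_ssl accepts an optional protocol selector before the
# cipher list. The thread's Apache version accepts exactly one argument.
PROTOCOL_PREFIXES = {"SSL", "TLSv1.3"}


def check_cipher_suite(conf_text):
    """Return a list of problems found in SSLCipherSuite lines (empty = OK)."""
    problems = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank or comment line
        try:
            tokens = shlex.split(line)    # splits on whitespace, honours quotes
        except ValueError as exc:         # unbalanced quote on this line
            problems.append(f"line {lineno}: {exc}")
            continue
        if not tokens or tokens[0].lower() != "sslciphersuite":
            continue
        args = tokens[1:]
        if len(args) == 2 and args[0] in PROTOCOL_PREFIXES:
            args = args[1:]
        if len(args) != 1:
            problems.append(
                f"line {lineno}: SSLCipherSuite takes one argument, got {len(args)}"
            )
            continue
        for element in args[0].split(":"):
            if not ELEMENT_RE.match(element):
                problems.append(
                    f"line {lineno}: invalid cipher-string element {element!r}"
                )
    return problems


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        found = check_cipher_suite(conf)
        print(f"{name}: {'OK' if not found else '; '.join(found)}")
```

This only catches malformed elements; a syntactically valid keyword can still be one OpenSSL does not know. Before restarting the service, `apachectl configtest` reports the same "takes one argument" class of error without taking the site down, and `openssl ciphers -v 'LIST'` shows which suites a candidate list actually expands to.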

Thank you so much for your help! The dollar sign fixed the problem.


I don't think you'd want just ECDHE as a cipher in your cipher list. I think there has been a copy/paste error previously and it contained a "full" cipher instead of just ECDHE.

@Osiris, I agree there seems to be an excessively limited “menu” of ciphers in @charveyjr’s posted configuration.

As I recall someone, maybe @_az, shared a link to Mozilla’s SSL Configuration Generator or maybe it was to the original /etc/letsencrypt/options-ssl-apache.conf

Either way, OP should seriously consider either restoring the original LE configuration file (as a starting point) or generating a recommended configuration from mozilla… or a combination of both.

IMHO Balance Security and Accessibility in that order.
EDIT: It very well could have been a copy paste issue as you pointed out early in the thread… and the E key and $ key are pretty close for “fat fingers”!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.