I ran this command:
I was changing the options-ssl-apache.conf file. I was modifying the SSLProtocol. I must have broken the SSLCipherSuite because when I try to restart Apache, it fails.
Syntax error on line 11 of /etc/letsencrypt/options-ssl-apache.conf: SSLCipherSuite takes one argument, Colon-delimited list of permitted SSL Ciphers (‘XXX:…:XXX’ - see manual)
It produced this output:
Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Thu 2020-09-17 20:11:16 UTC; 7s ago
Process: 8546 ExecStop=/usr/sbin/apachectl stop (code=exited, status=1/FAILURE)
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is: Google Cloud
I can login to a root shell on my machine (yes or no, or I don’t know): Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): SSH
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot
The actual contents of options-ssl-apache.conf would be helpful. It seems the error should be easily fixed if it actually is an issue with the argument of the parameter.
No. The private key is stored in a subdirectory of /etc/letsencrypt/live/ (symbolic links) or /etc/letsencrypt/archive/. options-ssl-apache.conf should only contain some Apache directives.
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.
SSLEngine on
# Intermediate configuration, tweak to your needs
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDH$
SSLHonorCipherOrder on
SSLCompression off
I don’t think you’d want just ECDHE as a cipher in your cipher list. I think there has been a copy/paste error previously and it contained a “full” cipher instead of just ECDHE.
Either way, OP should seriously consider either restoring the original LE configuration file (as a starting point) or generating a recommended configuration from mozilla… or a combination of both.
IMHO Balance Security and Accessibility in that order.
EDIT: It very well could have been a copy paste issue as you pointed out early in the thread… and the E key and $ key are pretty close for “fat fingers”!
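The two problems discussed in this thread, a SSLCipherSuite line that no longer parses as a single argument and a cipher list with a mangled or truncated element, can both be caught before restarting Apache. The script below is an added example written for this thread; it is not Certbot code and not part of any reply above. It reads an Apache fragment such as options-ssl-apache.conf, splits arguments the way Apache does, checks that SSLCipherSuite has exactly one argument (the rule behind the error message the OP quoted; httpd 2.4.36 and later also accept a leading protocol selector), and checks that every colon-separated element matches OpenSSL cipher-list syntax. The two config samples embedded in it are constructed for the demonstration, the broken one deliberately containing a space-split list and a truncated `ECDH$` token.

```python
"""Check the SSL directives in an Apache fragment before restarting httpd.

Added example for the Let's Encrypt thread above; not Certbot's code.
It enforces what Apache enforces for SSLCipherSuite (one argument, a
colon-delimited OpenSSL cipher list) plus a sanity check on SSLProtocol.
"""
import re
import shlex

# Simplified OpenSSL cipher-list grammar: an element is an optional
# modifier (!, -, +) followed by a cipher name or alias such as
# ECDHE-RSA-AES128-GCM-SHA256, HIGH or aNULL; names may be joined with
# '+' (RSA+AES). '@STRENGTH' and '@SECLEVEL=n' are the two trailing
# directives OpenSSL allows. Anything else ('$', spaces, stray quotes)
# is rejected as malformed.
TOKEN_RE = re.compile(r"^[!+-]?[A-Za-z0-9_-]+(\+[A-Za-z0-9_-]+)*$")
DIRECTIVE_RE = re.compile(r"^@(STRENGTH|SECLEVEL=\d)$")
KNOWN_PROTOCOLS = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2", "tlsv1.3"}

# Constructed sample modelled on the file quoted in the thread (shortened list).
GOOD_CONF = """\
# This file contains important security parameters.
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
SSLHonorCipherOrder on
SSLCompression off
"""

# Constructed broken sample: line 3 splits the list on a space (two
# arguments), line 4 ends in a truncated 'ECDH$' element.
BROKEN_CONF = """\
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDH$
SSLHonorCipherOrder on
"""


def parse_directives(text):
    """Yield (lineno, name, args) for each non-comment, non-blank line.

    shlex.split mimics Apache's argument splitting: whitespace separates
    arguments unless they are enclosed in double quotes.
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        yield lineno, parts[0], parts[1:]


def check_cipher_list(spec):
    """Return a list of problems found in one SSLCipherSuite argument."""
    problems = []
    for element in spec.split(":"):
        if not element:
            problems.append("empty element (doubled or trailing ':')")
        elif not (TOKEN_RE.match(element) or DIRECTIVE_RE.match(element)):
            problems.append("malformed cipher token %r" % element)
    return problems


def check_ssl_config(text):
    """Return 'line N: message' strings; an empty list means no problem found."""
    errors = []
    for lineno, name, args in parse_directives(text):
        if name == "SSLCipherSuite":
            # Pre-2.4.36 rule, which is the one behind the OP's error message.
            if len(args) != 1:
                errors.append("line %d: SSLCipherSuite takes one argument, got %d"
                              % (lineno, len(args)))
                continue
            for problem in check_cipher_list(args[0]):
                errors.append("line %d: %s" % (lineno, problem))
        elif name == "SSLProtocol":
            if not args:
                errors.append("line %d: SSLProtocol needs at least one value" % lineno)
            for tok in args:
                base = tok.lstrip("+-").lower()
                if base != "all" and base not in KNOWN_PROTOCOLS:
                    errors.append("line %d: unknown SSLProtocol value %r" % (lineno, tok))
    return errors


if __name__ == "__main__":
    import sys
    # Usage: python check_ssl_conf.py /etc/letsencrypt/options-ssl-apache.conf
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BROKEN_CONF
    for line in check_ssl_config(text) or ["no problems found"]:
        print(line)
```

Run it against the real file before `apachectl configtest`; the regex check does not replace `openssl ciphers -v "$LIST"`, which additionally confirms that every element resolves to a cipher the installed OpenSSL actually knows, but it pinpoints the line and element that Apache's one-line error does not name.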