The options-ssl-nginx.conf file found in /etc/letsencrypt has a comment at the top that says: "This file contains important security parameters. If you modify this file manually, Certbot will be unable to automatically provide future security updates."
The nginx settings that are included in this file are:
ssl_session_cache
ssl_session_timeout
ssl_session_tickets off
ssl_protocols
ssl_prefer_server_ciphers
ssl_ciphers
I like having LE manage security by automatically removing weak protocols and ciphers, but I want to specify different values for some of the parameters that are included in options-ssl-nginx.conf. I tried creating my own config file and including it in the nginx server block after the options-ssl-nginx.conf include statement (so that I didn't have to touch the options-ssl-nginx.conf file), but nginx -t generates an error for the parameters that are the same in both files. I would like to see LE only manage the following items in options-ssl-nginx.conf so that LE can handle security automatically but I can manage the other settings:
@griffin This is a nginx issue, not a certbot issue. I'm sure we shouldn't bother the certbot devs with non-certbot-related questions, especially when we can ask for more details first too.
For example, I would like to see the exact error presented by nginx and the actual lines of nginx config typed by @tonoloway_le
While the nginx test command generates the error, I would not say that this is an "nginx issue". My take is that the nginx settings currently included in /etc/letsencrypt/options-ssl-nginx.conf are too broad and include items not related to security but rather performance. I think the nginx settings in this file should be limited to items having to do with security since that's what the comment at the top of the file references. Alternatively, if LE wants to keep the same nginx settings in this file, then perhaps LE should only update the two settings I mentioned and, accordingly, state more specifically in the message at the top that these two cannot be maintained automatically by LE if they are changed. This latter option would allow me to place my desired settings in the options-ssl-nginx.conf file.
No, ssl.conf in /etc/nginx/snippets is not created by nginx, it is the config file created by me. I have included it in the vhost file AFTER /etc/letsencrypt/options-ssl-nginx.conf so that, hopefully, any settings in it that duplicate settings in options-ssl-nginx.conf would override the same settings in the automatically maintained /etc/letsencrypt/options-ssl-nginx.conf file.
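The error the thread describes comes from nginx's configuration model: directives are inherited from an outer context (http) into an inner one (server, location), but a single-valued directive repeated within the same block is rejected as a duplicate, regardless of include order, so a snippet included after options-ssl-nginx.conf in the same server block cannot override it. The script below is an added example, not code from the thread or from Certbot: it expands `include` directives against an in-memory set of files and reports the six directives named above when they appear twice in one block, before `nginx -t` is even run. The file paths and contents (including the values shown for options-ssl-nginx.conf) are constructed sample data, and all six directives are treated as one-per-block for linting purposes.

```python
"""Find directives repeated in one nginx block after `include` expansion.

Added example for the thread above; not Certbot's code. Paths, file
contents and the sample values shown for options-ssl-nginx.conf are
constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# The six directives the thread lists from options-ssl-nginx.conf; the
# lint treats each as allowed at most once per block (assumption).
SINGLE_VALUED = {
    "ssl_session_cache", "ssl_session_timeout", "ssl_session_tickets",
    "ssl_protocols", "ssl_prefer_server_ciphers", "ssl_ciphers",
}

# Constructed stand-in for files on disk: path -> contents.
FILES: Dict[str, str] = {
    "/etc/nginx/sites-enabled/example.conf": """
server {
    listen 443 ssl;
    server_name example.test;
    ssl_certificate /etc/letsencrypt/live/example.test/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.test/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;   # Certbot-managed
    include /etc/nginx/snippets/ssl.conf;               # user-managed
    location / { return 200 "ok"; }
}
""",
    "/etc/letsencrypt/options-ssl-nginx.conf": """
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256";
""",
    "/etc/nginx/snippets/ssl.conf": """
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
""",
}

# Whitespace, comments, quoted strings, structural chars, bare words.
TOKEN_RE = re.compile(r"""\s+|\#[^\n]*|"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|[{};]|[^\s{};"'#]+""")


@dataclass
class Entry:
    name: str
    args: List[str]
    file: str
    children: Optional[List["Entry"]] = None  # set only for block directives


def tokenize(text: str) -> List[str]:
    """Split nginx config text into tokens, dropping whitespace and comments."""
    tokens, pos = [], 0
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"cannot tokenize near {text[pos:pos + 20]!r}")
        pos = m.end()
        tok = m.group(0)
        if not tok.isspace() and not tok.startswith("#"):
            tokens.append(tok)
    return tokens


def unquote(tok: str) -> str:
    if len(tok) >= 2 and tok[0] in "\"'" and tok[-1] == tok[0]:
        return tok[1:-1]
    return tok


def parse_block(tokens: List[str], i: int, path: str, files: Dict[str, str],
                nested: bool) -> Tuple[List[Entry], int]:
    """Parse directives until the closing '}' (nested) or end of input."""
    entries: List[Entry] = []
    while i < len(tokens):
        if tokens[i] == "}":
            if not nested:
                raise ValueError(f"{path}: unexpected '}}'")
            return entries, i + 1
        name, i, args = tokens[i], i + 1, []
        while i < len(tokens) and tokens[i] not in (";", "{", "}"):
            args.append(unquote(tokens[i]))
            i += 1
        if i >= len(tokens) or tokens[i] == "}":
            raise ValueError(f"{path}: directive '{name}' is not terminated by ';'")
        term, i = tokens[i], i + 1
        if term == "{":
            children, i = parse_block(tokens, i, path, files, nested=True)
            entries.append(Entry(name, args, path, children))
        elif name == "include":
            for inc in args:  # splice the included file into the current block
                entries.extend(parse_file(inc, files))
        else:
            entries.append(Entry(name, args, path))
    if nested:
        raise ValueError(f"{path}: missing '}}'")
    return entries, i


def parse_file(path: str, files: Dict[str, str]) -> List[Entry]:
    if path not in files:
        raise FileNotFoundError(path)
    return parse_block(tokenize(files[path]), 0, path, files, nested=False)[0]


def find_duplicates(entries: List[Entry], context: str = "main") -> List[Tuple[str, str, str, str]]:
    """Return (block, directive, first_file, repeat_file) for every repeat."""
    problems, first_seen = [], {}
    for e in entries:
        if e.children is not None:
            label = " ".join([e.name, *e.args])
            problems += find_duplicates(e.children, f"{context} > {label}")
        elif e.name in SINGLE_VALUED:
            if e.name in first_seen:
                problems.append((context, e.name, first_seen[e.name], e.file))
            else:
                first_seen[e.name] = e.file
    return problems


def lint(path: str, files: Dict[str, str] = FILES) -> List[Tuple[str, str, str, str]]:
    return find_duplicates(parse_file(path, files))


if __name__ == "__main__":
    for block, name, first, again in lint("/etc/nginx/sites-enabled/example.conf"):
        print(f"{name}: set in {first}, repeated in {again} (block: {block})")
```

Run as-is it reports the two directives that the constructed snippet repeats in the same server block (ssl_session_cache and ssl_session_timeout), naming the file that set each one first; a snippet containing only directives absent from options-ssl-nginx.conf produces no findings. To use it against a real server, replace FILES with a dict loaded from disk; the parser deliberately ignores nginx's glob and variable features in include paths, so it is a pre-check, not a replacement for `nginx -t`.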