More limited options-ssl-nginx.conf file

The options-ssl-nginx.conf file found in /etc/letsencrypt has a comment at the top that says: "This file contains important security parameters. If you modify this file manually, Certbot will be unable to automatically provide future security updates."

The nginx settings that are included in this file are:

  • ssl_session_cache
  • ssl_session_timeout
  • ssl_session_tickets off
  • ssl_protocols
  • ssl_prefer_server_ciphers
  • ssl_ciphers

I like having LE manage security by automatically removing weak protocols and ciphers, but I want to specify different values for some of the parameters that are included in options-ssl-nginx.conf. I tried creating my own config file and including it in the nginx server block after the options-ssl-nginx.conf include statement (so that I didn't have to touch the options-ssl-nginx.conf file), but nginx -t generates an error for the parameters that are the same in both files. I would like to see LE only manage the following items in options-ssl-nginx.conf so that LE can handle security automatically but I can manage the other settings:

  • ssl_protocols
  • ssl_ciphers

Welcome to the Let's Encrypt Community :slightly_smiling_face:

@certbot-devs

Any thoughts here?

1 Like

@griffin This is a nginx issue, not a certbot issue. I'm sure we shouldn't bother the certbot devs with non-certbot-related questions, especially when we can ask for more details first too.

For example, I would like to see the exact error presented by nginx and the actual lines of nginx config typed by @tonoloway_le

1 Like

While the nginx test command generates the error, I would not say that this is an "nginx issue". My take is that the nginx settings currently included in /etc/letsencrypt/options-ssl-nginx.conf are too broad and include items not related to security but rather performance. I think the nginx settings in this file should be limited to items having to do with security, since that's what the comment at the top of the file references. Alternatively, if LE wants to keep the same nginx settings in this file, then perhaps LE should only update the two settings I mentioned and, accordingly, state more specifically in the message at the top that these two cannot be maintained automatically by LE if they are changed. This latter option would allow me to place my desired settings in the options-ssl-nginx.conf file.

To be clear, the ssl.conf was fully, 200 % out of the box from your nginx package? Nothing manually added?

No, ssl.conf in /etc/nginx/snippets is not created by nginx, it is the config file created by me. I have included it in the vhost file AFTER /etc/letsencrypt/options-ssl-nginx.conf so that, hopefully, any settings in it that duplicate settings in options-ssl-nginx.conf would override the same settings in the automatically maintained /etc/letsencrypt/options-ssl-nginx.conf file.
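The collision described in this thread (a local /etc/nginx/snippets/ssl.conf included after the certbot-managed options-ssl-nginx.conf, with `nginx -t` rejecting the directives that appear in both) can be spotted before touching nginx at all. The following script is an added example, not code from the thread or from certbot; it lists the directive names declared in each fragment and prints the intersection. The directive names match the list given earlier in the thread, but the file contents and values it writes are constructed stand-ins, not certbot's real file.

```shell
#!/bin/sh
# Added example, not from the thread: find nginx directives that a locally
# maintained override snippet (for example /etc/nginx/snippets/ssl.conf) declares
# a second time after the certbot-managed options-ssl-nginx.conf include, which
# is what makes `nginx -t` fail with a duplicate-directive error. The file
# contents written below are constructed stand-ins, not certbot's real file.

# List the directive names declared in one nginx config fragment, one per line,
# sorted and de-duplicated. Comments are stripped; only the first word of each
# statement is kept, so a value continued across several lines would add bogus
# names (certbot's fragment keeps each directive on one line).
directive_names() {
  sed -e 's/#.*$//' -e 's/^[[:space:]]*//' "$1" \
    | awk 'NF { sub(/;$/, "", $1); print $1 }' \
    | LC_ALL=C sort -u
}

# Print every directive name that both fragments declare. Empty output means the
# two files can be included in the same server block without a collision.
duplicate_directives() {
  managed="$1"
  override="$2"
  a=$(mktemp) && b=$(mktemp) || return 1
  directive_names "$managed" > "$a"
  directive_names "$override" > "$b"
  LC_ALL=C comm -12 "$a" "$b"
  rm -f "$a" "$b"
}

# Write two constructed sample fragments into a temp directory and print its path.
make_samples() {
  dir=$(mktemp -d) || return 1
  cat > "$dir/options-ssl-nginx.conf" <<'EOF'
# constructed stand-in for the certbot-managed file; values are placeholders
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "PLACEHOLDER-CIPHER-LIST";
EOF
  cat > "$dir/ssl.conf" <<'EOF'
# constructed local override snippet: one colliding directive, one new one
ssl_session_timeout 10m;   # collides with the managed file
ssl_stapling on;           # not in the managed file, so nginx accepts it
EOF
  printf '%s\n' "$dir"
}

# Stand-alone usage: report collisions for the constructed samples.
samples=$(make_samples)
echo "Directives declared in both files:"
duplicate_directives "$samples/options-ssl-nginx.conf" "$samples/ssl.conf"
rm -rf "$samples"
```

Run it against the real files with `duplicate_directives /etc/letsencrypt/options-ssl-nginx.conf /etc/nginx/snippets/ssl.conf`; any name it prints is one nginx will refuse when both fragments are included in the same server block, so the override snippet should carry only directives the managed file does not set. The check compares names only and ignores scope, so a directive legitimately set at the http level and again in a server block is reported even though nginx allows that.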

Ah, OK.

Strangely enough, the nginx documentation about ssl_session_timeout does not mention anything about the fact it can only be declared once in a certain scope.

Not sure how this can be "fixed".

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.