Multiple .conf confusion- SSL Labs Grade B help wanted

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: SSL Server Test

It produced this output: This server supports TLS 1.0 and TLS 1.1. Grade capped to B.

My web server is (include version): nginx

The operating system my web server runs on is (include version): Ubuntu 20.10 server

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.17.0

Trying to understand how I can restrict my server to just TLS 1.2 and TLS 1.3. There are multiple files that seem to play a role in SSL configuration, so I'm not sure what needs updated. I have server.conf, options-ssl-nginx.conf, nginx.conf, and ssl-params.conf all of which mention SSL to some degree. nginx -t gave messages duplicate value "TLSv1.3" in /etc/nginx/snippets/ssl-params.conf:1 and "ssl_ciphers" directive is duplicate in /etc/nginx/snippets/ssl-params.conf:2 but commented out what appeared to be duplicate entries. Now nginx -t gives ok and successful but I still get the B from SSL labs.

1 Like

Hi @thelonghop, and welcome to the LE community forum :slight_smile:

Unfortunately, your current issue has nothing to do with this forum.
You are not having an issue with a supported ACME client nor an LE certificate.
[Unless you are talking about another FQDN] is behind Cloudflare CDN.
The certificate seen in use now is from Cloudflare.
The settings to enable/disable TLSv1.0 or 1.1 would only be configurable via Cloudflare control panel.

Addresses: 2606:4700:3031::6815:3ebf

See: SSL Server Test: (Powered by Qualys SSL Labs)


Thank you @rg305 I'll look into that. I thought it might related to a setting in the conf files and figured this place would know best what those settings should be. Thanks again, I'll check over there.


It definitely is - just not likely within your servers' configs.
[I'm not a Cloudflare expert but that is a very big business with many users - your answer must be easy to find]

There are a lot of experts here and many may know an answer to your question, but this is not the right place to look for answers to such a vendor specific question:
How can I disable TLSv1.0 in Cloudflare?
Bing returned:

So they have a community too!


Yeah, I had to do some searching but found the setting to set the minimum TLS level. Thanks for the help. Please delete this thread if you can!


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.