and it produced this output: An unexpected error occurred: requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLError(1, '[SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:1123)')))
Certbot's behavior differed from what I expected because these directives has been added to the OpenSSL config file (/etc/ssl/openssl.cnf) before:
While I'm not from the LE staff, I'm wondering why TLS 1.3 isn't enabled indeed, as the API endpoints are behind the Cloudflare CDN and Cloudflare has adopted TLS 1.3 already.
Maybe it's as simple as to hit the toggle switch by a Let's Encrypt engineer?
I am curious though: why only TLS 1.3? Wouldn't that hamper your connectivity to other sites beside Let's Encrypt as well? TLS 1.2 should also be safe enough (for now).
I don't know for sure, but I think Let's Encrypt might be terminating TLS themselves, and Cloudflare is only acting as a TCP tunnel.
There's a few tell tales, like the missing Server header and a noticeable handshake delay when connecting from where I live, that doesn't happen when Cloudflare is terminating the connection locally.
This is my personal private DNS server with NGINX reverse proxy (DNS-over-HTTPS). It is important to me that it is strict TLS 1.3. Everything is already working fine, except for the function of issuing and renewing an SSL certificate through Certbot.
I like your suggestion to use Cloudflare for LE endpoint. This is the fastest and easiest way for LE engineers to solve all such problems at once. Thank you so much!
RootCAs: rootCAs,
ClientCAs: rootCAs,
ClientAuth: tls.RequireAndVerifyClientCert,
Certificates: []tls.Certificate{cert},
// Set the only acceptable TLS version to 1.2 and the only acceptable cipher suite
// to ECDHE-RSA-CHACHA20-POLY1305.
MinVersion: tls.VersionTLS12,
MaxVersion: tls.VersionTLS12,
CipherSuites: []uint16{tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305},
}, nil