Remove TLSv1.0 from certbot version in nginx on macOS

  • TLSv1.0 is defined in my nginx /etc/letsencrypt/options-ssl-nginx.conf:
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1440m;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
  • Now I do not want to use TLSv1.0! What can I do to make this change?

My web server is (include version): nginx/1.15.6

The operating system my web server runs on is (include version): macos

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.27.1

2 Likes

If you read the entire first paragraph, you will see that it isn't totally catastrophic to edit that file.
It isn't recommended but you seem to be forced into doing so.
What is the downside?
Well you would have to pay attention to the log file error messages on each renewal after certbot has been updated.
But judging from the certbot version running ("0.27.1"), that doesn't seem to happen all that often.
[and is already a bit behind the times - perhaps the newer version of certbot will install a file that has TLSv1.0 (&1.1) already disabled]

To get you where you want to be, just edit and change:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
TO:
ssl_protocols TLSv1.2;

OR

Upgrade certbot and see what the newest version brings [recommended]

3 Likes

Thank you!

Any documentation/steps/commands to upgrade certbot?

Also, if I go on with the first option.. what would I have to do specifically after every upgrade?

2 Likes

You could simply check the contents of the up-to-date file.
As described in the error message in the logs:

OR

Just search the entire directory for that setting with:
grep -Ri ssl_protocols /etc/letsencrypt/

3 Likes

Thanks... I appreciate your help!
Also, what about the certbot upgrade? how can I do that?

1 Like

There may be instructions at

that are applicable to your operating system and could help you get a newer version.

3 Likes

Yes, I have seen this.. but I want to make an upgrade, not install a new one. The doc gives steps for the new installation of certbot and I don't need that.

1 Like

The how-to makes use of Homebrew, so you could find generic information about updating packages on the Homebrew site: FAQ — Homebrew Documentation

Even in the current "old" configuration file, only TLSv1.2 is used:

(v1.11.0 is the current Homebrew stable version.)

3 Likes

I changed my file to use this certbot old conf.. but after running the SSL Labs test I still see that TLSv1.0 is running? Do I need to run any specific commands once I edit the file so it updates the TLS?

1 Like

Have you restarted your server? A restart will use your conf file and should only use TLSv1.2.

3 Likes

To execute @JimPas's excellent suggestion:

sudo nginx -s reload

3 Likes

Certbot has a post-renewal hook you can use. Just create a script that uses "sed" to change the config line, then restart nginx. Call that script using the hook.

sed -i '' 's|ssl_protocols TLSv1 TLSv1.1 TLSv1.2;|ssl_protocols TLSv1.2;|g' <path/to/config>
systemctl restart nginx.service
4 Likes
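A fuller version of that hook idea, added here as an example (not code from the thread or from Certbot): it rewrites every ssl_protocols directive under the given directory to TLSv1.2 only, writing through a temp file instead of the BSD-only sed -i '' so it works with both macOS and GNU sed, and then has nginx validate the config before reloading it. The directory argument, function names and the assumption that it is wired up with certbot's --deploy-hook are mine.

```shell
#!/bin/sh
# Added example (not from the thread or Certbot): re-apply the TLSv1.2-only
# setting after each renewal, e.g. via `certbot renew --deploy-hook <this script>`.
# Directory argument, function names and the hook wiring are assumptions.
set -eu

# Rewrite any ssl_protocols directive so only TLSv1.2 is offered. Writes to a
# temp file and renames it, which works with both BSD (macOS) and GNU sed,
# unlike the BSD-only `sed -i ''` form.
disable_old_tls() {
    conf="$1"
    tmp="$conf.tmp.$$"
    sed 's/^[[:space:]]*ssl_protocols[[:space:]].*;/ssl_protocols TLSv1.2;/' "$conf" > "$tmp"
    mv "$tmp" "$conf"
}

# Print the protocol list a config file still declares (the same check as
# `grep -Ri ssl_protocols /etc/letsencrypt/`, reduced to the directive's value).
list_protocols() {
    grep -h '^[[:space:]]*ssl_protocols' "$1" \
        | sed 's/^[[:space:]]*ssl_protocols[[:space:]]*//; s/;.*$//'
}

# Hook entry point: fix every .conf under the given directory, then have nginx
# validate the result before reloading (a bad config must not take the site down).
main() {
    find "$1" -name '*.conf' -exec grep -l 'ssl_protocols' {} + \
        | while IFS= read -r f; do disable_old_tls "$f"; done
    nginx -t
    nginx -s reload
}

# Offline demonstration on a constructed copy of the directive from the thread.
demo() {
    f=$(mktemp)
    printf 'ssl_session_timeout 1440m;\nssl_protocols TLSv1 TLSv1.1 TLSv1.2;\nssl_prefer_server_ciphers on;\n' > "$f"
    disable_old_tls "$f"
    list_protocols "$f"
    rm -f "$f"
}

if [ "$#" -gt 0 ]; then main "$1"; else demo; fi
```

Run it with no arguments to see the rewrite on the sample directive; pass the config directory (for example /etc/letsencrypt) when invoking it as the hook.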

@Ruaphoc your solution, although technically correct, seems to require a certain level of expertise - that might not be suitable for the average "novice" that comes here looking for help.

In other words, if they are fully capable of even understanding that command, then they have probably already resolved this type of problem [in one of many ways].

[Don't get me wrong, I like the answer and I "liked" your post...]

3 Likes

That's no different than just editing the file once manually. Because after running the sed command once, certbot will ignore the file if it gets updated upstream, because it isn't the same any longer compared to the original. It doesn't matter if it was vim, nano or sed that did the editing.

2 Likes