Restrict supported ciphers

My domain is: *
I ran this command to generate the cert: ./certbot-auto certonly --manual --preferred-challenges=dns --agree-tos -d * -d
I can login to a root shell on my machine (yes or no, or I don’t know): no
I’m using a control panel to manage my site: No
The version of my client is: certbot 0.28.0

How can we remove the support for below ciphers from our lets encrypt certificate:

  • AES128-SHA (TLSv1.2)
  • AES128-SHA256 (TLSv1.2)
  • AES256-SHA (TLSv1.2)
  • AES256-SHA256 (TLSv1.2)
  • ECDHE-RSA-AES128-SHA (TLSv1.2)
  • ECDHE-RSA-AES128-SHA256 (TLSv1.2)
  • ECDHE-RSA-AES256-SHA (TLSv1.2)
  • ECDHE-RSA-AES256-SHA384 (TLSv1.2)
1 Like

You can't in the way you want, because the cipher suite possibilities is mostly managed by the webserver, not by the certificate. The only difference a certificate can make, is the algorithm for the private key, which will determine the authentication algorithm (e.g., RSA or ECDSA).


Query that with "on apache" or "on nginx" (or whichever web server used) and you can probably find a good "how to" online.


If you’re using Certbot’s Apache or Nginx plugins to configure your web server, newer versions of Certbot use a more modern configuration. What OS are you using? Can you upgrade Certbot?


Hi mnordhoff,

Thanks for your reply.
We are using manual plugin because we need the certificate not on the machine running certbot but on a public load balancer to perform domain validation.

Our machine running certbot is Ubuntu 16.04 Server and we can upgrade Certbot that helps to solve the purpose.


Is the load balancer also the TLS termination point? Or does it forward the TLS connection encrypted to the webservers, which do the TLS termination? It is the machine which will be the TLS endpoint where you should change the TLS cipher suite settings.

1 Like

Added :cake: on :turkey: day!
Happy anniversary @Osiris !

1 Like

In our case TLS connection is getting terminated at Cloudflare Global Load Balancer provided by IBM Cloud. It doesn’t allow the functionality to restrict ciphers.

Then the only way to change the ciphers is to change the TLS termination endpoint. If that isn't possible, it isn't possible to change the ciphers either.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.