
I am working with Nginx and Certbot, I have secured a domain with HTTPS. I would like to get the domain up to TLS 1.3.

The Nginx server block for my domain gets its SSL protocols from the included file Certbot creates.

The file /etc/letsencrypt/options-ssl-nginx.conf states that if I modify the file Certbot will be unable to automatically provide security updates.

I want to modify the file's ssl_protocols line by adding TLSv1.3 to the end, but I do not want to break certbot's automatic updates.

Is it possible to tell certbot to enable TLS 1.3?

Software Versions

  • Nginx 1.14.0
  • OpenSSL 1.1.1
  • Certbot 0.31.0
  • Ubuntu 18.04
Norman Potts
    I don't use or recommend certbot's nginx plugin. I prefer to do it standalone and write the nginx config (correctly) myself. [Here is a working sample configuration.](https://serverfault.com/a/896555/126632) – Michael Hampton Jun 25 '20 at 16:37
  • Well I added TLSv1.3 to the ssl_protocols line in that file anyway. Ssllabs.com states that TLS 1.3 is enabled. I'm just concerned that I will miss important security updates from certbot. – Norman Potts Jun 25 '20 at 16:38
  • @Michael Hampton are you saying you get the cert with the `certbot certonly --webroot` command, and write the configuration yourself with the example content? Assuming I used the `certbot --nginx` command, I should be able to rewrite my configuration to match your example, right? – Norman Potts Jun 25 '20 at 16:45
  • Yes, you could rewrite the configuration. You'd also want to rewrite the configuration in `/etc/letsencrypt/renewal/whatever.conf`. – Michael Hampton Jun 25 '20 at 16:47
  • Go to https://www.nginxconfig.io Buy someone a coffee for this amazing tip. – suchislife Jun 26 '20 at 21:35

1 Answer


If you install an updated version of Certbot, you will have TLS 1.3 enabled by default. Snap is the best way to install Certbot (more instructions here: https://certbot.eff.org/).

# These instructions work for Ubuntu 18.04 and Ubuntu 20.04
# First make sure no other certbot package is installed
sudo apt-get remove certbot -y < /dev/null
# Install Certbot via Snap packaging
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot

Later, run Certbot however you want:

sudo certbot --nginx -d yourdomain.com --agree-tos -m youremail@example.com --redirect

Or

sudo certbot certonly --nginx -d yourdomain.com --agree-tos -m youremail@example.com --redirect

Or

sudo certbot certonly --webroot -w /var/www/yourdomain.com/public_html -d yourdomain.com
JorgeM
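Since the question is really about where the effective `ssl_protocols` directive comes from (the certbot-managed include file, not the server block), the script below is an added example, not code from the question or the answer, that follows the `include` from a server block to the options file, reports which file defines `ssl_protocols`, and flags a configuration that lacks TLSv1.3 or still enables TLSv1/TLSv1.1. All paths and file contents are constructed for the demo (an "old" options file without TLSv1.3 and a "new" one with it); the function names `ssl_protocols_sources`, `effective_ssl_protocols` and `check_tls13` are mine, and only absolute include paths are resolved, which is what certbot writes.

```shell
#!/bin/sh
# Added example, not code from the question or the answer above.
# Follows the "include" in an nginx server block to the certbot-managed
# options file and reports the ssl_protocols the block really ends up with,
# so the managed file can be checked without being edited by hand.
# Every path and file body here is constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for an older certbot options file (no TLSv1.3,
# legacy TLSv1/TLSv1.1 still on). Not a copy of any real certbot release.
cat > "$WORK/options-ssl-nginx-old.conf" <<'EOF'
# managed by certbot: do not edit by hand (constructed comment)
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers off;
EOF

# Constructed stand-in for an options file written by an updated certbot.
cat > "$WORK/options-ssl-nginx-new.conf" <<'EOF'
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
EOF

# Two constructed server blocks that differ only in which options file they include.
for v in old new; do
cat > "$WORK/$v-site.conf" <<EOF
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    include $WORK/options-ssl-nginx-$v.conf;
}
EOF
done

# Print "<defining file><TAB><protocols>" for every ssl_protocols directive
# reachable from $1, recursing into absolute "include" paths. Comments are
# stripped first. "$1" is used throughout (not a variable) so the recursive
# call cannot clobber the caller's file name.
ssl_protocols_sources() {
    sed -e 's/#.*$//' "$1" | while IFS= read -r line; do
        case $line in
            *"include "*)
                inc=$(printf '%s\n' "$line" | sed -e 's/^[[:space:]]*include[[:space:]]*//' -e 's/;.*$//')
                if [ -f "$inc" ]; then ssl_protocols_sources "$inc"; fi
                ;;
            *"ssl_protocols "*)
                printf '%s\t%s\n' "$1" \
                    "$(printf '%s\n' "$line" | sed -e 's/^[[:space:]]*ssl_protocols[[:space:]]*//' -e 's/;.*$//')"
                ;;
        esac
    done
}

# Just the protocol list, space separated, e.g. "TLSv1.2 TLSv1.3".
effective_ssl_protocols() {
    ssl_protocols_sources "$1" | cut -f2 | tr '\n' ' ' | sed 's/ $//'
}

# Print "ok" (status 0) when TLSv1.3 is enabled, "missing" (status 1) otherwise;
# deprecated TLSv1/TLSv1.1 are reported on stderr either way.
check_tls13() {
    protos=" $(effective_ssl_protocols "$1") "
    for p in TLSv1 TLSv1.1; do
        case $protos in *" $p "*) echo "warning: deprecated $p enabled in $1" >&2 ;; esac
    done
    case $protos in
        *" TLSv1.3 "*) echo ok ;;
        *) echo missing; return 1 ;;
    esac
}

for conf in "$WORK/old-site.conf" "$WORK/new-site.conf"; do
    echo "== $conf"
    ssl_protocols_sources "$conf"      # shows the directive lives in the certbot file
    check_tls13 "$conf" || echo "TLS 1.3 missing: update certbot so it rewrites its options file"
done

# After reloading nginx, confirm from outside with a TLS 1.3-only handshake (not run here):
#   openssl s_client -connect example.com:443 -tls1_3 </dev/null 2>/dev/null | grep 'Protocol *:'
```

The source column is the useful part for this question: when it points at the certbot-managed options file, the right fix is the one in the answer (let an updated certbot rewrite that file) rather than a manual edit that certbot will later refuse to maintain.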