
I am working with Nginx and Certbot, and I have secured a domain with HTTPS. I would like to get the domain up to TLS 1.3.

The Nginx server block for my domain gets its SSL protocols from the included file Certbot creates.

The file /etc/letsencrypt/options-ssl-nginx.conf states that if I modify the file Certbot will be unable to automatically provide security updates.

I want to modify the file's ssl_protocols line by adding TLSv1.3 to the end, but I do not want to break certbot's automatic updates.

Is it possible to tell certbot to enable TLS 1.3?

Software Versions

  • Nginx 1.14.0
  • OpenSSL 1.1.1
  • Certbot 0.31.0
  • Ubuntu 18.04
Norman Potts

2 Answers


If you install an updated version of Certbot you will have TLS 1.3 enabled by default, Snap is the best way to install Certbot (More instructions here: https://certbot.eff.org/).

# These instructions work for Ubuntu 18.04 and Ubuntu 20.04
# First make sure no other Certbot package is installed
sudo apt-get remove certbot -y < /dev/null
# Install Certbot via Snap packaging
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot

Later, run Certbot the way you want:

sudo certbot --nginx -d yourdomain.com --agree-tos -m youremail@example.com --redirect

Or

sudo certbot certonly --nginx -d yourdomain.com --agree-tos -m youremail@example.com --redirect

Or

sudo certbot certonly --webroot -w /var/www/yourdomain.com/public_html -d yourdomain.com
JorgeM

Nginx/Ubuntu doesn't support TLSv1.3 at the SSL library level, so you would need to rebuild the whole SSL stack and compile everything from source. Ubuntu 18.04 ships with OpenSSL 1.1.0. Replacing the system OpenSSL library isn't a good idea, but you can download the OpenSSL 1.1.1 source code and compile Nginx against it to enable TLS 1.3.

Certbot supports TLS 1.3 with the most recent version when Nginx and OpenSSL support it: https://github.com/certbot/certbot/issues/6367#issuecomment-601937964

Turdie
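The question above worries about the ssl_protocols line in Certbot's options-ssl-nginx.conf, and the answer above points at the OpenSSL build nginx is linked against as the real gate. The script below is an added example, not code from any post in this thread or from the Certbot project: it checks both conditions offline from a captured `nginx -V` banner and the contents of the options file, using constructed sample inputs, and keeps a separate live probe built on `openssl s_client -tls1_3` for confirming the result against a running server. All function names and sample values are hypothetical.

```shell
#!/bin/sh
# Added example (not from the posts above): decide whether an nginx host can
# negotiate TLS 1.3 from the two inputs this thread argues about:
#   1. the `nginx -V` banner, i.e. which OpenSSL nginx was built against, and
#   2. the ssl_protocols directive in Certbot's options-ssl-nginx.conf.
# Function and sample names are hypothetical; all sample inputs are constructed.

# Constructed `nginx -V` banner for a build against OpenSSL 1.1.1
# (nginx -V writes to stderr; capture it with: nginx -V 2>&1)
SAMPLE_NGINX_V='nginx version: nginx/1.14.0 (Ubuntu)
built with OpenSSL 1.1.1  11 Sep 2018
TLS SNI support enabled
configure arguments: --with-http_ssl_module'

# Constructed banner for the OpenSSL 1.1.0 case described in the second answer
SAMPLE_NGINX_V_OLD='nginx version: nginx/1.14.0 (Ubuntu)
built with OpenSSL 1.1.0g  2 Nov 2017
TLS SNI support enabled'

# Constructed options file in the shape older Certbot releases wrote (no TLSv1.3)
SAMPLE_OPTIONS_OLD='ssl_session_cache shared:le_nginx_SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;'

# Constructed options file in the shape a newer Certbot writes (TLSv1.3 listed)
SAMPLE_OPTIONS_NEW='ssl_session_cache shared:le_nginx_SSL:10m;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;'

# openssl_supports_tls13 BANNER -> 0 when "built with OpenSSL x.y.z" is >= 1.1.1,
# the first OpenSSL release that implements TLS 1.3
openssl_supports_tls13() {
    fields=$(printf '%s\n' "$1" \
        | sed -n 's/^built with OpenSSL \([0-9]*\)\.\([0-9]*\)\.\([0-9]*\).*/\1 \2 \3/p' \
        | head -n 1)
    [ -n "$fields" ] || return 1
    set -- $fields                      # $1=major $2=minor $3=patch (letter suffix dropped)
    [ "$1" -gt 1 ] && return 0
    [ "$1" -eq 1 ] && [ "$2" -gt 1 ] && return 0
    [ "$1" -eq 1 ] && [ "$2" -eq 1 ] && [ "$3" -ge 1 ] && return 0
    return 1
}

# config_enables_tls13 CONF -> 0 when an uncommented ssl_protocols directive lists TLSv1.3
config_enables_tls13() {
    printf '%s\n' "$1" \
        | grep -E '^[[:space:]]*ssl_protocols[[:space:]]' \
        | grep -Eq '(^|[[:space:]])TLSv1\.3([[:space:]]|;)'
}

# tls13_ready BANNER CONF -> 0 only when both gates pass; explains the failing one otherwise
tls13_ready() {
    if ! openssl_supports_tls13 "$1"; then
        echo "nginx is linked against an OpenSSL older than 1.1.1: upgrade or rebuild nginx first"
        return 1
    fi
    if ! config_enables_tls13 "$2"; then
        echo "ssl_protocols does not list TLSv1.3: a newer Certbot rewrites options-ssl-nginx.conf with it"
        return 1
    fi
    echo "TLS 1.3 can be negotiated"
    return 0
}

# probe_tls13_live HOST -> 0 when a real handshake with the server completes on TLS 1.3.
# Needs network access and an OpenSSL >= 1.1.1 client; not run in the demo below.
probe_tls13_live() {
    openssl s_client -connect "$1:443" -servername "$1" -tls1_3 </dev/null 2>/dev/null \
        | grep -q 'Protocol *: TLSv1\.3'
}

# Stand-alone demo over the constructed samples
tls13_ready "$SAMPLE_NGINX_V_OLD" "$SAMPLE_OPTIONS_NEW" || true
tls13_ready "$SAMPLE_NGINX_V" "$SAMPLE_OPTIONS_OLD" || true
tls13_ready "$SAMPLE_NGINX_V" "$SAMPLE_OPTIONS_NEW"
```

On a real host, feed `tls13_ready "$(nginx -V 2>&1)" "$(cat /etc/letsencrypt/options-ssl-nginx.conf)"` and, once both gates pass and nginx has been reloaded, confirm with `probe_tls13_live yourdomain.com`. The version check deliberately ignores the letter suffix (1.1.0g, 1.1.1k) because TLS 1.3 support is decided by the numeric release line, not the patch letter.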