Nginx – enable TLS 1.3 with Certbot

certbot, nginx, ssl

I am working with Nginx and Certbot, I have secured a domain with HTTPS. I would like to get the domain up to TLS 1.3.

The Nginx server block for my domain gets its SSL protocols from the included file Certbot creates.

The file /etc/letsencrypt/options-ssl-nginx.conf states that if I modify the file Certbot will be unable to automatically provide security updates.

I want to modify the file's ssl_protocols line by adding TLSv1.3 to the end, but I do not want to break certbot's automatic updates.

Is it possible to tell certbot to enable TLS 1.3?

Software Versions

  • Nginx 1.14.0
  • OpenSSL 1.1.1
  • Certbot 0.31.0
  • Ubuntu 18.04

Best Answer

If you install an updated version of Certbot, you will have TLS 1.3 enabled by default. Snap is the best way to install Certbot (more instructions here: https://certbot.eff.org/).

# These instructions work for Ubuntu 18.04 and Ubuntu 20.04
# First, make sure there is no other certbot installed (the apt package)
sudo apt-get remove certbot -y < /dev/null
# Install Certbot from the Snap package
sudo snap install --classic certbot
# Put the snap's certbot binary on the default PATH
sudo ln -s /snap/bin/certbot /usr/bin/certbot

Later, run Certbot the way you want:

sudo certbot --nginx -d yourdomain.com --agree-tos -m youremail@example.com --redirect

Or

sudo certbot certonly --nginx -d yourdomain.com --agree-tos -m youremail@example.com --redirect

Or

sudo certbot certonly --webroot -w /var/www/yourdomain.com/public_html -d yourdomain.com
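Before and after upgrading Certbot, it is useful to check which protocols the include file actually enables instead of editing it by hand. The script below is an added example, not part of the question or the answer: it reads the ssl_protocols directive from an Nginx include such as /etc/letsencrypt/options-ssl-nginx.conf and reports whether TLSv1.3 is on and whether the deprecated TLSv1/TLSv1.1 are still on. The two sample files it builds are constructed for the example, one with TLS 1.2 only (the questioner's situation) and one with TLS 1.2 and 1.3.

```shell
#!/bin/sh
# Added example: inspect the ssl_protocols directive of an Nginx include
# without modifying it (modifying Certbot's include breaks its auto-updates).

# Print the protocol list of the first ssl_protocols directive in a file.
# Assumes one directive per file, as in Certbot's options-ssl-nginx.conf.
ssl_protocols_of() {
    sed -n 's/^[[:space:]]*ssl_protocols[[:space:]][[:space:]]*\([^;]*\);.*/\1/p' "$1" \
        | head -n 1
}

# Exit 0 if TLSv1.3 is enabled in the file, 1 otherwise.
has_tls13() {
    case " $(ssl_protocols_of "$1") " in
        *" TLSv1.3 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Exit 0 if a deprecated protocol (TLSv1 or TLSv1.1) is still enabled.
has_legacy_tls() {
    for p in $(ssl_protocols_of "$1"); do
        case "$p" in TLSv1|TLSv1.1) return 0 ;; esac
    done
    return 1
}

# Human-readable summary for one include file.
report() {
    printf '%s: ssl_protocols = %s\n' "$1" "$(ssl_protocols_of "$1")"
    has_tls13 "$1" && echo '  TLSv1.3: enabled' || echo '  TLSv1.3: NOT enabled'
    has_legacy_tls "$1" && echo '  deprecated TLSv1/TLSv1.1 still enabled'
    return 0
}

# Constructed sample files (not real Certbot output): TLS 1.2 only, then 1.2 + 1.3.
OLD_CONF=$(mktemp); NEW_CONF=$(mktemp)
trap 'rm -f "$OLD_CONF" "$NEW_CONF"' EXIT
printf 'ssl_session_cache shared:le_nginx_SSL:10m;\nssl_protocols TLSv1.2;\n' > "$OLD_CONF"
printf 'ssl_protocols TLSv1.2 TLSv1.3;\nssl_prefer_server_ciphers off;\n' > "$NEW_CONF"

report "$OLD_CONF"
report "$NEW_CONF"
# On a live server, run: report /etc/letsencrypt/options-ssl-nginx.conf
# and confirm from outside with: openssl s_client -connect yourdomain.com:443 -tls1_3
```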