NGINX SSL – How to Activate TLS v1.3 with Certbot

Tags: certbot, nginx, ssl

I recently set up a site with certbot --nginx -d <domain>. In /etc/letsencrypt/options-ssl-nginx.conf, I added TLSv1.3 to the ssl_protocols directive. However, when I visit the site (Chrome 68), the security tab shows TLSv1.2. I tested the site with ssllabs.com, which also showed only TLS versions 1.0-1.2 enabled.

I don't see any errors in journalctl -u nginx.service | grep -i tls or grep -i tls /var/log/nginx/*.log.

How could I troubleshoot this issue? I've checked all my config files and all my log files and haven't found the source of (or any information about) the problem.

Software info:

  • certbot 0.23.0
  • nginx version: nginx/1.14.0 (Ubuntu)
  • OpenSSL 1.1.0g 2 Nov 2017
  • Ubuntu 18.04
  • Linux 4.15.0-20-generic x86_64

Site config (generated by certbot): https://hastebin.com/oragojozol.nginx

/etc/letsencrypt/options-ssl-nginx.conf: https://hastebin.com/cepalomisi.nginx

Best Answer

OpenSSL 1.1.0g 2 Nov 2017

I did not even look at the rest of what you are doing, but OpenSSL 1.1.0 simply does not support TLS 1.3 yet. TLS 1.3 is supported starting with OpenSSL 1.1.1 only. See Using TLS1.3 With OpenSSL for more information.
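The check the answer implies can be scripted. The following is an added example, not part of the original question or answer: it reads `nginx -V` output and reports whether the OpenSSL library nginx uses is 1.1.1 or later. The function names and the two sample outputs are constructed for illustration, using the nginx and OpenSSL versions quoted in the question.

```shell
#!/bin/sh
# Added example (not from the original post). Input is the text of `nginx -V 2>&1`.

# Print the OpenSSL version nginx uses: the "running with" version when nginx
# reports one (library upgraded after the build), else the "built with" one.
nginx_openssl_version() {
    sed -n -e 's/^built with OpenSSL .*(running with OpenSSL \([^ )]*\).*/\1/p' \
           -e t \
           -e 's/^built with OpenSSL \([^ ]*\).*/\1/p' | head -n 1
}

# Return 0 if the OpenSSL version is 1.1.1 or later, 1 if older,
# 2 if the string is not a dotted numeric version.
openssl_supports_tls13() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
    case "$rest" in *.*) patch=${rest#*.} ;; *) patch=0 ;; esac
    patch=${patch%%[!0-9]*}            # drop suffixes such as the "g" in 1.1.0g
    case "$major.$minor.$patch" in
        *[!0-9.]*|.*|*..*|*.) return 2 ;;
    esac
    if [ "$major" -gt 1 ]; then return 0; fi
    if [ "$major" -eq 1 ] && [ "$minor" -eq 1 ] && [ "$patch" -ge 1 ]; then return 0; fi
    return 1
}

# Read `nginx -V` text on stdin and print a one-line verdict.
check_nginx_tls13() {
    ver=$(nginx_openssl_version)
    if [ -z "$ver" ]; then
        echo "no OpenSSL version found in nginx -V output"
    elif openssl_supports_tls13 "$ver"; then
        echo "OpenSSL $ver: TLSv1.3 in ssl_protocols can take effect"
    else
        echo "OpenSSL $ver: TLSv1.3 in ssl_protocols has no effect (need 1.1.1+)"
    fi
}

# Constructed sample outputs (real use: nginx -V 2>&1 | check_nginx_tls13).
SAMPLE_BUILT='nginx version: nginx/1.14.0 (Ubuntu)
built with OpenSSL 1.1.0g  2 Nov 2017
TLS SNI support enabled'
SAMPLE_RUNNING='nginx version: nginx/1.14.0 (Ubuntu)
built with OpenSSL 1.1.0g  2 Nov 2017 (running with OpenSSL 1.1.1  11 Sep 2018)
TLS SNI support enabled'

printf '%s\n' "$SAMPLE_BUILT"   | check_nginx_tls13
printf '%s\n' "$SAMPLE_RUNNING" | check_nginx_tls13
```

The script only inspects the library version; a handshake test against the live server is still the way to confirm which protocol is actually negotiated.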