System Administration & Network Administration
nginx ssl certbot
Updated Wed, 22 Jun 2022 12:29:26 GMT

TLS v1.3 not active despite being enabled in NGINX config (certbot --nginx)


I recently set up a site with certbot --nginx -d <domain>. In /etc/letsencrypt/options-ssl-nginx.conf, I added TLSv1.3 to the ssl_protocols directive. However, when I visit the site (Chrome 68), the security tab shows TLSv1.2. I tested the site with ssllabs.com, which also showed only TLS versions 1.0-1.2 enabled.

I don't see any errors in journalctl -u nginx.service | grep -i tls or grep -i tls /var/log/nginx/*.log.

How could I troubleshoot this issue? I've checked all my config files and all my log files and haven't found the source of (or any information about) the problem.

Software info:

  • certbot 0.23.0
  • nginx version: nginx/1.14.0 (Ubuntu)
  • OpenSSL 1.1.0g 2 Nov 2017
  • Ubuntu 18.04
  • Linux 4.15.0-20-generic x86_64

Site config (generated by certbot): https://hastebin.com/oragojozol.nginx

/etc/letsencrypt/options-ssl-nginx.conf: https://hastebin.com/cepalomisi.nginx




Solution

OpenSSL 1.1.0g 2 Nov 2017

I did not even look at the rest of what you are doing, but OpenSSL 1.1.0 simply does not support TLS 1.3 yet. TLS 1.3 is supported starting with OpenSSL 1.1.1 only. See Using TLS1.3 With OpenSSL for more information.





Comments (3)

  • +0 – Ah, the one thing I didn't double-check. Thanks very much — May 20, 2018 at 04:15  
  • +0 – I have the same issue but I am using the latest versions: nginx version: nginx/1.15.8 built by gcc 8.2.0 (Alpine 8.2.0) built with OpenSSL 1.1.1a 20 Nov 2018 — Feb 01, 2019 at 13:53
  • +0 – @simbolo: What you have is obviously a different question which needs a different answer. New questions should be asked as actual questions and not as a comment to an existing question or answer. — Feb 01, 2019 at 14:02
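
The version check from the answer, written as a script over `nginx -V` output. This is an added example, not part of the original thread; the function names are hypothetical, the sample inputs are constructed from the versions quoted above, and treating a mixed build/runtime pair as unsupported is a conservative assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# On a live host: nginx -V 2>&1 | tls13_capable

# Succeeds if an OpenSSL version string (e.g. "1.1.0g") is 1.1.1 or later.
openssl_has_tls13() {
    printf '%s\n' "$1" | awk -F. '{
        sub(/[^0-9.].*$/, "")            # drop patch letter: 1.1.0g -> 1.1.0
        if ($1 !~ /^[0-9]+$/) exit 2     # not a version number
        n = $1 * 1000000 + $2 * 1000 + $3
        exit (n >= 1001001 ? 0 : 1)      # 1001001 encodes 1.1.1
    }'
}

# Reads `nginx -V` output on stdin and prints "<role> <version>" for the
# OpenSSL nginx was built with and, if reported, the one it is running with.
nginx_openssl_versions() {
    grep -oE '(built|running) with OpenSSL [0-9][0-9a-z.]*' | awk '{print $1, $4}'
}

# Prints a verdict per library. Returns 0 only if every reported version is
# 1.1.1+ (a conservative assumption for the mixed case), 2 if none was found.
tls13_capable() {
    versions=$(nginx_openssl_versions)
    [ -n "$versions" ] || { echo "no OpenSSL version in input" >&2; return 2; }
    result=0
    while read -r role ver; do
        if openssl_has_tls13 "$ver"; then
            echo "$role with OpenSSL $ver: TLS 1.3 available"
        else
            echo "$role with OpenSSL $ver: no TLS 1.3, needs 1.1.1 or later"
            result=1
        fi
    done <<EOF
$versions
EOF
    return "$result"
}

# Constructed `nginx -V` excerpts using the versions quoted on this page.
SAMPLE_QUESTION='nginx version: nginx/1.14.0 (Ubuntu)
built with OpenSSL 1.1.0g  2 Nov 2017'
SAMPLE_COMMENT='nginx version: nginx/1.15.8
built by gcc 8.2.0 (Alpine 8.2.0)
built with OpenSSL 1.1.1a  20 Nov 2018'
# Constructed mixed case: built against 1.1.0g, newer library at run time.
SAMPLE_MIXED='built with OpenSSL 1.1.0g  2 Nov 2017 (running with OpenSSL 1.1.1  11 Sep 2018)'

printf '%s\n' "$SAMPLE_QUESTION" | tls13_capable || true
```

A passing result only shows the library can negotiate TLS 1.3; the `ssl_protocols` directive in the active server block still has to list TLSv1.3.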