After setting up letsencrypt on a server that serves websites with nginx, it created the following lines in my domain's config file:
listen 443 ssl http2; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/redacted.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/redacted.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
One of my sites needs TLSv1 because of some old Android apps, but the default configuration letsencrypt specifies doesn't include it. So I commented out the include line above, copied the contents of options-ssl-nginx.conf into the file, and modified ssl_protocols to include TLSv1:
listen 443 ssl http2; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/redacted.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/redacted.com/privkey.pem; # managed by Certbot
#include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_protocols TLSv1 TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
However, after restarting/reloading nginx, the server ignores the changes I made above and still doesn't support TLSv1.
If I edit the options-ssl-nginx.conf file itself to include TLSv1, it works. But then all the other sites are affected, and I only want to apply it to one site. Also, the changes to that file get wiped out whenever the SSL certificate is auto-renewed.