Missing file: /etc/letsencrypt/options-ssl-nginx.conf #105

Closed
svenjacobs opened this issue Feb 10, 2022 · 4 comments
Comments

@svenjacobs

Before I found your image I tried to implement nginx + certbot following this guide. The author recommends including the file /etc/letsencrypt/options-ssl-nginx.conf because

The folks at Let’s Encrypt maintain best-practice HTTPS configurations for nginx.

However, when I add include /etc/letsencrypt/options-ssl-nginx.conf; to my server config file in user_conf.d I get the error

docker_nginx_1        | Starting the Nginx service
docker_nginx_1        | Starting the autorenewal service
docker_nginx_1        | 2022/02/10 12:16:23 [emerg] 92#92: open() "/etc/letsencrypt/options-ssl-nginx.conf" failed (2: No such file or directory) in /etc/nginx/conf.d/server.conf:11
docker_nginx_1        | nginx: [emerg] open() "/etc/letsencrypt/options-ssl-nginx.conf" failed (2: No such file or directory) in /etc/nginx/conf.d/server.conf:11

So apparently that file is not provided nor created by certbot?

@JonasAlfredsson
Owner

Hmm, I have not come across that file before, and running find / -name *-ssl-* inside a clean container yields no results.
However, you can find multiple versions of it in their repository: https://github.com/certbot/certbot/tree/master/certbot-nginx/certbot_nginx/_internal/tls_configs

I would probably add this manually, and then make sure you load this before any of your other configuration files.

@svenjacobs
Author

svenjacobs commented Feb 10, 2022

Hi Jonas, thanks for the quick feedback. When searching for options-ssl-nginx.conf I find a lot of sites / tutorials mentioning that file. However, I'm also not sure where the file is coming from or why it's not created. Maybe it's a command line option to certbot? It would be nice if your image created / provided this file.

Quoting StackOverflow:

So this file normally gets created during the certificate installation (or issuing and installation)

@JonasAlfredsson
Owner

I do not see this file at all after installing certbot via pip, so perhaps it is not included there, and there are no obvious indications of additional installation parameters.
The file is also not created after issuing a certificate, but that would not have been a good solution since we would need this file at Nginx startup either way.

People have asked about including additional configuration files before, but I would like to keep this image as close to the parent Nginx image as possible (with the exception of automatic certificate generation). So I do not think it is up to us to provide it to all users, but instead let everyone include whatever they like by themselves.

If it were me that wanted to add this configuration, I would want it prominently displayed in my conf.d/ folder so I know exactly what configuration is currently running on my setup. So I would actually like to suggest you do the same, and name it in such a way that it loads before any of your server declarations.

Furthermore, that config could perhaps be made even more strict:

ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384';
ssl_ecdh_curve secp521r1:secp384r1:prime256v1;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
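The two problems raised in this thread, an include directive pointing at a file nginx cannot open at startup (the [emerg] in the first post) and a TLS snippet whose strictness is worth checking before it goes live (the suggested config directly above), both come down to reading the directives in a config fragment. The following pre-flight linter is an added example written for this page; it is not code from this image, from certbot, or from nginx. The directive parser is deliberately minimal (it ignores block nesting), the baseline rules encode only what this thread discusses (TLS 1.2+, session tickets off, OCSP stapling on), and the config snippets and the temporary directory tree are constructed for the demonstration.

```python
"""Added example: pre-flight checks for an nginx TLS config fragment.

Check 1: every `include` target exists, so nginx will not abort with
         `[emerg] open() ... failed (2: No such file or directory)`.
Check 2: ssl_* directives meet a minimal baseline (TLS 1.2+, no session
         tickets, OCSP stapling enabled and verified).

Constructed for this example; not certbot's or nginx's own code.
"""
import os
import re
import tempfile

# Matches simple `name arg arg;` lines. Block openers (`server {`) and
# closers (`}`) are skipped in parse_directives(); nesting is ignored.
DIRECTIVE_RE = re.compile(r"^\s*([a-z_]+)\s+(.*?)\s*;\s*$")

# Protocol tokens that should never appear in ssl_protocols today.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_directives(text):
    """Return [(name, [args])] for every simple directive in `text`.

    Trailing `#` comments are stripped; quotes around values are removed
    so `ssl_ciphers 'A:B';` yields ("ssl_ciphers", ["A:B"]).
    """
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.endswith("{") or line == "}":
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            name, args = m.groups()
            out.append((name, [a.strip("'\"") for a in args.split()]))
    return out


def missing_includes(text, root="/"):
    """Return include targets that do not exist under `root`.

    `root` is prepended to every target (also absolute ones) so the check
    can run against a staged copy of a container's filesystem; with the
    default "/" it checks the live system. Glob patterns are skipped
    because nginx accepts an include glob that matches nothing.
    """
    missing = []
    for name, args in parse_directives(text):
        if name != "include" or not args:
            continue
        target = args[0]
        if any(ch in target for ch in "*?["):
            continue
        if not os.path.isfile(os.path.join(root, target.lstrip("/"))):
            missing.append(target)
    return missing


def tls_findings(text):
    """Return human-readable findings for ssl_* directives below baseline."""
    d = {name: args for name, args in parse_directives(text)
         if name.startswith("ssl_")}
    findings = []
    protos = set(d.get("ssl_protocols", []))
    if not protos:
        findings.append("ssl_protocols not set; older nginx defaults include TLSv1 and TLSv1.1")
    elif protos & WEAK_PROTOCOLS:
        findings.append("ssl_protocols allows %s" % ", ".join(sorted(protos & WEAK_PROTOCOLS)))
    if d.get("ssl_session_tickets", ["on"])[0] != "off":
        findings.append("ssl_session_tickets should be off unless ticket keys are rotated")
    if d.get("ssl_stapling", ["off"])[0] != "on":
        findings.append("ssl_stapling is off; OCSP stapling not enabled")
    if d.get("ssl_stapling_verify", ["off"])[0] != "on":
        findings.append("ssl_stapling_verify is off")
    return findings


# Constructed snippets: one following the stricter suggestion in the
# thread, one showing the include from the first post plus lax settings.
STRICT_SNIPPET = """\
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
"""

LAX_SNIPPET = """\
server {
    listen 443 ssl;
    include /etc/letsencrypt/options-ssl-nginx.conf;  # not present in the image
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_tickets on;
}
"""


def demo():
    # An empty temporary root stands in for a clean container filesystem,
    # so the include is reported missing just as nginx would at startup.
    with tempfile.TemporaryDirectory() as root:
        print("missing includes:", missing_includes(LAX_SNIPPET, root))
    print("lax findings:", tls_findings(LAX_SNIPPET))
    print("strict findings:", tls_findings(STRICT_SNIPPET))


if __name__ == "__main__":
    demo()
```

Running missing_includes() against the real filesystem of the container (root="/") before the Nginx service starts gives the same signal as nginx -t, but pinpoints the offending include without needing a running nginx binary; tls_findings() is a quick gate for any snippet dropped into conf.d/.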

@svenjacobs
Author

I understand your points. I was hoping that certbot regularly updates this file with recommended settings, but then again this might not be a good idea since the behaviour of nginx might suddenly change or even stop working. So yes, let's keep it as it is. I will close this issue.
