From: nodiscc <nodiscc@gmail.com>
Date: Mon, 18 May 2020 19:07:32 +0000 (+0200)
Subject: apache: fix let's encrypt configuration , copy it directly from reference file
X-Git-Tag: v0.12.0-beta-1~16^2~36
X-Git-Url: https://git.immae.eu/?p=github%2Fshaarli%2FShaarli.git;a=commitdiff_plain;h=c84d1430472bac5c8f437f41b8e845b808acfdd2

apache: fix let's encrypt configuration , copy it directly from reference file
including options-ssl-apache.conf requires python3-certbot-apache which pulls a lot of dependencies
---

diff --git a/doc/md/Server-configuration.md b/doc/md/Server-configuration.md
index b4dfc53d..70ae087a 100644
--- a/doc/md/Server-configuration.md
+++ b/doc/md/Server-configuration.md
@@ -77,7 +77,6 @@ sudo systemctl stop apache2
 sudo systemctl stop nginx
 
 # generate initial certificates - Let's Encrypt ACME servers must be able to access your server!
-# (DNS records must be correctly pointing to  it, firewall/NAT on port 80/443 must be open)
 sudo certbot certonly --standalone --noninteractive --agree-tos --email "admin@shaarli.mydomain.org" -d shaarli.mydomain.org
 # this will generate a private key and certificate at /etc/letsencrypt/live/shaarli.mydomain.org/{privkey,fullchain}.pem
 
@@ -150,7 +149,13 @@ sudo nano /etc/apache2/sites-available/shaarli.mydomain.org.conf
     SSLEngine             on
     SSLCertificateFile    /etc/letsencrypt/live/shaarli.mydomain.org/fullchain.pem
     SSLCertificateKeyFile /etc/letsencrypt/live/shaarli.mydomain.org/privkey.pem
-    Include /etc/letsencrypt/options-ssl-apache.conf
+
+    # Let's Encrypt settings from https://github.com/certbot/certbot/blob/master/certbot-apache/certbot_apache/_internal/tls_configs/current-options-ssl-apache.conf
+    SSLProtocol             all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
+    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+    SSLHonorCipherOrder     off
+    SSLSessionTickets       off
+    SSLOptions +StrictRequire
 
     # SSL/TLS configuration (for self-signed certificates)
     #SSLEngine             on