diff --git a/certbot-apache/certbot_apache/_internal/configurator.py b/certbot-apache/certbot_apache/_internal/configurator.py
index f7ad9983f..28b160dfc 100644
--- a/certbot-apache/certbot_apache/_internal/configurator.py
+++ b/certbot-apache/certbot_apache/_internal/configurator.py
@@ -125,8 +125,8 @@ class ApacheConfigurator(common.Installer):
         """
         # Disabling TLS session tickets is supported by Apache 2.4.11+ and OpenSSL 1.0.2l+.
         # So for old versions of Apache we pick a configuration without this option.
-        if self.version < (2, 4, 11) or not self.openssl_version or\
-            LooseVersion(self.openssl_version) < LooseVersion('1.0.2l'):
+        if self.version < (2, 4, 11) or not self.openssl_version() or\
+            LooseVersion(self.openssl_version()) < LooseVersion('1.0.2l'):
             return apache_util.find_ssl_apache_conf("old")
         return apache_util.find_ssl_apache_conf("current")
 
@@ -238,7 +238,6 @@ class ApacheConfigurator(common.Installer):
         """Full absolute path to digest of updated SSL configuration file."""
         return os.path.join(self.config.config_dir, constants.UPDATED_MOD_SSL_CONF_DIGEST)
 
-    @property
     def openssl_version(self):
         """Lazily retrieve openssl version"""
         if self._openssl_version:
@@ -248,8 +247,6 @@ class ApacheConfigurator(common.Installer):
             ssl_module_location = self.parser.modules['ssl_module']
         except KeyError:
             return None
-        if not ssl_module_location:
-            return None
         # Step 2. Grep in the .so for openssl version
         try:
             with open(ssl_module_location) as f:
diff --git a/certbot-apache/tests/configurator_test.py b/certbot-apache/tests/configurator_test.py
index 3cda7a771..937dd1464 100644
--- a/certbot-apache/tests/configurator_test.py
+++ b/certbot-apache/tests/configurator_test.py
@@ -1802,10 +1802,38 @@ class InstallSslOptionsConfTest(util.ApacheTest):
             AH02556: "SSLOpenSSLConfCmd %s %s" applied to %s
             OpenSSL 1.0.2g  1 Mar 2016
             """
+        self.config.parser.modules['ssl_module'] = '/fake/path'
         with mock.patch("%s.open" % six.moves.builtins.__name__,
             mock.mock_open(read_data=some_string_contents)) as mock_file:
-            self.config.parser.modules['ssl_module'] = '/fake/path'
-            self.assertEqual(self.config.openssl_version, "1.0.2g")
+            self.assertEqual(self.config.openssl_version(), "1.0.2g")
+
+    def test_current_version(self):
+        self.config.version = (2, 4, 10)
+        self.config._openssl_version = '1.0.2m'
+        self.assertTrue('old' in self.config.pick_apache_config())
+
+        self.config.version = (2, 4, 11)
+        self.config._openssl_version = '1.0.2m'
+        self.assertTrue('current' in self.config.pick_apache_config())
+
+        self.config._openssl_version = '1.0.2a'
+        self.assertTrue('old' in self.config.pick_apache_config())
+
+    def test_openssl_version_errors(self):
+        self.config._openssl_version = '1.0.2a'
+        self.assertEqual(self.config.openssl_version(), '1.0.2a')
+
+        self.config._openssl_version = None
+        self.config.parser.modules['ssl_module'] = "/fake/path"
+        self.assertRaises(errors.PluginError, self.config.openssl_version)
+
+        contents_missing_openssl = "these contents won't match the regex"
+        with mock.patch("%s.open" % six.moves.builtins.__name__,
+            mock.mock_open(read_data=contents_missing_openssl)) as mock_file:
+            with mock.patch("certbot_apache._internal.configurator.logger.warning") as mock_log:
+                # Check that correct logger.warning was printed
+                self.assertEqual(self.config.openssl_version(), None)
+                self.assertTrue("Could not find" in mock_log.call_args[0][0])
 
 
 if __name__ == "__main__":