From: paul beard <paulbeard@gmail.com>
To: FreeBSD-questions
Date: Sun, 11 Sep 2022 17:57:09 -0700
Subject: any nginx/letsencrypt experts out there?
List-Archive: https://lists.freebsd.org/archives/freebsd-questions
Something seems to have gone wrong with a working nginx/letsencrypt installation. I suspect LE has changed some things while this system was running 11.4 and the update to 12.3 brought those changes to light.

I have a www and cloud server under a single domain and a certificate for each. Not sure that's right, but I think that's what LE/certbot came up with from reading nginx.conf (i.e., it was set up and worked that way but might have always been wrong and I am just now catching up with that). The cloud.domain server loads just fine but the www.domain will not. There is additional confusion over www vs bare (non-www) domain. Again, that worked before with some rewriting and whatnot but seems not to work now. Requests for www. are now forced to the non-www listener and all the necessary bits (WordPress, etc.) are in the www. server stanza.

Also I can get openssl on the command line to work fine, so there is a chance it's some goofy Apple Safari mishegas that needs sorting out.

Is it better to just have a single cert for *.domain? That makes more sense to me; not sure how this other situation came to be.

--
Paul Beard / www.paulbeard.org/
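Two checks that bear on the questions in the post, as an added example that is not part of the original message and is not nginx's or certbot's code. "probe" asks the server which certificate it hands out for a given SNI name, which is what Safari does and what distinguishes "nginx serves the wrong vhost's cert for www" from a client-side problem; "name_covered" applies the browser name-matching rules to that certificate's SAN list. The hostnames passed on the command line are placeholders. Two caveats worth knowing before opting for a single wildcard cert: a SAN of *.domain covers www.domain and cloud.domain but not the bare domain itself, so a cert meant to serve both bare and www needs both names listed, and Let's Encrypt issues wildcard certificates only through the DNS-01 challenge, not the HTTP challenge that a plain nginx setup usually uses.

```shell
#!/bin/sh
# Added example (not from the original post): check which certificate a
# TLS vhost actually serves for a given SNI name, and whether that
# certificate's names cover the name a browser will ask for.
# Hostnames on the command line are placeholders for the real domain.

# cert_sans: read a PEM certificate on stdin, print one DNS SAN per line.
# "x509 -ext" needs OpenSSL 1.1.1 or newer.
cert_sans() {
    openssl x509 -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS://p'
}

# name_covered HOST "SAN1 SAN2 ...": print yes/no (and return 0/1) for
# whether HOST matches one of the SANs under the rules browsers apply:
# an exact match, or a wildcard "*.X" standing for exactly one label.
# So *.example.org covers www.example.org but not example.org itself and
# not a.b.example.org. Runs in a subshell with globbing off so that a
# literal "*.example.org" is never expanded against the filesystem.
name_covered() (
    set -f
    nc_host=$1
    nc_sans=$2
    for san in $nc_sans; do
        if [ "$san" = "$nc_host" ]; then
            echo yes
            return 0
        fi
        case $san in
            "*."*)
                suffix=${san#"*."}
                # everything after HOST's first label must equal the wildcard
                # suffix, and HOST must actually have a first label to strip
                if [ "${nc_host#*.}" = "$suffix" ] && [ "${nc_host%%.*}" != "$nc_host" ]; then
                    echo yes
                    return 0
                fi
                ;;
        esac
    done
    echo no
    return 1
)

# probe HOST [PORT]: connect with SNI=HOST and report the served leaf
# certificate. Note that s_client by itself does not reject a certificate
# whose names do not include HOST (add -verify_hostname HOST to make it),
# which is why "openssl works but Safari does not" is consistent with the
# server handing out the wrong vhost's certificate for that name.
probe() {
    p_host=$1
    p_port=${2:-443}
    pem=$(openssl s_client -servername "$p_host" -connect "$p_host:$p_port" </dev/null 2>/dev/null \
          | openssl x509 2>/dev/null)
    if [ -z "$pem" ]; then
        echo "$p_host: no certificate returned"
        return 1
    fi
    printf '%s\n' "$pem" | openssl x509 -noout -subject -issuer -enddate
    sans=$(printf '%s\n' "$pem" | cert_sans | tr '\n' ' ')
    echo "  SANs: $sans"
    echo "  $p_host covered by served cert: $(name_covered "$p_host" "$sans")"
}

# Usage: sh probe.sh www.example.org example.org cloud.example.org
# Probing each name separately shows whether one certificate is served per
# SNI name or whether some names fall through to a default server block.
for h in "$@"; do
    probe "$h"
done
```

nginx picks the server block for an HTTPS request by matching the SNI name against server_name; a name that matches no block lands on the default for that listen port (the first such block unless one is marked default_server), so a www. request that "is forced to the non-www listener" is the symptom to look for in the probe output: the www name coming back with the bare domain's certificate, which Safari rejects and which s_client silently accepts.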