Date: Mon, 12 Sep 2022 10:41:58 +0930
From: Ty John <ty-ml@eye-of-odin.com>
To: paul beard
Cc: freebsd-questions
Subject: Re: any nginx/letsencrypt experts out there?
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

Can you share relevant snippets from your nginx.conf as well as the command you are using to issue/renew certs?

How are you verifying after the renewal? It's OK to change to a wildcard but you won't be able to do an automatic verification such as the http method where letsencrypt checks the <yourdomain.com>/.well-known/foobar on port 80. Automation works much better by specifying multiple domains on a single cert with the subsequent domains being SANs.

For example, I use acme.sh. You can use as many -d options as you like and they will be added as SANs to a single certificate.

acme.sh --issue -d www.mydomain.com -d cloud.mydomain.com -w /usr/share/nginx/html

---- On Mon, 12 Sep 2022 10:27:09 +0930 paul beard <paulbeard@gmail.com> wrote ---

Something seems to have gone wrong with a working nginx/letsencrypt installation. I suspect LE has changed some things while this system was running 11.4 and the update to 12.3 brought those changes to light.

I have a www and cloud server under a single domain and a certificate for each. Not sure that's right but I think that's what LE/certbot came up with from reading nginx.conf (i.e., it was set up and worked that way but might have always been wrong and I am just now catching up with that). The cloud.domain server loads just fine but the www.domain will not. There is additional confusion over www vs bare (non-www).domain. Again, that worked before with some rewriting and whatnot but seems not to work now. Requests for www. are now forced to the non-www listener and all the necessary bits (wordpress, etc) are in the www. server stanza.

Also I can get openssl on the command line to work fine so there is a chance it's some goofy Apple Safari mishegas that needs sorting out.

Is it better to just have a single cert for *.domain? That makes more sense to me, not sure how this other situation came to be.

--
Paul Beard / http://www.paulbeard.org/
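The reply asks how the renewal is being verified and recommends one multi-SAN certificate; the original post also runs into the www-vs-bare-domain confusion. As an added example (not code from either poster), this post-renewal check parses a certificate in the shape Python's ssl getpeercert() returns, lists which expected hostnames its SANs do not cover, applies RFC 6125 wildcard rules (so a *.domain wildcard is shown not to cover the bare domain), and reports days to expiry. The hostnames and the sample certificate are constructed placeholders; fetch_cert() is the live-network variant of the same check.

```python
import socket
import ssl

def san_dns_names(cert):
    """DNS entries of the subjectAltName in a getpeercert()-style dict."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def name_matches(pattern, hostname):
    """RFC 6125 style matching: a wildcard may only be the whole left-most
    label and stands for exactly one label, so '*.mydomain.com' covers
    'www.mydomain.com' but neither 'mydomain.com' nor 'a.b.mydomain.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def uncovered(cert, hostnames):
    """Hostnames that no SAN of the certificate matches."""
    names = san_dns_names(cert)
    return [h for h in hostnames if not any(name_matches(p, h) for p in names)]

def days_until_expiry(cert, now_ts):
    """notAfter is rendered like 'Sep 12 01:11:58 2022 GMT'; now_ts is epoch seconds."""
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now_ts) // 86400

def fetch_cert(hostname, port=443):
    """Live check: the leaf certificate the server presents for this SNI name.
    The default context verifies the chain, so an expired or untrusted
    certificate raises ssl.SSLCertVerificationError instead of returning."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

# Constructed sample (placeholder names), shaped like getpeercert() output for
# the single two-SAN certificate the acme.sh command in the reply would issue.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.mydomain.com"),),),
    "subjectAltName": (("DNS", "www.mydomain.com"), ("DNS", "cloud.mydomain.com")),
    "notAfter": "Dec 10 01:11:58 2022 GMT",
}
SAMPLE_NOW_TS = ssl.cert_time_to_seconds("Sep 12 01:11:58 2022 GMT")  # date of the thread

if __name__ == "__main__":
    # Post-renewal report for the three names the original poster mentions.
    wanted = ["www.mydomain.com", "cloud.mydomain.com", "mydomain.com"]
    print("not covered:", uncovered(SAMPLE_CERT, wanted))
    print("days left:", days_until_expiry(SAMPLE_CERT, SAMPLE_NOW_TS))
```

Run it against a live host by replacing SAMPLE_CERT with fetch_cert("www.mydomain.com"); the bare domain shows up as uncovered unless it is added as its own -d entry, since neither the two-SAN cert nor a *.mydomain.com wildcard matches it.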