Date: Mon, 12 Sep 2022 01:52:43 +0000
From: Waitman Gobble <gobble.wa@gmail.com>
To: freebsd-questions <freebsd-questions@freebsd.org>
Subject: Re: any nginx/letsencrypt experts out there?
Message-ID: <CAFuo_fyei58PNjdsDXrtPSVu58mdw8_SMguJ5bFO5rko+XYMAw@mail.gmail.com>
In-Reply-To: <1832f40c8af.10b332ee2406187.6375306777861801560@eye-of-odin.com>
References: <CAMtcK2reN+DGjvdaJJ=3ppz4uK0RU8gJ1f4BY1kvJ+5xHqgOsg@mail.gmail.com> <1832f40c8af.10b332ee2406187.6375306777861801560@eye-of-odin.com>
On Mon, Sep 12, 2022 at 1:12 AM Ty John <ty-ml@eye-of-odin.com> wrote:
>
> Can you share relevant snippets from your nginx.conf as well as the command you are using to issue/renew certs?
>
> How are you verifying after the renewal? It's OK to change to a wildcard but you won't be able to do an automatic verification such as the http method where letsencrypt checks the <yourdomain.com>/.well-known/foobar on port 80. Automation works much better by specifying multiple domains on a single cert with the subsequent domains being SANs.
>
> For example, I use acme.sh. You can use as many -d options as you like and they will be added as SANs to a single certificate.
>
> acme.sh --issue -d www.mydomain.com -d cloud.mydomain.com -w /usr/share/nginx/html
>
> ---- On Mon, 12 Sep 2022 10:27:09 +0930 paul beard <paulbeard@gmail.com> wrote ---
>
> Something seems to have gone wrong with a working nginx/letsencrypt installation. I suspect LE has changed some things while this system was running 11.4 and the update to 12.3 brought those changes to light.
>
> I have a www and cloud server under a single domain and a certificate for each. Not sure that's right but I think that's what LE/certbot came up with from reading nginx.conf (i.e., it was set up and worked that way but might have always been wrong and I am just now catching up with that). The cloud.domain server loads just fine but the www.domain will not. There is additional confusion over www vs bare (non-www).domain. Again, that worked before w/ some rewriting and whatnot but seems not to work now. Requests for www. are now forced to the non-www listener and all the necessary bits (wordpress, etc) are in the www. server stanza.
>
> Also I can get openssl on the command line to work fine so there is a chance it's some goofy Apple Safari mishegas that needs sorting out.
>
> Is it better just to have a single cert for *.domain? That makes more sense to me, not sure how this other situation came to be.
>
> --
> Paul Beard / www.paulbeard.org/
>

It's been a long time since I've used 12, so I'm not sure if certbot usage changed much/any from 12 to 13, but I use

certbot --nginx --expand -d domain.tld -d www.domain.tld

-- 
Waitman Gobble
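The two questions the thread leaves open are "how are you verifying after the renewal?" and whether a single `*.domain` certificate would cover both the www and the bare domain. The following script is an added example for this archive page, not code from any of the posters or from certbot/acme.sh. It assumes only the text format that `openssl x509 -noout -ext subjectAltName` prints (OpenSSL 1.1.1 and later); the two sample outputs and the hostname list are constructed for illustration. It parses the SAN entries of the certificate nginx is actually serving and reports which `server_name` hostnames no SAN covers, applying the RFC 6125 wildcard rule (a wildcard matches exactly one leftmost label, so `*.mydomain.com` covers `www.mydomain.com` but not the bare `mydomain.com`).

```python
"""Check that a certificate's subjectAltName entries cover every hostname
nginx will serve.

Added example for this thread, not code from the list posters.  It assumes
only the text format printed by `openssl x509 -noout -ext subjectAltName`
(OpenSSL 1.1.1+).  The sample outputs and hostnames below are constructed.

To check the certificate a live listener presents (rather than a file on
disk), feed this script the output of, for example:

  openssl s_client -connect www.mydomain.com:443 -servername www.mydomain.com \
      </dev/null 2>/dev/null | openssl x509 -noout -ext subjectAltName
"""
import re

# Constructed sample: what openssl prints for a two-SAN certificate such as
# the one issued with "-d www.mydomain.com -d cloud.mydomain.com".
SAMPLE_OPENSSL_OUTPUT = """\
X509v3 Subject Alternative Name:
    DNS:www.mydomain.com, DNS:cloud.mydomain.com
"""

# Constructed sample: the SAN section of a wildcard certificate.
SAMPLE_WILDCARD_OUTPUT = """\
X509v3 Subject Alternative Name:
    DNS:*.mydomain.com
"""


def parse_san_dns_names(openssl_text):
    """Return the DNS: entries (lower-cased) from the SAN section of openssl output."""
    names = []
    in_san = False
    for line in openssl_text.splitlines():
        if "Subject Alternative Name" in line:
            in_san = True
            continue
        if in_san:
            # The SAN values sit on the indented line(s) after the header;
            # the next unindented line starts a different extension.
            if line and not line[0].isspace():
                break
            names.extend(m.lower() for m in re.findall(r"DNS:([^,\s]+)", line))
    return names


def san_matches(san, hostname):
    """RFC 6125-style comparison.  A wildcard covers exactly one leftmost
    label: *.mydomain.com matches www.mydomain.com but neither mydomain.com
    nor a.b.mydomain.com.  Names are compared case-insensitively."""
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname
    san_labels = san.split(".")
    host_labels = hostname.split(".")
    if len(host_labels) != len(san_labels):
        return False
    return host_labels[1:] == san_labels[1:]


def uncovered_hostnames(openssl_text, server_names):
    """Return the server_names that no SAN entry in the certificate matches."""
    sans = parse_san_dns_names(openssl_text)
    return [h for h in server_names if not any(san_matches(s, h) for s in sans)]


if __name__ == "__main__":
    # Hostnames as they would appear on an nginx server_name line, including
    # the bare domain that the www/non-www redirect ends up on.
    wanted = ["www.mydomain.com", "mydomain.com", "cloud.mydomain.com"]
    for label, text in (("two-SAN cert", SAMPLE_OPENSSL_OUTPUT),
                        ("wildcard cert", SAMPLE_WILDCARD_OUTPUT)):
        missing = uncovered_hostnames(text, wanted)
        print(f"{label}: SANs={parse_san_dns_names(text)} missing={missing}")
```

Run against the real listener, an empty `missing` list for every hostname in the `server_name` directives is the renewal check the thread asks for; a non-empty list for the bare domain is exactly the symptom a wildcard-only certificate produces, which is why the suggested `-d domain.tld -d www.domain.tld` style (bare name plus SANs on one certificate) avoids it.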