From nobody Mon Sep 12 01:52:43 2022 X-Original-To: freebsd-questions@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4MQqP52q70z4c2WY for ; Mon, 12 Sep 2022 01:52:57 +0000 (UTC) (envelope-from gobble.wa@gmail.com) Received: from mail-pf1-x42d.google.com (mail-pf1-x42d.google.com [IPv6:2607:f8b0:4864:20::42d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4MQqP443Qjz3sn0 for ; Mon, 12 Sep 2022 01:52:56 +0000 (UTC) (envelope-from gobble.wa@gmail.com) Received: by mail-pf1-x42d.google.com with SMTP id 65so7236583pfx.0 for ; Sun, 11 Sep 2022 18:52:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date; bh=sSCioPsPqCIYXTGzfPHCys22xk2tbZGtgiXdVE2WhQc=; b=pajsAbORziBaBgul2FpO3LAO4qzbMaaEnNV+25L1Bdc4q2CyhCjtaq3Dp8MkCKpH2p BDZ4XwfOVYpWoTY/IJrWAyD6ifldlLX/JXugjoo271Lc2IkrVzCEKjrUYrqGWpuWqcI5 uLYTHD9PjyZNcajji95KXs3PFAODbvYJdzbgIr8xl5HnYPxZaVXSuCLEaRQ8aH2DWiXS vDrYd2gln5nwKIhRK6dStJc/VZkw3L5EmWCCuv19YCkDI0pVk2JVue2JiaML6+2XfnOT c8sbkgomYfoo41+/G1/pWHhEiTOfAZ8jylVahxce5UgVsNfrqqwBpsYa0uJxqPFla8zh FWAg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date; bh=sSCioPsPqCIYXTGzfPHCys22xk2tbZGtgiXdVE2WhQc=; b=EhetgGH4tUIkZU1oKvwYyaau/Y+2WiKtA4X9mZDWEs81unIp0hIZlt+8j3M0kU0pPR hhDOgACKRv8CLtcX+GavbTLGhpg3Ukhq3l+JuDhhUwfufy/rGpqRbuo6ERT8T21ns2cY durcuFCuAdfzMwzX0dDvGUIIRsSw//dY3lU3but7syInpenczXVzfU7PYVIOhSx+nrUR J3+O0muzGi+j060CizXH4u/IYuujHYpSNW6C9AScgnPr5ApUEFSJKHIhwCo04Py5UrQE E7Lv0/eJZ1Q5nYlu0wYWZtZJfdb3chCFnpDk7LUr0C3d+tWtSCOCiUkGt1q3hMaB3ZsZ WQwQ== X-Gm-Message-State: ACgBeo0UdB5yh3sowbT+Bz83v+L2gBBUE0pcPax0+MdSQjRSHUm6eGbl PxAkB9XktOI1FomdZbhRTH/CvVoc4O/Y1/t/7WBbc8Scq1A= X-Google-Smtp-Source: AA6agR5dZ8ZOdqoclmX9z5JrGa3lfxzEgdNZu9mnya6DeBKRTikiDdX2g6KWBWXJfr/soc1bV/VOphdWw4BEJP3HPOU= X-Received: by 2002:a63:ee55:0:b0:429:88cf:78df with SMTP id n21-20020a63ee55000000b0042988cf78dfmr21171274pgk.301.1662947574782; Sun, 11 Sep 2022 18:52:54 -0700 (PDT) List-Id: User questions List-Archive: https://lists.freebsd.org/archives/freebsd-questions List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-questions@freebsd.org X-BeenThere: freebsd-questions@freebsd.org MIME-Version: 1.0 References: <1832f40c8af.10b332ee2406187.6375306777861801560@eye-of-odin.com> In-Reply-To: <1832f40c8af.10b332ee2406187.6375306777861801560@eye-of-odin.com> From: Waitman Gobble Date: Mon, 12 Sep 2022 01:52:43 +0000 Message-ID: Subject: Re: any nginx/letsencrypt experts out there? To: freebsd-questions Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Rspamd-Queue-Id: 4MQqP443Qjz3sn0 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=gmail.com header.s=20210112 header.b=pajsAbOR; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (mx1.freebsd.org: domain of gobble.wa@gmail.com designates 2607:f8b0:4864:20::42d as permitted sender) smtp.mailfrom=gobble.wa@gmail.com X-Spamd-Result: default: False [-3.00 / 15.00]; SUBJECT_ENDS_QUESTION(1.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; NEURAL_HAM_SHORT(-1.00)[-0.999]; DMARC_POLICY_ALLOW(-0.50)[gmail.com,none]; R_DKIM_ALLOW(-0.20)[gmail.com:s=20210112]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36:c]; MIME_GOOD(-0.10)[text/plain]; RCPT_COUNT_ONE(0.00)[1]; RCVD_IN_DNSWL_NONE(0.00)[2607:f8b0:4864:20::42d:from]; PREVIOUSLY_DELIVERED(0.00)[freebsd-questions@freebsd.org]; FROM_HAS_DN(0.00)[]; RCVD_TLS_LAST(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; ARC_NA(0.00)[]; DWL_DNSWL_NONE(0.00)[gmail.com:dkim]; TAGGED_FROM(0.00)[]; TO_DN_ALL(0.00)[]; MID_RHS_MATCH_FROMTLD(0.00)[]; FREEMAIL_FROM(0.00)[gmail.com]; MLMMJ_DEST(0.00)[freebsd-questions@freebsd.org]; DKIM_TRACE(0.00)[gmail.com:+]; MIME_TRACE(0.00)[0:+]; FROM_EQ_ENVFROM(0.00)[]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; FREEMAIL_ENVFROM(0.00)[gmail.com]; RCVD_COUNT_TWO(0.00)[2] X-ThisMailContainsUnwantedMimeParts: N On Mon, Sep 12, 2022 at 1:12 AM Ty John wrote: > > Can you share relevant snippets from your nginx.conf as well as the comma= nd you are using to issue/renew certs? > > How are you verifying after the renewal? It's OK to change to a wildcard = but you won't be able to do an automatic verification such as the http meth= od where letsencrypt checks the /.well-known/foobar on port= 80. Automation works much better by specifying multiple domains on a singl= e cert with the subsequent domains being SANs. > > For example, I use acme.sh. You can use as many -d options as you like an= d they will be added as SANs to a single certificate. > > acme.sh --issue -d www.mydomain.com -d cloud.mydomain.com -w /usr/share/n= ginx/html > > > > > > > > > > ---- On Mon, 12 Sep 2022 10:27:09 +0930 paul beard = wrote --- > > Something seems to have gone wrong with a working nginx/letsencrypt insta= llation. I suspect LE has changed some things while this system was running= 11.4 and the update to 12.3 brought those changes to light. > > I have a www and cloud server under a single domain and a certificate for= each. Not sure that's right but I think that's what LE/certbot came up wit= h from reading nginx.conf (ie, it was setup and worked that way but might h= ave always been wrong and I am just now catching up with that). The cloud.d= omain server loads just fine but the www.domain will not. There is addition= al confusion over www vs bare (non-www).domain. Again, that worked before w= some rewriting and whatnot but seems not to work now. Requests for www. ar= e now forced to the non-www listener and all the necessary bits (wordpress,= etc) are in the www. server stanza. > > Also I can get openssl on the command line to work fine so there is a cha= nce it's some goofy Apple Safari mishegas that needs sorting out. > > Is it better just have a single cert for *.domain? That makes more sense = to me, not sure how this other situation came to be. > > > > > > > -- > Paul Beard / www.paulbeard.org/ > > > It's been a long time since I've used 12, so I'm not sure if certbot usage changed much/any from 12 to 13, but I use certbot --nginx --expand -d domain.tld -d www.domain.tld --=20 Waitman Gobble