From nobody Mon Sep 12 03:51:30 2022 X-Original-To: freebsd-questions@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4MQt275qLHz4cGsV for ; Mon, 12 Sep 2022 03:51:43 +0000 (UTC) (envelope-from gobble.wa@gmail.com) Received: from mail-pg1-x534.google.com (mail-pg1-x534.google.com [IPv6:2607:f8b0:4864:20::534]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4MQt2671wdz41rR for ; Mon, 12 Sep 2022 03:51:42 +0000 (UTC) (envelope-from gobble.wa@gmail.com) Received: by mail-pg1-x534.google.com with SMTP id q9so7075366pgq.6 for ; Sun, 11 Sep 2022 20:51:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date; bh=EE80OF6qkmRoEoYczhLcnrgXD15ILIvtCBH5Uq41ofA=; b=Pqb3Ww7X+4hhg4VDUYoYbN5OYrwIvifPJu4QxyD+CxPPGNOOguNw9aauxIzk2DKr4H t1mpzv4V3g2ZpLyf17JMec7sI4jRwCBn33SeHuu+MuK2iZ6HbEPsja6D4zupTewqsQpz veq/8vKYZ1uEw0qEdD8vAMUsCN6a+bagYjCyCu4tQgABSb0TQol/xWJxnrZZ0myCePZp rLU1z7tVsCG3V4/vNmkXDXvICvzAgXzTAcGmiPzn+F8X9vRx2CTR71f2FTkUKjmVTcuW 5wkPGhPZRiVgySVC8AIue+uuACurRFGY1LosnI54cPiBxgUDi5mBGw8KosBEAG45mE2w gjNA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date; bh=EE80OF6qkmRoEoYczhLcnrgXD15ILIvtCBH5Uq41ofA=; b=1bPiRUtkACcjHDkIzq+1/gRzoeYpHptx4GGRwCfAd1gW+vjtyVUXDSi9BczV1bN3nv u8UuNEUaGzRj+E48p5CHa37ong1Qia2hcOIgTGMYi8zJvpt9AaX9vkAZo6+sUuUopBhJ 6cPqq0rJoIW43fdO6d4FsLIgfefqAhCw78ps4IAJTmMCF6YPuu2Ps96dBfJyClXqC2wo biTg5ht4A6l7oJ9pwYX4YGsKzzajst87BSb10916bW7zF7eWqVJecUlvqBmRq495EyFd JFOCQGOhlWTe3vLGbmrOpXlU6nD4xWe2LNIJ9DuVj8DTmQunJG/pbXDH56rr9VHQenDL qs3w== X-Gm-Message-State: ACgBeo1pGlhx4U0/OAbOjI1OsvTtPktwjZYA0wZBOUgvJXQA6HtZFPYV drtDpBH6ld/8uDF8iPt7xg0AqI1vX0EUdtbzzjaRup0uCMRyOg== X-Google-Smtp-Source: AA6agR6VgFiOtCf2YRUWMFjfdPwSpGmKnbVRLtyXv0YPj4UWrf1AUgBkCtzI0WFMz3iWQAX1aISn3w9aeKcqnDYbc2E= X-Received: by 2002:a63:5a61:0:b0:41b:b021:f916 with SMTP id k33-20020a635a61000000b0041bb021f916mr21103911pgm.387.1662954701500; Sun, 11 Sep 2022 20:51:41 -0700 (PDT) List-Id: User questions List-Archive: https://lists.freebsd.org/archives/freebsd-questions List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-questions@freebsd.org X-BeenThere: freebsd-questions@freebsd.org MIME-Version: 1.0 References: <1832f40c8af.10b332ee2406187.6375306777861801560@eye-of-odin.com> <1832f85d371.10bae82d3411853.462587170353998748@eye-of-odin.com> In-Reply-To: <1832f85d371.10bae82d3411853.462587170353998748@eye-of-odin.com> From: Waitman Gobble Date: Mon, 12 Sep 2022 03:51:30 +0000 Message-ID: Subject: Re: any nginx/letsencrypt experts out there? To: freebsd-questions Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Rspamd-Queue-Id: 4MQt2671wdz41rR X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=gmail.com header.s=20210112 header.b=Pqb3Ww7X; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (mx1.freebsd.org: domain of gobble.wa@gmail.com designates 2607:f8b0:4864:20::534 as permitted sender) smtp.mailfrom=gobble.wa@gmail.com X-Spamd-Result: default: False [-3.00 / 15.00]; NEURAL_HAM_LONG(-1.00)[-1.000]; SUBJECT_ENDS_QUESTION(1.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; NEURAL_HAM_SHORT(-1.00)[-1.000]; DMARC_POLICY_ALLOW(-0.50)[gmail.com,none]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36]; R_DKIM_ALLOW(-0.20)[gmail.com:s=20210112]; MIME_GOOD(-0.10)[text/plain]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[freebsd-questions@freebsd.org]; RCVD_TLS_LAST(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; RCVD_IN_DNSWL_NONE(0.00)[2607:f8b0:4864:20::534:from]; FREEMAIL_FROM(0.00)[gmail.com]; DWL_DNSWL_NONE(0.00)[gmail.com:dkim]; MLMMJ_DEST(0.00)[freebsd-questions@freebsd.org]; DKIM_TRACE(0.00)[gmail.com:+]; TO_DN_ALL(0.00)[]; MID_RHS_MATCH_FROMTLD(0.00)[]; ARC_NA(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; FREEMAIL_ENVFROM(0.00)[gmail.com]; MIME_TRACE(0.00)[0:+]; TAGGED_FROM(0.00)[]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; RCVD_COUNT_TWO(0.00)[2] X-ThisMailContainsUnwantedMimeParts: N On Mon, Sep 12, 2022 at 2:42 AM Ty John wrote: > > That order should be fine. The more specific locations should be listed f= irst which is what you have. The redirect will trigger a new request which = will match the first stanza. > > Anyway, it looks fine to me as long as the certs themselves are right. > I just checked the certs on https://paulbeard.org, https://www.paulbeard.= org and https://cloud.paulbeard.org and they all seem fine to me. > I suspect it might be a browser issue as you mentioned. What happens in s= afari? > > > > > ---- On Mon, 12 Sep 2022 10:53:29 +0930 paul beard = wrote --- > > I am using certbot renew for renewals. > > This is part of the stanza for the www. listener. Not sure why it's first= =E2=80=A6logically I think the bare non-www should be first, and redirect t= o this but I never said I knew what I was doing. At the moment, all is well= at the root level but I seem to have buggered something up with how /wordp= ress is handled. > > server { > > listen 443 ssl http2; > > listen [::]:443 ssl http2; > > ssl_certificate /usr/local/etc/letsencrypt/live/www.paulbeard.org/ful= lchain.pem; # managed by Certbot > > ssl_certificate_key /usr/local/etc/letsencrypt/live/www.paulbeard.org= /privkey.pem; # managed by Certbot > > include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed = by Certbot > > ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by= Certbot > > > add_header X-Clacks-Overhead "GNU Terry Pratchett"; > > > # add Strict-Transport-Security to prevent man in the middle attacks > > add_header Strict-Transport-Security "max-age=3D15552000; includeSubD= omains" always; > > > #server_name www.paulbeard.org paulbeard.org; > > server_name www.paulbeard.org; > > root /usr/local/www/; > > > > This is the complete stanza for the non-www stanza: > > server { > > listen 443 ssl http2; > > listen [::]:443 ssl http2; > > ssl_certificate /usr/local/etc/letsencrypt/live/paulbeard.org/fullcha= in.pem; # managed by Certbot > > ssl_certificate_key /usr/local/etc/letsencrypt/live/paulbeard.org/pri= vkey.pem; # managed by Certbot > > include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed = by Certbot > > ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by= Certbot > > > add_header X-Clacks-Overhead "GNU Terry Pratchett"; > > # add Strict-Transport-Security to prevent man in the middle attacks > > add_header Strict-Transport-Security "max-age=3D15552000; includeSubD= omains" always; > > server_name paulbeard.org; > > rewrite ^(.*) https://www.paulbeard.org$1 permanent; > > #return 301 https://$host$request_uri; > > > if ($request ~* http://paulbeard.org) { > > return 301 https://www.paulbeard.org; > > } > > > root /usr/local/www/; > > disable_symlinks off; > > > } > > > and these are the currently non-op wordpress bits. > > location /wordpress { > > try_files $uri /wordpress/index.php$is_args$args; > > index index.php; > > } > > > > location /wordpress/wp-admin/ { > > allow 192.168.0./24; > > deny all; > > try_files $uri /wordpress/wp-admin/index.php; > > index index.php; > > error_page 403 =3D @goaway; > > } > > > > > On Sun, Sep 11, 2022 at 6:12 PM Ty John wrote: > > > > -- > Paul Beard / www.paulbeard.org/ > > > Can you share relevant snippets from your nginx.conf as well as the comma= nd you are using to issue/renew certs? > > How are you verifying after the renewal? It's OK to change to a wildcard = but you won't be able to do an automatic verification such as the http meth= od where letsencrypt checks the /.well-known/foobar on port= 80. Automation works much better by specifying multiple domains on a singl= e cert with the subsequent domains being SANs. > > For example, I use acme.sh. You can use as many -d options as you like an= d they will be added as SANs to a single certificate. > > acme.sh --issue -d www.mydomain.com -d cloud.mydomain.com -w /usr/share/n= ginx/html > > > > > > > > > > ---- On Mon, 12 Sep 2022 10:27:09 +0930 paul beard = wrote --- > > Something seems to have gone wrong with a working nginx/letsencrypt insta= llation. I suspect LE has changed some things while this system was running= 11.4 and the update to 12.3 brought those changes to light. > > I have a www and cloud server under a single domain and a certificate for= each. Not sure that's right but I think that's what LE/certbot came up wit= h from reading nginx.conf (ie, it was setup and worked that way but might h= ave always been wrong and I am just now catching up with that). The cloud.d= omain server loads just fine but the www.domain will not. There is addition= al confusion over www vs bare (non-www).domain. Again, that worked before w= some rewriting and whatnot but seems not to work now. Requests for www. ar= e now forced to the non-www listener and all the necessary bits (wordpress,= etc) are in the www. server stanza. > > Also I can get openssl on the command line to work fine so there is a cha= nce it's some goofy Apple Safari mishegas that needs sorting out. > > Is it better just have a single cert for *.domain? That makes more sense = to me, not sure how this other situation came to be. > > > > > > > -- > Paul Beard / www.paulbeard.org/ > > > > > this will likely never happen: if ($request ~* http://paulbeard.org) { return 301 https://www.paulbeard.org; } This request would probably never come over port 443. I'm pretty sure nginx would kick out the request if the request is not TLS. IE: 400 Bad Request The plain HTTP request was sent to HTTPS port I would look at your defaults for port 80 and port 443 if you are ending up with unexpected responses. BTW are we top posting on FreeBSD ml now? I suppose I haven't been paying attention. --=20 Waitman Gobble