Date: Mon, 12 Sep 2022 13:40:39 +0930
From: Ty John <ty-ml@eye-of-odin.com>
To: "Waitman Gobble" <gobble.wa@gmail.com>
Cc: "freebsd-questions" <freebsd-questions@freebsd.org>
Subject: Re: any nginx/letsencrypt experts out there?
Message-ID: <1832fe45fb5.df336718422020.6612482456577931531@eye-of-odin.com>
In-Reply-To: <CAFuo_fwRcLRaSb9bDOe3BV_W0dUkbAjL3_P=TpifYQrxjXD5rQ@mail.gmail.com>
References: <CAMtcK2reN%2BDGjvdaJJ=3ppz4uK0RU8gJ1f4BY1kvJ%2B5xHqgOsg@mail.gmail.com> <1832f40c8af.10b332ee2406187.6375306777861801560@eye-of-odin.com> <CAMtcK2oo_5vS8AAyd6jPgniggKvYNWbiJwpQZvPb5yeAPENJGA@mail.gmail.com> <1832f85d371.10bae82d3411853.462587170353998748@eye-of-odin.com> <CAFuo_fwRcLRaSb9bDOe3BV_W0dUkbAjL3_P=TpifYQrxjXD5rQ@mail.gmail.com>
---- On Mon, 12 Sep 2022 13:21:30 +0930 Waitman Gobble wrote ---
> On Mon, Sep 12, 2022 at 2:42 AM Ty John <ty-ml@eye-of-odin.com> wrote:
> >
> > That order should be fine. The more specific locations should be listed first, which is what you have. The redirect will trigger a new request which will match the first stanza.
> >
> > Anyway, it looks fine to me as long as the certs themselves are right.
> > I just checked the certs on https://paulbeard.org, https://www.paulbeard.org and https://cloud.paulbeard.org and they all seem fine to me.
> > I suspect it might be a browser issue as you mentioned. What happens in Safari?
> >
> > ---- On Mon, 12 Sep 2022 10:53:29 +0930 paul beard <paulbeard@gmail.com> wrote ---
> >
> > I am using certbot renew for renewals.
> >
> > This is part of the stanza for the www. listener. Not sure why it's first… logically I think the bare non-www should be first, and redirect to this, but I never said I knew what I was doing.
> > At the moment, all is well at the root level but I seem to have buggered something up with how /wordpress is handled.
> >
> > server {
> >     listen 443 ssl http2;
> >     listen [::]:443 ssl http2;
> >     ssl_certificate /usr/local/etc/letsencrypt/live/www.paulbeard.org/fullchain.pem; # managed by Certbot
> >     ssl_certificate_key /usr/local/etc/letsencrypt/live/www.paulbeard.org/privkey.pem; # managed by Certbot
> >     include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
> >     ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
> >
> >     add_header X-Clacks-Overhead "GNU Terry Pratchett";
> >
> >     # add Strict-Transport-Security to prevent man in the middle attacks
> >     add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
> >
> >     #server_name www.paulbeard.org paulbeard.org;
> >     server_name www.paulbeard.org;
> >     root /usr/local/www/;
> >
> > This is the complete stanza for the non-www stanza:
> >
> > server {
> >     listen 443 ssl http2;
> >     listen [::]:443 ssl http2;
> >     ssl_certificate /usr/local/etc/letsencrypt/live/paulbeard.org/fullchain.pem; # managed by Certbot
> >     ssl_certificate_key /usr/local/etc/letsencrypt/live/paulbeard.org/privkey.pem; # managed by Certbot
> >     include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
> >     ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
> >
> >     add_header X-Clacks-Overhead "GNU Terry Pratchett";
> >     # add Strict-Transport-Security to prevent man in the middle attacks
> >     add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
> >
> >     server_name paulbeard.org;
> >     rewrite ^(.*) https://www.paulbeard.org$1 permanent;
> >     #return 301 https://$host$request_uri;
> >
> >     if ($request ~* http://paulbeard.org) {
> >         return 301 https://www.paulbeard.org;
> >     }
> >
> >     root /usr/local/www/;
> >     disable_symlinks off;
> > }
> >
> > and these are the currently non-op wordpress bits.
> >
> > location /wordpress {
> >     try_files $uri /wordpress/index.php$is_args$args;
> >     index index.php;
> > }
> >
> > location /wordpress/wp-admin/ {
> >     allow 192.168.0./24;
> >     deny all;
> >     try_files $uri /wordpress/wp-admin/index.php;
> >     index index.php;
> >     error_page 403 = @goaway;
> > }
> >
> > On Sun, Sep 11, 2022 at 6:12 PM Ty John <ty-ml@eye-of-odin.com> wrote:
> >
> > --
> > Paul Beard / www.paulbeard.org/
> >
> > Can you share relevant snippets from your nginx.conf as well as the command you are using to issue/renew certs?
> >
> > How are you verifying after the renewal? It's OK to change to a wildcard but you won't be able to do an automatic verification such as the http method where letsencrypt checks the /.well-known/foobar on port 80. Automation works much better by specifying multiple domains on a single cert with the subsequent domains being SANs.
> >
> > For example, I use acme.sh. You can use as many -d options as you like and they will be added as SANs to a single certificate.
> >
> > acme.sh --issue -d www.mydomain.com -d cloud.mydomain.com -w /usr/share/nginx/html
> >
> > ---- On Mon, 12 Sep 2022 10:27:09 +0930 paul beard <paulbeard@gmail.com> wrote ---
> >
> > Something seems to have gone wrong with a working nginx/letsencrypt installation. I suspect LE has changed some things while this system was running 11.4 and the update to 12.3 brought those changes to light.
> >
> > I have a www and cloud server under a single domain and a certificate for each. Not sure that's right but I think that's what LE/certbot came up with from reading nginx.conf (ie, it was set up and worked that way but might have always been wrong and I am just now catching up with that). The cloud.domain server loads just fine but the www.domain will not. There is additional confusion over www vs bare (non-www).domain. Again, that worked before w some rewriting and whatnot but seems not to work now. Requests for www. are now forced to the non-www listener and all the necessary bits (wordpress, etc) are in the www. server stanza.
> >
> > Also I can get openssl on the command line to work fine so there is a chance it's some goofy Apple Safari mishegas that needs sorting out.
> >
> > Is it better to just have a single cert for *.domain? That makes more sense to me, not sure how this other situation came to be.
> >
> > --
> > Paul Beard / www.paulbeard.org/
>
> this will likely never happen:
>
> if ($request ~* http://paulbeard.org) {
>     return 301 https://www.paulbeard.org;
> }
>
> This request would probably never come over port 443. I'm pretty sure nginx would kick out the request if the request is not TLS.
>
> IE:
> 400 Bad Request
> The plain HTTP request was sent to HTTPS port
>
> I would look at your defaults for port 80 and port 443 if you are ending up with unexpected responses.
>
> BTW are we top posting on FreeBSD ml now? I suppose I haven't been paying attention.
>
> --
> Waitman Gobble
>

My apologies. I don't contribute to the ML very often and completely forgot!

Ty
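As an added example that is not part of this thread (it is neither Ty's, Waitman's nor Paul's): a small POSIX shell script that answers Ty's question "how are you verifying after the renewal?" It connects to each server_name the way a browser does (one TLS handshake per name, with SNI), then checks that the certificate nginx actually serves for that name lists it in the SAN extension and is not about to expire. It assumes OpenSSL 1.1.1 or later (for `openssl x509 -ext`); the SAMPLE_SAN text is a constructed stand-in for real `openssl x509` output, and the hostnames are just the ones from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): verify the certificate nginx serves for
# each server_name, as a browser sees it (one handshake per name, with SNI).
# Assumes OpenSSL 1.1.1+ for "openssl x509 -ext subjectAltName".

# Constructed sample of "openssl x509 -noout -ext subjectAltName" output, used
# to exercise the matching logic without a network connection.
SAMPLE_SAN='X509v3 Subject Alternative Name:
    DNS:paulbeard.org, DNS:www.paulbeard.org'

# san_names TEXT: print one DNS name per line from a subjectAltName dump.
san_names() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/.*DNS:\([^ ,]*\).*/\1/p'
}

# host_covered HOST TEXT: exit 0 if HOST is listed in the SAN text, either
# literally or via a wildcard. Per RFC 6125 a wildcard covers exactly one
# label: *.paulbeard.org matches www.paulbeard.org but not paulbeard.org
# and not a.b.paulbeard.org.
host_covered() {
    host=$1
    for name in $(san_names "$2"); do
        case $name in
            '*.'*)
                suffix=${name#\*.}
                if [ "${host#*.}" = "$suffix" ] && [ "${host%%.*}" != "$host" ]; then
                    return 0
                fi
                ;;
            *)
                if [ "$name" = "$host" ]; then
                    return 0
                fi
                ;;
        esac
    done
    return 1
}

# live_check HOST [PORT]: fetch the leaf certificate presented for HOST via
# SNI, then check SAN coverage and that it stays valid for at least 30 days.
live_check() {
    host=$1
    port=${2:-443}
    pem=$(openssl s_client -servername "$host" -connect "$host:$port" </dev/null 2>/dev/null |
          openssl x509 2>/dev/null) || { echo "$host: no certificate received"; return 1; }
    san=$(printf '%s\n' "$pem" | openssl x509 -noout -ext subjectAltName)
    if ! host_covered "$host" "$san"; then
        echo "$host: served certificate does not cover this name:"
        printf '%s\n' "$san"
        return 1
    fi
    # -checkend N fails if the certificate expires within N seconds (30 days here)
    if ! printf '%s\n' "$pem" | openssl x509 -noout -checkend 2592000 >/dev/null; then
        echo "$host: certificate expires within 30 days"
        return 1
    fi
    echo "$host: OK ($(printf '%s\n' "$pem" | openssl x509 -noout -enddate))"
}

# Usage: sh check-certs.sh paulbeard.org www.paulbeard.org cloud.paulbeard.org
if [ $# -gt 0 ]; then
    for h in "$@"; do
        live_check "$h" || echo "$h: FAILED"
    done
fi
```

Run it once per name that appears in a server_name directive, bare and www included. Note the -servername argument: without SNI, nginx answers with the certificate of its default server for that port, so a plain `openssl s_client -connect host:443` can look fine while a browser, which always sends SNI, gets the other stanza's certificate.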