From: paul beard
Date: Mon, 12 Sep 2022 07:00:25 -0700
Subject: Re: any nginx/letsencrypt experts out there?
To: Ty John
Cc: freebsd-questions
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

On Sun, Sep 11, 2022 at 9:27 PM paul beard wrote:
>
> On Sun, Sep 11, 2022 at 9:11 PM Ty John wrote:
>>
>> ---- On Mon, 12 Sep 2022 13:21:30 +0930 Waitman Gobble wrote ---
>>
>> > On Mon, Sep 12, 2022 at 2:42 AM Ty John <ty-ml@eye-of-odin.com> wrote:
>> > >
>> > > That order should be fine. The more specific locations should be
>> > > listed first, which is what you have. The redirect will trigger a new
>> > > request which will match the first stanza.
>> > >
>> > > Anyway, it looks fine to me as long as the certs themselves are
>> > > right.
>> > > I just checked the certs on https://paulbeard.org,
>> > > https://www.paulbeard.org and https://cloud.paulbeard.org and they all
>> > > seem fine to me.
>> > > I suspect it might be a browser issue as you mentioned. What happens
>> > > in safari?
>>
>

Hmm. So Safari is still having issues. It is able to load the root as
www.paulbeard.org but not without it. And the link to wordpress explicitly
uses www but it gets rewritten without and then fails for lack of a secure
connection. I'll need to track down how that rewriting is happening. Who
knew Safari was so rigorous?

This is the unadorned/non-www stanza: do I even need that in the year 2022?

    server {
        #listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name paulbeard.org;
        # if ($request ~* https://paulbeard.org) {
        #     return 301 https://www.paulbeard.org;
        # }
        ssl_certificate /usr/local/etc/letsencrypt/live/paulbeard.org/fullchain.pem; # managed by Certbot
        ssl_certificate_key /usr/local/etc/letsencrypt/live/paulbeard.org/privkey.pem; # managed by Certbot
        include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

        add_header X-Clacks-Overhead "GNU Terry Pratchett";
        # add Strict-Transport-Security to prevent man in the middle attacks
        add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
        #rewrite ^(.*) https://www.paulbeard.org$1 permanent; #+
        #return 301 https://$host$request_uri;

        root /usr/local/www/;
        disable_symlinks off;
    }
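An added example, not part of the thread and not Paul's config: a pair of server blocks for the bare name that answer on both IPv4 and IPv6 and redirect unconditionally to the www host. Two details visible in the posted stanza motivate it. The IPv4 "listen 443" line is commented out, so an IPv4 connection asking for paulbeard.org is served by whichever block is the default for 0.0.0.0:443 and gets that block's certificate, not this one. And the commented-out "return 301 https://$host$request_uri;" would loop if it were uncommented in this block, because $host is already paulbeard.org; the canonical host has to be written out. The certificate paths, the Certbot include and the HSTS header are taken from the thread; that www.paulbeard.org has its own 443 block elsewhere in the config is assumed.

```nginx
# Added example (not the config posted in the thread). Assumes the
# canonical host is www.paulbeard.org and that its own 443 server block
# already exists elsewhere; certificate paths and the Certbot include are
# the ones from the thread.

# Port 80 for both names: send everything to the canonical https host.
# Let's Encrypt's HTTP-01 validation follows redirects, so renewals need
# no /.well-known/acme-challenge/ exception here.
server {
    listen 80;
    listen [::]:80;
    server_name paulbeard.org www.paulbeard.org;
    return 301 https://www.paulbeard.org$request_uri;
}

# Bare name on 443. Both listen lines are active: with only the IPv6 one,
# an IPv4 client asking for paulbeard.org is handled by whatever block is
# the default for 0.0.0.0:443, with that block's certificate.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name paulbeard.org;

    ssl_certificate     /usr/local/etc/letsencrypt/live/paulbeard.org/fullchain.pem;
    ssl_certificate_key /usr/local/etc/letsencrypt/live/paulbeard.org/privkey.pem;
    include /usr/local/etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem;

    # HSTS on the apex with includeSubDomains applies to every subdomain,
    # cloud.paulbeard.org included, so each of them has to keep serving a
    # valid certificate for the whole max-age (here 180 days).
    add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;

    # Unconditional redirect to the canonical host, written out in full.
    # "return 301 https://$host$request_uri" in this block would send the
    # client back to paulbeard.org and loop. Testing $request does not
    # work either: $request is the request line ("GET / HTTP/1.1"), which
    # never carries the scheme or the host.
    return 301 https://www.paulbeard.org$request_uri;
}
```

After reloading, nginx -t should pass and both "curl -4 -sI https://paulbeard.org/" and "curl -6 -sI https://paulbeard.org/" should return 301 with "Location: https://www.paulbeard.org/"; if only the IPv6 request does, the IPv4 side is still being answered by the default server block.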