Date:      Mon, 12 Sep 2022 07:00:25 -0700
From:      paul beard <paulbeard@gmail.com>
To:        Ty John <ty-ml@eye-of-odin.com>
Cc:        freebsd-questions <freebsd-questions@freebsd.org>
Subject:   Re: any nginx/letsencrypt experts out there?
Message-ID:  <CAMtcK2ogAN_5BnuXtDyvdt=-mcJ4fNw53e05cq0O_hGGSYqp=A@mail.gmail.com>
In-Reply-To: <CAMtcK2qW=ih8w6UgkxPL_Fp62=b%2BPzCSFN4u-uR15tnPm5=3oQ@mail.gmail.com>
References:  <CAMtcK2reN%2BDGjvdaJJ=3ppz4uK0RU8gJ1f4BY1kvJ%2B5xHqgOsg@mail.gmail.com> <1832f40c8af.10b332ee2406187.6375306777861801560@eye-of-odin.com> <CAMtcK2oo_5vS8AAyd6jPgniggKvYNWbiJwpQZvPb5yeAPENJGA@mail.gmail.com> <1832f85d371.10bae82d3411853.462587170353998748@eye-of-odin.com> <CAFuo_fwRcLRaSb9bDOe3BV_W0dUkbAjL3_P=TpifYQrxjXD5rQ@mail.gmail.com> <1832fe45fb5.df336718422020.6612482456577931531@eye-of-odin.com> <CAMtcK2qW=ih8w6UgkxPL_Fp62=b%2BPzCSFN4u-uR15tnPm5=3oQ@mail.gmail.com>


On Sun, Sep 11, 2022 at 9:27 PM paul beard <paulbeard@gmail.com> wrote:

>
> On Sun, Sep 11, 2022 at 9:11 PM Ty John <ty-ml@eye-of-odin.com> wrote:
>>
>> ---- On Mon, 12 Sep 2022 13:21:30 +0930 Waitman Gobble  wrote ---
>>
>>  > On Mon, Sep 12, 2022 at 2:42 AM Ty John <ty-ml@eye-of-odin.com> wrote:
>>  > >
>>  > > That order should be fine. The more specific locations should be
>> listed first which is what you have. The redirect will trigger a new
>> request which will match the first stanza.
>>  > >
>>  > > Anyway, it looks fine to me as long as the certs themselves are
>> right.
>>  > > I just checked the certs on https://paulbeard.org,
>> https://www.paulbeard.org and https://cloud.paulbeard.org and they all
>> seem fine to me.
>>  > > I suspect it might be a browser issue as you mentioned. What happens
>> in safari?
>
Hmm. So Safari is still having issues. It is able to load the root as
www.paulbeard.org but not without it. And the link to wordpress explicitly
uses www but it gets rewritten without and then fails for lack of a secure
connection. I'll need to track down how that rewriting is happening. Who
knew Safari was so rigorous?

This is the unadorned/non-www stanza: do I even need that in the year 2022?

     server {
     #listen 443 ssl http2;
     listen [::]:443 ssl http2;
     server_name  paulbeard.org;
 #    if ($request ~* https://paulbeard.org) {
 #    return 301 https://www.paulbeard.org;
 #    }
     ssl_certificate /usr/local/etc/letsencrypt/live/paulbeard.org/fullchain.pem; # managed by Certbot
     ssl_certificate_key /usr/local/etc/letsencrypt/live/paulbeard.org/privkey.pem; # managed by Certbot
     include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
     ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

     add_header X-Clacks-Overhead "GNU Terry Pratchett";
     # add Strict-Transport-Security to prevent man in the middle attacks
     add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
     #rewrite ^(.*) https://www.paulbeard.org$1 permanent; #+
     #return      301 https://$host$request_uri;

     root           /usr/local/www/;
     disable_symlinks off;
 }
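The stanza above is the one under discussion, so here is a check of it, as an added example that is not part of the original post and not code from nginx or Certbot. It is a standalone Python linter whose input is the apex block exactly as posted (line numbers stripped, commented lines kept), and it reports the three things that bear on the symptom described: which address families the block is actually bound on, what the HSTS header with includeSubDomains commits every subdomain to, and what each of the commented-out redirect variants would do if it were re-enabled. The helper names parse_stanza, audit, redirect_verdict and canonical_redirect are this example's own; the verdicts rest on documented nginx behaviour ($request is the request line, listen [::]:443 binds IPv6 only by default, a rewrite target gets the original query string appended).

```python
"""Audit the apex (non-www) nginx stanza quoted above.

Added example, not code from the original post or from nginx. The input is
the posted stanza with line numbers stripped and commented lines kept, so
the audit can also say what each disabled redirect would do if re-enabled.
"""
import re
import shlex

# Constructed input: the stanza from the mail, verbatim apart from the numbers.
STANZA = r"""
server {
#listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name  paulbeard.org;
#    if ($request ~* https://paulbeard.org) {
#    return 301 https://www.paulbeard.org;
#    }
ssl_certificate /usr/local/etc/letsencrypt/live/paulbeard.org/fullchain.pem; # managed by Certbot
ssl_certificate_key /usr/local/etc/letsencrypt/live/paulbeard.org/privkey.pem; # managed by Certbot
include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
add_header X-Clacks-Overhead "GNU Terry Pratchett";
# add Strict-Transport-Security to prevent man in the middle attacks
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
#rewrite ^(.*) https://www.paulbeard.org$1 permanent; #+
#return      301 https://$host$request_uri;
root           /usr/local/www/;
disable_symlinks off;
}
"""

# Directives this audit understands; anything else behind a '#' is prose.
KNOWN = {"listen", "server_name", "return", "rewrite", "if", "add_header",
         "ssl_certificate", "ssl_certificate_key", "include", "ssl_dhparam",
         "root", "disable_symlinks"}


def parse_stanza(text):
    """Return (active, commented): two lists of (directive, args).
    A trailing '# ...' remark is cut before tokenising; shlex keeps quoted
    values whole, so the ';' inside the HSTS value survives."""
    active, commented = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("server {", "}"):
            continue
        disabled = line.startswith("#")
        body = re.sub(r"\s#.*$", "", line.lstrip("# ")).rstrip(" ;{")
        tokens = shlex.split(body)
        if tokens and tokens[0] in KNOWN:
            (commented if disabled else active).append((tokens[0], tokens[1:]))
    return active, commented


def redirect_verdict(directive, args):
    """What a redirect does when it runs inside the apex TLS block itself."""
    if directive == "if":
        cond = " ".join(args)
        if "$request" in cond and "://" in cond:
            return ("never matches: $request is the request line "
                    "('GET /path HTTP/1.1') and carries no scheme or host")
        return "condition not analysed"
    target = args[-1] if directive == "return" else args[1]
    if directive == "return" and "$host" in target:
        return "redirect loop: $host is the apex itself, so it points back at this block"
    if not any(v in target for v in ("$request_uri", "$uri", "$1")):
        return "drops the path and query string: every deep link lands on /"
    return "ok: path preserved (nginx appends the query string to a rewrite target)"


def audit(active, commented, canonical_host):
    """Findings for the apex block; an empty list means nothing to report."""
    findings = []
    names = ", ".join(n for d, a in active if d == "server_name" for n in a)
    # listen [::]:443 binds IPv6 only (ipv6only=on is the nginx default).
    ipv4 = [a for d, a in active if d == "listen" and not a[0].startswith("[")]
    if not ipv4:
        findings.append("listen: only an IPv6 socket is bound; IPv4 requests for %s "
                        "are answered by whatever block is the default for *:443" % names)
    for d, a in active:
        if d == "add_header" and a[0].lower() == "strict-transport-security":
            days = int(re.search(r"max-age=(\d+)", a[1]).group(1)) // 86400
            if "includesubdomains" in a[1].lower():
                findings.append("hsts: includeSubDomains sent by the apex pins every "
                                "subdomain of %s to https for %d days" % (names, days))
            if "always" not in a[2:]:
                findings.append("hsts: no 'always', so error responses omit the header")
    if not any(d in ("return", "rewrite") for d, _ in active):
        findings.append("redirect: none active; the apex serves pages itself, so both "
                        "%s and %s must stay on the certificate" % (names, canonical_host))
    for d, a in commented:
        if d in ("if", "return", "rewrite"):
            findings.append("disabled '%s %s' -> %s" % (d, " ".join(a), redirect_verdict(d, a)))
    return findings


def canonical_redirect(canonical_host):
    """The one-line apex redirect that keeps path and query, with no 'if'."""
    return "return 301 https://%s$request_uri;" % canonical_host


if __name__ == "__main__":
    act, com = parse_stanza(STANZA)
    for line in audit(act, com, "www.paulbeard.org"):
        print(line)
    print("suggested:", canonical_redirect("www.paulbeard.org"))
```

Run as a script it prints the findings for the posted block. Two caveats the linter cannot see: add_header directives are inherited from the server level only when the enclosing location has no add_header of its own, so any location that adds a header silently drops the HSTS line; and whether the apex should send includeSubDomains at all depends on whether every subdomain (cloud included) is meant to be HTTPS-only for the full max-age, which is the commitment the hsts finding spells out.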




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAMtcK2ogAN_5BnuXtDyvdt=-mcJ4fNw53e05cq0O_hGGSYqp=A>