Date: Mon, 12 Sep 2022 14:22:51 +0000 From: Waitman Gobble <gobble.wa@gmail.com> To: freebsd-questions <freebsd-questions@freebsd.org> Subject: Re: any nginx/letsencrypt experts out there? Message-ID: <CAFuo_fwkgS4emq9cOaWMi6cuHaqXGEnkXVNFfou63c_xT326cg@mail.gmail.com> In-Reply-To: <CAMtcK2ogAN_5BnuXtDyvdt=-mcJ4fNw53e05cq0O_hGGSYqp=A@mail.gmail.com> References: <CAMtcK2reN%2BDGjvdaJJ=3ppz4uK0RU8gJ1f4BY1kvJ%2B5xHqgOsg@mail.gmail.com> <1832f40c8af.10b332ee2406187.6375306777861801560@eye-of-odin.com> <CAMtcK2oo_5vS8AAyd6jPgniggKvYNWbiJwpQZvPb5yeAPENJGA@mail.gmail.com> <1832f85d371.10bae82d3411853.462587170353998748@eye-of-odin.com> <CAFuo_fwRcLRaSb9bDOe3BV_W0dUkbAjL3_P=TpifYQrxjXD5rQ@mail.gmail.com> <1832fe45fb5.df336718422020.6612482456577931531@eye-of-odin.com> <CAMtcK2qW=ih8w6UgkxPL_Fp62=b%2BPzCSFN4u-uR15tnPm5=3oQ@mail.gmail.com> <CAMtcK2ogAN_5BnuXtDyvdt=-mcJ4fNw53e05cq0O_hGGSYqp=A@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, Sep 12, 2022 at 2:01 PM paul beard <paulbeard@gmail.com> wrote: > > > > On Sun, Sep 11, 2022 at 9:27 PM paul beard <paulbeard@gmail.com> wrote: >> >> >> >> On Sun, Sep 11, 2022 at 9:11 PM Ty John <ty-ml@eye-of-odin.com> wrote: >>> >>> >>> >>> >>> >>> >>> ---- On Mon, 12 Sep 2022 13:21:30 +0930 Waitman Gobble wrote --- >>> >>> > On Mon, Sep 12, 2022 at 2:42 AM Ty John ty-ml@eye-of-odin.com> wrote= : >>> > > >>> > > That order should be fine. The more specific locations should be l= isted first which is what you have. The redirect will trigger a new request= which will match the first stanza. >>> > > >>> > > Anyway, it looks fine to me as long as the certs themselves are ri= ght. >>> > > I just checked the certs on https://paulbeard.org, https://www.pau= lbeard.org and https://cloud.paulbeard.org and they all seem fine to me. >>> > > I suspect it might be a browser issue as you mentioned. What happe= ns in safari? >>> >> > > Hmm. So Safari is still having issues. It is able to load the root as www= .paulbeard.org but not without it. And the link to wordpress explicitly use= s www but it gets rewritten without and then fails for lack of a secure con= nection. I'll need to track down how that rewriting is happening. Who knew = Safari was so rigorous? > > This is the unadorned/non-www stanza: do I even need that in the year 202= 2? > > 71 server { > > 72 #listen 443 ssl http2; > > 73 listen [::]:443 ssl http2; > > 74 server_name paulbeard.org; > > 75 # if ($request ~* https://paulbeard.org) { > > 76 # return 301 https://www.paulbeard.org; > > 77 # } > > 78 ssl_certificate /usr/local/etc/letsencrypt/live/paulbeard.org= /fullchain.pem; # managed by Certbot > > 79 ssl_certificate_key /usr/local/etc/letsencrypt/live/paulbeard= .org/privkey.pem; # managed by Certbot > > 80 include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # = managed by Certbot > > 81 ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # ma= naged by Certbot > > 82 > > 83 add_header X-Clacks-Overhead "GNU Terry Pratchett"; > > 84 # add Strict-Transport-Security to prevent man in the middle = attacks > > 85 add_header Strict-Transport-Security "max-age=3D15552000; inc= ludeSubDomains" always; > > 86 #rewrite ^(.*) https://www.paulbeard.org$1 permanent; #+ > > 87 #return 301 https://$host$request_uri; > > 88 > > 89 > > 90 root /usr/local/www/; > > 91 disable_symlinks off; > > 92 > > 93 } > > > Maybe your certs are kinda jumbled up? It seems requests to cloud.paulbeard.org returns cert for CN=3Dpaulbeard.org, while requests to paulbeard.org, www.paulbeard.org return cert for cloud.paulbeard.org =CE=BB #~> openssl s_client -showcerts -connect cloud.paulbeard.org:443 CONNECTED(00000004) depth=3D2 C =3D US, O =3D Internet Security Research Group, CN =3D ISRG Roo= t X1 verify return:1 depth=3D1 C =3D US, O =3D Let's Encrypt, CN =3D R3 verify return:1 depth=3D0 CN =3D paulbeard.org verify return:1 --- Certificate chain 0 s:CN =3D paulbeard.org i:C =3D US, O =3D Let's Encrypt, CN =3D R3 =CE=BB #~> openssl s_client -showcerts -connect paulbeard.org:443 CONNECTED(00000004) depth=3D2 C =3D US, O =3D Internet Security Research Group, CN =3D ISRG Roo= t X1 verify return:1 depth=3D1 C =3D US, O =3D Let's Encrypt, CN =3D R3 verify return:1 depth=3D0 CN =3D cloud.paulbeard.org verify return:1 --- Certificate chain 0 s:CN =3D cloud.paulbeard.org i:C =3D US, O =3D Let's Encrypt, CN =3D R3 =CE=BB #~> openssl s_client -showcerts -connect www.paulbeard.org:443 CONNECTED(00000004) depth=3D2 C =3D US, O =3D Internet Security Research Group, CN =3D ISRG Roo= t X1 verify return:1 depth=3D1 C =3D US, O =3D Let's Encrypt, CN =3D R3 verify return:1 depth=3D0 CN =3D cloud.paulbeard.org verify return:1 --- Certificate chain 0 s:CN =3D cloud.paulbeard.org i:C =3D US, O =3D Let's Encrypt, CN =3D R3 --
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAFuo_fwkgS4emq9cOaWMi6cuHaqXGEnkXVNFfou63c_xT326cg>