Date:      Mon, 12 Sep 2022 11:45:04 -0700
From:      paul beard <paulbeard@gmail.com>
To:        Waitman Gobble <gobble.wa@gmail.com>
Cc:        freebsd-questions <freebsd-questions@freebsd.org>
Subject:   Re: any nginx/letsencrypt experts out there?
Message-ID:  <CAMtcK2qFcNaqJy1sQhqpzDTQN=bfZ3SCyqNa%2BbE0xwwZM5xL5g@mail.gmail.com>
In-Reply-To: <CAFuo_fwkgS4emq9cOaWMi6cuHaqXGEnkXVNFfou63c_xT326cg@mail.gmail.com>
References:  <CAMtcK2reN%2BDGjvdaJJ=3ppz4uK0RU8gJ1f4BY1kvJ%2B5xHqgOsg@mail.gmail.com> <1832f40c8af.10b332ee2406187.6375306777861801560@eye-of-odin.com> <CAMtcK2oo_5vS8AAyd6jPgniggKvYNWbiJwpQZvPb5yeAPENJGA@mail.gmail.com> <1832f85d371.10bae82d3411853.462587170353998748@eye-of-odin.com> <CAFuo_fwRcLRaSb9bDOe3BV_W0dUkbAjL3_P=TpifYQrxjXD5rQ@mail.gmail.com> <1832fe45fb5.df336718422020.6612482456577931531@eye-of-odin.com> <CAMtcK2qW=ih8w6UgkxPL_Fp62=b%2BPzCSFN4u-uR15tnPm5=3oQ@mail.gmail.com> <CAMtcK2ogAN_5BnuXtDyvdt=-mcJ4fNw53e05cq0O_hGGSYqp=A@mail.gmail.com> <CAFuo_fwkgS4emq9cOaWMi6cuHaqXGEnkXVNFfou63c_xT326cg@mail.gmail.com>


On Mon, Sep 12, 2022 at 7:23 AM Waitman Gobble <gobble.wa@gmail.com> wrote:

> On Mon, Sep 12, 2022 at 2:01 PM paul beard <paulbeard@gmail.com> wrote:
> >
> > On Sun, Sep 11, 2022 at 9:27 PM paul beard <paulbeard@gmail.com> wrote:
> >>
> >> On Sun, Sep 11, 2022 at 9:11 PM Ty John <ty-ml@eye-of-odin.com> wrote:
> >>>
> >>> ---- On Mon, 12 Sep 2022 13:21:30 +0930 Waitman Gobble  wrote ---
> >>>
> >>>  > On Mon, Sep 12, 2022 at 2:42 AM Ty John <ty-ml@eye-of-odin.com> wrote:
> >>>  > >
> >>>  > > That order should be fine. The more specific locations should be listed first which is what you have. The redirect will trigger a new request which will match the first stanza.
> >>>  > >
> >>>  > > Anyway, it looks fine to me as long as the certs themselves are right.
> >>>  > > I just checked the certs on https://paulbeard.org, https://www.paulbeard.org and https://cloud.paulbeard.org and they all seem fine to me.
> >>>  > > I suspect it might be a browser issue as you mentioned. What happens in safari?
> >>>
> >>
> >
> > Hmm. So Safari is still having issues. It is able to load the root as www.paulbeard.org but not without it. And the link to wordpress explicitly uses www but it gets rewritten without and then fails for lack of a secure connection. I'll need to track down how that rewriting is happening. Who knew Safari was so rigorous?
> >
> > This is the unadorned/non-www stanza: do I even need that in the year 2022?
> >
> >     server {
> >     #listen 443 ssl http2;
> >     listen [::]:443 ssl http2;
> >     server_name  paulbeard.org;
> > #    if ($request ~* https://paulbeard.org) {
> > #    return 301 https://www.paulbeard.org;
> > #    }
> >     ssl_certificate /usr/local/etc/letsencrypt/live/paulbeard.org/fullchain.pem; # managed by Certbot
> >     ssl_certificate_key /usr/local/etc/letsencrypt/live/paulbeard.org/privkey.pem; # managed by Certbot
> >     include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
> >     ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
> >
> >     add_header X-Clacks-Overhead "GNU Terry Pratchett";
> >     # add Strict-Transport-Security to prevent man in the middle attacks
> >     add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
> >     #rewrite ^(.*) https://www.paulbeard.org$1 permanent; #+
> >     #return      301 https://$host$request_uri;
> >
> >     root           /usr/local/www/;
> >     disable_symlinks off;
> >
> > }
> >
>
> Maybe your certs are kinda jumbled up?
>
>
This is pretty accurate. I realized I wasn't pulling a certificate for the
base domain/host name, since I had commented it out in the config. Seems
like things have gotten jumbled indeed. I don't touch any of the config
that certbot adds so I am wary of how I can unmuddle it. I have since
restored that but now I see what I think is the real problem.

This is the full list of certs I have…I seem to have gotten host and domain
mixed up here, as these are hosts, not domains, and ideally should have
just one certificate for all of them. Some cleanup seems to be required.

Found the following certs:
  Certificate Name: cloud.paulbeard.org
    Serial Number: 4bdb35a6e5308f47e7934453b6d1552a330
    Key Type: RSA
    Domains: paulbeard.org cloud.paulbeard.org www.paulbeard.org
    Expiry Date: 2022-12-04 16:14:05+00:00 (VALID: 82 days)
    Certificate Path: /usr/local/etc/letsencrypt/live/cloud.paulbeard.org/fullchain.pem
    Private Key Path: /usr/local/etc/letsencrypt/live/cloud.paulbeard.org/privkey.pem
  Certificate Name: paulbeard.org
    Serial Number: 44c82383b1da739543404608a77c9174d79
    Key Type: RSA
    Domains: paulbeard.org
    Expiry Date: 2022-11-11 10:45:26+00:00 (VALID: 59 days)
    Certificate Path: /usr/local/etc/letsencrypt/live/paulbeard.org/fullchain.pem
    Private Key Path: /usr/local/etc/letsencrypt/live/paulbeard.org/privkey.pem
  Certificate Name: www.paulbeard.org-0001
    Serial Number: 4a865592d7d31d1465df0e7245eb88d9d13
    Key Type: RSA
    Domains: www.paulbeard.org
    Expiry Date: 2022-12-10 23:29:48+00:00 (VALID: 89 days)
    Certificate Path: /usr/local/etc/letsencrypt/live/www.paulbeard.org-0001/fullchain.pem
    Private Key Path: /usr/local/etc/letsencrypt/live/www.paulbeard.org-0001/privkey.pem
  Certificate Name: www.paulbeard.org
    Serial Number: 4a730b954fead25d08fb8281c374c11014e
    Key Type: RSA
    Domains: cloud.paulbeard.org www.paulbeard.org
    Expiry Date: 2022-12-10 21:33:36+00:00 (VALID: 89 days)
    Certificate Path: /usr/local/etc/letsencrypt/live/www.paulbeard.org/fullchain.pem
    Private Key Path: /usr/local/etc/letsencrypt/live/www.paulbeard.org/privkey.pem





> It seems requests to cloud.paulbeard.org return cert for
> CN=paulbeard.org, while requests to paulbeard.org, www.paulbeard.org
> return cert for cloud.paulbeard.org
>
> λ #~> openssl s_client -showcerts -connect cloud.paulbeard.org:443
> CONNECTED(00000004)
> depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = R3
> verify return:1
> depth=0 CN = paulbeard.org
> verify return:1
> ---
> Certificate chain
>  0 s:CN = paulbeard.org
>    i:C = US, O = Let's Encrypt, CN = R3
>
>
> λ #~> openssl s_client -showcerts -connect paulbeard.org:443
> CONNECTED(00000004)
> depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = R3
> verify return:1
> depth=0 CN = cloud.paulbeard.org
> verify return:1
> ---
> Certificate chain
>  0 s:CN = cloud.paulbeard.org
>    i:C = US, O = Let's Encrypt, CN = R3
>
> λ #~> openssl s_client -showcerts -connect www.paulbeard.org:443
> CONNECTED(00000004)
> depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = R3
> verify return:1
> depth=0 CN = cloud.paulbeard.org
> verify return:1
> ---
> Certificate chain
>  0 s:CN = cloud.paulbeard.org
>    i:C = US, O = Let's Encrypt, CN = R3
>
>
>
> --
>
>

-- 
Paul Beard / www.paulbeard.org/
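
An added example, not part of the original message and not certbot's or nginx's own code: it parses a `certbot certificates` listing like the one above and reports which lineage covers every host, which lineages are redundant, and whether the lineage behind an nginx `ssl_certificate` path covers a stanza's `server_name`. The function names are hypothetical, and the sample text is constructed from the lineage names, domains and certificate paths in the listing.

```python
import re

# Constructed sample: lineage names, domains and certificate paths copied from
# the `certbot certificates` listing in the message (other fields omitted).
CERTBOT_OUTPUT = """\
Found the following certs:
  Certificate Name: cloud.paulbeard.org
    Domains: paulbeard.org cloud.paulbeard.org www.paulbeard.org
    Certificate Path: /usr/local/etc/letsencrypt/live/cloud.paulbeard.org/fullchain.pem
  Certificate Name: paulbeard.org
    Domains: paulbeard.org
    Certificate Path: /usr/local/etc/letsencrypt/live/paulbeard.org/fullchain.pem
  Certificate Name: www.paulbeard.org-0001
    Domains: www.paulbeard.org
    Certificate Path: /usr/local/etc/letsencrypt/live/www.paulbeard.org-0001/fullchain.pem
  Certificate Name: www.paulbeard.org
    Domains: cloud.paulbeard.org www.paulbeard.org
    Certificate Path: /usr/local/etc/letsencrypt/live/www.paulbeard.org/fullchain.pem
"""

FIELD = re.compile(r"^\s*(Certificate Name|Domains|Certificate Path):\s*(.*)$")


def parse_lineages(text):
    """Return {lineage name: {"domains": set of names, "path": fullchain path}}."""
    lineages, current = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "Certificate Name":
            current = lineages.setdefault(value, {"domains": set(), "path": ""})
        elif current is not None and key == "Domains":
            current["domains"] = {d.lower() for d in value.split()}
        elif current is not None:
            current["path"] = value
    return lineages


def name_matches(pattern, host):
    """Certificate name matching: exact, or '*.' covering exactly one label."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if pattern.startswith("*."):
        label, _, rest = host.partition(".")
        return bool(label) and rest == pattern[2:]
    return pattern == host


def covers(lineage, host):
    """True if any name in the lineage's certificate matches the host."""
    return any(name_matches(d, host) for d in lineage["domains"])


def lineages_covering_all(lineages, hosts):
    """Names of lineages whose certificate is valid for every host in `hosts`."""
    return sorted(n for n, lin in lineages.items()
                  if all(covers(lin, h) for h in hosts))


def redundant_lineages(lineages, keep):
    """Lineages whose every name is already covered by the lineage `keep`."""
    return sorted(n for n, lin in lineages.items()
                  if n != keep
                  and all(covers(lineages[keep], d) for d in lin["domains"]))


def uncovered_server_names(server_names, cert_path, lineages):
    """server_name values not covered by the lineage behind ssl_certificate."""
    for lin in lineages.values():
        if lin["path"] == cert_path:
            return [h for h in server_names if not covers(lin, h)]
    return list(server_names)  # unknown path: nothing vouches for these names


if __name__ == "__main__":
    found = parse_lineages(CERTBOT_OUTPUT)
    hosts = ["paulbeard.org", "www.paulbeard.org", "cloud.paulbeard.org"]
    for keep in lineages_covering_all(found, hosts):
        print("covers all hosts:", keep)
        print("redundant next to it:", redundant_lineages(found, keep))
```

Matching is done on the certificate's full name list, not on the subject CN that `openssl s_client` prints in its chain summary, because a multi-name certificate is valid for every name it lists.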
