From: paul beard <paulbeard@gmail.com>
Date: Mon, 12 Sep 2022 16:46:18 -0700
Subject: Re: any nginx/letsencrypt experts out there?
To: Waitman Gobble
Cc: freebsd-questions
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

On Mon, Sep 12, 2022 at 11:45 AM paul beard wrote:
>
> On Mon, Sep 12, 2022 at 7:23 AM Waitman Gobble wrote:
>
>> On Mon, Sep 12, 2022 at 2:01 PM paul beard wrote:
>> >
>> > On Sun, Sep 11, 2022 at 9:27 PM paul beard wrote:
>> >>
>> >> On Sun, Sep 11, 2022 at 9:11 PM Ty John wrote:
>> >>>
>> >>> ---- On Mon, 12 Sep 2022 13:21:30 +0930 Waitman Gobble wrote ---
>> >>>
>> >>> > On Mon, Sep 12, 2022 at 2:42 AM Ty John <ty-ml@eye-of-odin.com> wrote:
>> >>> > >
>> >>> > > That order should be fine. The more specific locations should be listed first which is what you have. The redirect will trigger a new request which will match the first stanza.
>> >>> > >
>> >>> > > Anyway, it looks fine to me as long as the certs themselves are right.
>> >>> > > I just checked the certs on https://paulbeard.org, https://www.paulbeard.org and https://cloud.paulbeard.org and they all seem fine to me.
>> >>> > > I suspect it might be a browser issue as you mentioned. What happens in safari?
>> >>>
>> >
>> > Hmm. So Safari is still having issues. It is able to load the root as www.paulbeard.org but not without it. And the link to wordpress explicitly uses www but it gets rewritten without and then fails for lack of a secure connection. I'll need to track down how that rewriting is happening. Who knew Safari was so rigorous?
>> >
>> > This is the unadorned/non-www stanza: do I even need that in the year 2022?
>> >
>> >      71      server {
>> >      72      #listen 443 ssl http2;
>> >      73      listen [::]:443 ssl http2;
>> >      74      server_name  paulbeard.org;
>> >      75 #    if ($request ~* https://paulbeard.org) {
>> >      76 #    return 301 https://www.paulbeard.org;
>> >      77 #    }
>> >      78      ssl_certificate /usr/local/etc/letsencrypt/live/paulbeard.org/fullchain.pem; # managed by Certbot
>> >      79      ssl_certificate_key /usr/local/etc/letsencrypt/live/paulbeard.org/privkey.pem; # managed by Certbot
>> >      80      include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
>> >      81      ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
>> >      82
>> >      83      add_header X-Clacks-Overhead "GNU Terry Pratchett";
>> >      84      # add Strict-Transport-Security to prevent man in the middle attacks
>> >      85      add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
>> >      86      #rewrite ^(.*) https://www.paulbeard.org$1 permanent; #+
>> >      87      #return       301 https://$host$request_uri;
>> >      88
>> >      89
>> >      90      root           /usr/local/www/;
>> >      91      disable_symlinks off;
>> >      92
>> >      93 }
>> >
>>
>> Maybe your certs are kinda jumbled up?
>>
>
> This is pretty accurate. I realized I wasn't pulling a certificate for the base domain/host name, since I had commented it out in the config. Seems like things have gotten jumbled indeed. I don't touch any of the config that certbot adds so I am wary of how I can unmuddle it. I have since restored that but now I see what I think is the real problem.
>
> This is the full list of certs I have… I seem to have gotten host and domain mixed up here, as these are hosts, not domains, and ideally should have just one certificate for all of them. Some cleanup seems to be required.
>
> > Found the following certs:
> >   Certificate Name: cloud.paulbeard.org
> >     Serial Number: 4bdb35a6e5308f47e7934453b6d1552a330
> >     Key Type: RSA
> >     Domains: paulbeard.org cloud.paulbeard.org www.paulbeard.org
> >     Expiry Date: 2022-12-04 16:14:05+00:00 (VALID: 82 days)
> >     Certificate Path: /usr/local/etc/letsencrypt/live/cloud.paulbeard.org/fullchain.pem
> >     Private Key Path: /usr/local/etc/letsencrypt/live/cloud.paulbeard.org/privkey.pem
> >   Certificate Name: paulbeard.org
> >     Serial Number: 44c82383b1da739543404608a77c9174d79
> >     Key Type: RSA
> >     Domains: paulbeard.org
> >     Expiry Date: 2022-11-11 10:45:26+00:00 (VALID: 59 days)
> >     Certificate Path: /usr/local/etc/letsencrypt/live/paulbeard.org/fullchain.pem
> >     Private Key Path: /usr/local/etc/letsencrypt/live/paulbeard.org/privkey.pem
> >   Certificate Name: www.paulbeard.org-0001
> >     Serial Number: 4a865592d7d31d1465df0e7245eb88d9d13
> >     Key Type: RSA
> >     Domains: www.paulbeard.org
> >     Expiry Date: 2022-12-10 23:29:48+00:00 (VALID: 89 days)
> >     Certificate Path: /usr/local/etc/letsencrypt/live/www.paulbeard.org-0001/fullchain.pem
> >     Private Key Path: /usr/local/etc/letsencrypt/live/www.paulbeard.org-0001/privkey.pem
> >   Certificate Name: www.paulbeard.org
> >     Serial Number: 4a730b954fead25d08fb8281c374c11014e
> >     Key Type: RSA
> >     Domains: cloud.paulbeard.org www.paulbeard.org
> >     Expiry Date: 2022-12-10 21:33:36+00:00 (VALID: 89 days)
> >     Certificate Path: /usr/local/etc/letsencrypt/live/www.paulbeard.org/fullchain.pem
> >     Private Key Path: /usr/local/etc/letsencrypt/live/www.paulbeard.org/privkey.pem
>

Some things about this are not making sense… sometimes the wordpress pages will load but not always. Sometimes different servers answer to the generic "paulbeard.org" URI (the cloud instance, for some reason, would be served). Something to do with listen [::]:443 ssl http2; being set which makes no sense at all. I have removed it everywhere for now. IP6 traffic is far down my list of things to be bothered with.

My main issue seems to be URI rewriting that I can't seem to find in the config. I get an error about 20 redirects and I don't see where that is happening. The rewrites are being logged…

2022/09/12 16:41:57 [notice] 5920#100651: *1742 rewritten redirect: "https://www.paulbeard.org/wordpress/", client: 192.168.0.5, server: paulbeard.org, request: "GET /wordpress/ HTTP/2.0", host: "paulbeard.org", referrer: "https://www.paulbeard.org/"
2022/09/12 16:41:57 [notice] 5920#100651: *1742 rewritten redirect: "https://www.paulbeard.org/wordpress/", client: 192.168.0.5, server: paulbeard.org, request: "GET /wordpress/ HTTP/2.0", host: "paulbeard.org", referrer: "https://www.paulbeard.org/"
2022/09/12 16:41:57 [notice] 5920#100651: *1742 rewritten redirect: "https://www.paulbeard.org/wordpress/", client: 192.168.0.5, server: paulbeard.org, request: "GET /wordpress/ HTTP/2.0", host: "paulbeard.org", referrer: "https://www.paulbeard.org/"
2022/09/12 16:41:58 [notice] 5920#100651: *1742 rewritten redirect: "https://www.paulbeard.org/wordpress/", client: 192.168.0.5, server: paulbeard.org, request: "GET /wordpress/ HTTP/2.0", host: "paulbeard.org", referrer: "https://www.paulbeard.org/"
2022/09/12 16:41:58 [notice] 5920#100651: *1742 rewritten redirect: "https://www.paulbeard.org/wordpress/", client: 192.168.0.5, server: paulbeard.org, request: "GET /wordpress/ HTTP/2.0", host: "paulbeard.org", referrer: "https://www.paulbeard.org/"
2022/09/12 16:41:58 [notice] 5920#100651: *1742 rewritten redirect: "https://www.paulbeard.org/wordpress/", client: 192.168.0.5, server: paulbeard.org, request: "GET /wordpress/ HTTP/2.0", host: "paulbeard.org", referrer: "https://www.paulbeard.org/"
2022/09/12 16:41:58 [notice] 5920#100651: *1742 rewritten redirect: "https://www.paulbeard.org/wordpress/", client: 192.168.0.5, server: paulbeard.org, request: "GET /wordpress/ HTTP/2.0", host: "paulbeard.org", referrer: "https://www.paulbeard.org/"

This is the paulbeard.org stanza:

     74      server {
     75      listen 443 ssl http2;
     76      server_name  paulbeard.org;
     77      root           /usr/local/www/;
     78      ssl_certificate /usr/local/etc/letsencrypt/live/paulbeard.org/fullchain.pem; # managed by Certbot
     79      ssl_certificate_key /usr/local/etc/letsencrypt/live/paulbeard.org/privkey.pem; # managed by Certbot
     80      include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
     81      ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
     82
     83      add_header X-Clacks-Overhead "GNU Terry Pratchett";
     84      # add Strict-Transport-Security to prevent man in the middle attacks
     85      add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
     86      rewrite ^(.*) https://www.paulbeard.org$1 permanent;
     87      #return       301 https://$host$request_uri;
     88
     89
     90      disable_symlinks off;
     91
     92 }

The only active thing that looks like a rewrite is on line 86 and if I comment that out, the php pages are downloaded, rather than parsed and displayed. That's not what I want.

I have no idea how this got so messed up. I am working from a config that worked 3-4 days ago. I tried ripping out that stanza but something somewhere depends on it.

-- 
Paul Beard / www.paulbeard.org/
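As an added example (not from the mail, and not part of nginx or certbot), a small Python tool that parses "rewritten redirect" notice lines like the seven quoted above, groups them by nginx connection id, and reports a request that keeps being redirected to the same target together with the two hosts involved. The sample lines are rebuilt from the excerpt in the mail; the threshold, function names and the diagnostic hint in the comments are this example's own assumptions.

```python
"""Spot redirect ping-pong in nginx "rewritten redirect" notice lines."""
import re
import sys
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Shape of the notice nginx's rewrite module logs for a redirecting rewrite
# (written at notice level when rewrite_log is on).
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] (?P<pid>\d+)#(?P<tid>\d+): '
    r'\*(?P<conn>\d+) rewritten redirect: "(?P<target>[^"]*)", '
    r'client: (?P<client>[^,]+), server: (?P<server>[^,]+), '
    r'request: "(?P<request>[^"]*)", host: "(?P<host>[^"]*)"'
    r'(?:, referrer: "(?P<referrer>[^"]*)")?'
)

# Constructed sample: the seven notices quoted in the mail (3 at :57, 4 at :58).
SAMPLE_LOG = [
    f'2022/09/12 16:41:{s} [notice] 5920#100651: *1742 rewritten redirect: '
    '"https://www.paulbeard.org/wordpress/", client: 192.168.0.5, '
    'server: paulbeard.org, request: "GET /wordpress/ HTTP/2.0", '
    'host: "paulbeard.org", referrer: "https://www.paulbeard.org/"'
    for s in (57, 57, 57, 58, 58, 58, 58)
]


def parse_line(line):
    """Return a dict for a rewritten-redirect notice, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    parts = ev["request"].split() or ["?", "/"]      # "GET /wordpress/ HTTP/2.0"
    ev["method"], ev["path"] = parts[0], (parts[1] if len(parts) > 1 else "/")
    ev["target_host"] = urlsplit(ev["target"]).netloc
    ev["referrer_host"] = urlsplit(ev["referrer"] or "").netloc
    return ev


def find_redirect_loops(lines, threshold=3):
    """Group notices per connection and flag a (host, path) that is redirected to
    the same target at least `threshold` times. Every hop logged here is *this*
    server's own rewrite, so when the target host differs from the request host,
    the hop that sends the client back is produced elsewhere (the other server
    block, or the application behind it) and will not show up in this log."""
    by_conn = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        by_conn[ev["conn"]].append(ev)
    loops = []
    for conn, evs in by_conn.items():
        counts = Counter((e["host"], e["path"], e["target_host"]) for e in evs)
        for (host, path, target_host), n in counts.items():
            if n < threshold:
                continue
            loops.append({
                "conn": conn,
                "client": evs[0]["client"],
                "request": f"{host}{path}",
                "target_host": target_host,
                "repeats": n,
                "cross_host": target_host != host,   # bouncing between two hosts
                "referrer_hosts": sorted({e["referrer_host"] for e in evs
                                          if e["referrer_host"]}),
            })
    return loops


def describe(loop):
    """One-line human summary with the place to look next (assumed heuristic)."""
    if loop["cross_host"]:
        hint = f"look for the reverse redirect on {loop['target_host']} (its server block or the app)"
    else:
        hint = "the loop stays on one host; check this server block's rewrite rules"
    return (f"conn *{loop['conn']} from {loop['client']}: {loop['request']} redirected to "
            f"{loop['target_host']} {loop['repeats']}x; {hint}")


if __name__ == "__main__":
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG
    for loop in find_redirect_loops(lines):
        print(describe(loop))
```

Run it against an nginx error log path to check real traffic; with no argument it analyses the sample lines from the mail.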