Date:      Mon, 12 Sep 2022 11:57:23 +0930
From:      Ty John <ty-ml@eye-of-odin.com>
To:        "paul beard" <paulbeard@gmail.com>
Cc:        "freebsd-questions" <freebsd-questions@freebsd.org>
Subject:   Re: any nginx/letsencrypt experts out there?
Message-ID:  <1832f85d371.10bae82d3411853.462587170353998748@eye-of-odin.com>
In-Reply-To: <CAMtcK2oo_5vS8AAyd6jPgniggKvYNWbiJwpQZvPb5yeAPENJGA@mail.gmail.com>
References:  <CAMtcK2reN+DGjvdaJJ=3ppz4uK0RU8gJ1f4BY1kvJ+5xHqgOsg@mail.gmail.com> <1832f40c8af.10b332ee2406187.6375306777861801560@eye-of-odin.com> <CAMtcK2oo_5vS8AAyd6jPgniggKvYNWbiJwpQZvPb5yeAPENJGA@mail.gmail.com>


That order should be fine. The more specific locations should be listed first, which is what you have. The redirect will trigger a new request which will match the first stanza.

Anyway, it looks fine to me as long as the certs themselves are right.

I just checked the certs on https://paulbeard.org, https://www.paulbeard.org and https://cloud.paulbeard.org and they all seem fine to me.

I suspect it might be a browser issue as you mentioned. What happens in Safari?
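The check described above (looking at which names the certificate for each host actually covers) can be scripted. The following is an added example and is not code from this thread or from either poster. It builds a throw-away self-signed certificate with several DNS SANs (a constructed stand-in for a Let's Encrypt certificate; the example.org names are assumed) and tests host names against those SANs, including the wildcard rule that matters for the "*.domain" question raised earlier in the thread: a wildcard covers exactly one label, so *.example.org would cover www.example.org but not the bare example.org. Assumes a POSIX shell and OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example: does a certificate cover a given host name?
# Assumes POSIX sh and openssl 1.1.1+ (for -addext). All names are constructed.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for a real cert: one certificate, several DNS SANs,
# i.e. the "one cert, many -d options" layout recommended in the thread.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
    -subj "/CN=www.example.org" \
    -addext "subjectAltName=DNS:www.example.org,DNS:cloud.example.org,DNS:*.apps.example.org" \
    >/dev/null 2>&1
CERT="$WORK/cert.pem"

# Print the DNS names listed in the certificate's subjectAltName, one per line.
cert_sans() {
    openssl x509 -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; print; exit }' |
        tr ',' '\n' |
        sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# Exit 0 if the certificate at $1 covers host name $2 (case-insensitive).
# A wildcard SAN matches exactly one label (RFC 6125): *.apps.example.org covers
# a.apps.example.org but neither apps.example.org nor a.b.apps.example.org.
cert_covers_host() {
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    cert_sans "$1" | tr 'A-Z' 'a-z' | while IFS= read -r san; do
        case $san in
            \*.*)
                suffix=${san#\*.}
                # strip ".suffix" from the end; what remains must be one label
                rest=${host%".$suffix"}
                if [ "$rest" != "$host" ] && [ -n "$rest" ] && [ "${rest#*.}" = "$rest" ]; then
                    echo match
                fi
                ;;
            *)
                [ "$san" = "$host" ] && echo match
                ;;
        esac
    done | grep -q match
}

# Report for the names one would test after a renewal (constructed list).
for h in www.example.org cloud.example.org example.org a.apps.example.org apps.example.org; do
    if cert_covers_host "$CERT" "$h"; then
        echo "covered:     $h"
    else
        echo "NOT covered: $h"
    fi
done
```

To test a live host rather than the constructed certificate, save what the server actually presents and pass that file instead: openssl s_client -connect www.example.org:443 -servername www.example.org </dev/null 2>/dev/null | openssl x509 > served.pem. The -servername flag matters here because, as in the quoted configuration, each server block can present a different certificate and the one you get depends on the SNI name sent.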








---- On Mon, 12 Sep 2022 10:53:29 +0930 paul beard <paulbeard@gmail.com> wrote ---

I am using certbot renew for renewals.

This is part of the stanza for the www. listener. Not sure why it's first… logically I think the bare non-www should be first, and redirect to this, but I never said I knew what I was doing. At the moment, all is well at the root level but I seem to have buggered something up with how /wordpress is handled.



server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    ssl_certificate /usr/local/etc/letsencrypt/live/www.paulbeard.org/fullchain.pem; # managed by Certbot
    ssl_certificate_key /usr/local/etc/letsencrypt/live/www.paulbeard.org/privkey.pem; # managed by Certbot
    include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    add_header X-Clacks-Overhead "GNU Terry Pratchett";

    # add Strict-Transport-Security to prevent man in the middle attacks
    add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;

    #server_name  www.paulbeard.org paulbeard.org;
    server_name  www.paulbeard.org;
    root           /usr/local/www/;

This is the complete stanza for the non-www stanza:


server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    ssl_certificate /usr/local/etc/letsencrypt/live/paulbeard.org/fullchain.pem; # managed by Certbot
    ssl_certificate_key /usr/local/etc/letsencrypt/live/paulbeard.org/privkey.pem; # managed by Certbot
    include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    add_header X-Clacks-Overhead "GNU Terry Pratchett";
    # add Strict-Transport-Security to prevent man in the middle attacks
    add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
    server_name  paulbeard.org;
    rewrite ^(.*) https://www.paulbeard.org$1 permanent;
    #return      301 https://$host$request_uri;

    if ($request ~* http://paulbeard.org) {
        return 301 https://www.paulbeard.org;
    }

    root           /usr/local/www/;
    disable_symlinks off;
}

and these are the currently non-op wordpress bits.



location /wordpress {
    try_files $uri /wordpress/index.php$is_args$args;
    index index.php;
}

location /wordpress/wp-admin/ {
    allow 192.168.0.0/24;   # LAN only; nginx needs a full IPv4 address before the prefix length
    deny all;
    try_files $uri /wordpress/wp-admin/index.php;
    index index.php;
    error_page 403 = @goaway;
}









-- 
Paul Beard / http://www.paulbeard.org/

On Sun, Sep 11, 2022 at 6:12 PM Ty John <ty-ml@eye-of-odin.com> wrote:

Can you share relevant snippets from your nginx.conf as well as the command you are using to issue/renew certs?

How are you verifying after the renewal? It's OK to change to a wildcard but you won't be able to do an automatic verification such as the http method where letsencrypt checks http://yourdomain.com/.well-known/foobar on port 80. Automation works much better by specifying multiple domains on a single cert with the subsequent domains being SANs.

For example, I use acme.sh. You can use as many -d options as you like and they will be added as SANs to a single certificate.

acme.sh --issue -d www.mydomain.com -d cloud.mydomain.com -w /usr/share/nginx/html


















---- On Mon, 12 Sep 2022 10:27:09 +0930 paul beard <paulbeard@gmail.com> wrote ---

Something seems to have gone wrong with a working nginx/letsencrypt installation. I suspect LE has changed some things while this system was running 11.4 and the update to 12.3 brought those changes to light.

I have a www and cloud server under a single domain and a certificate for each. Not sure that's right but I think that's what LE/certbot came up with from reading nginx.conf (i.e., it was set up and worked that way but might have always been wrong and I am just now catching up with that). The cloud.domain server loads just fine but the www.domain will not. There is additional confusion over www vs bare (non-www) domain. Again, that worked before with some rewriting and whatnot but seems not to work now. Requests for www. are now forced to the non-www listener and all the necessary bits (wordpress, etc) are in the www. server stanza.

Also I can get openssl on the command line to work fine so there is a chance it's some goofy Apple Safari mishegas that needs sorting out.

Is it better to just have a single cert for *.domain? That makes more sense to me, not sure how this other situation came to be.

-- 
Paul Beard / http://www.paulbeard.org/
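Several of the things worth a second look in the configuration quoted earlier in this thread are mechanical and can be caught before nginx -t is even run. The following is an added example, not code from the thread or from either poster: a small awk lint over an nginx server block. Its constructed sample (example.org names, not the thread's) reproduces the whole-site rewrite and the if on $request from the quoted config, plus two common copy-paste mistakes (a URL scheme in server_name and an IPv4 allow address missing an octet); a corrected version with the bare-domain redirect written as return 301 ... $request_uri and the admin allow-list in the www server produces no findings. Assumes POSIX sh and awk.

```shell
#!/bin/sh
# Added example: lint an nginx server block for a few mistakes that nginx -t
# reports tersely or not at all. Assumes POSIX sh and awk.
# Both configurations below are constructed (example.org), not the thread's.

SAMPLE_CONF='
server {
    listen 443 ssl http2;
    server_name  http://example.org;
    rewrite ^(.*) https://www.example.org$1 permanent;
    if ($request ~* http://example.org) {
        return 301 https://www.example.org;
    }
    location /wordpress/wp-admin/ {
        allow 192.168.0./24;
        deny all;
    }
}
'

FIXED_CONF='
server {
    listen 443 ssl http2;
    server_name  example.org;
    return 301 https://www.example.org$request_uri;
}
server {
    listen 443 ssl http2;
    server_name  www.example.org;
    location /wordpress/wp-admin/ {
        allow 192.168.0.0/24;
        deny all;
    }
}
'

# lint_nginx_conf CONFIG_TEXT: prints one finding per line, exits 1 if any.
lint_nginx_conf() {
    printf '%s\n' "$1" | awk '
        function octets_ok(a,  p, m, i) {
            m = split(a, p, ".")
            for (i = 1; i <= m; i++) if (p[i] + 0 > 255) return 0
            return 1
        }
        { line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line) }
        line ~ /^server_name[ \t].*:\/\// {
            print "server_name contains a URL scheme; use bare host names: " line; found++
        }
        line ~ /^(allow|deny)[ \t]+[0-9.]+(\/[0-9]+)?;/ {
            addr = line
            sub(/^(allow|deny)[ \t]+/, "", addr)
            sub(/(\/[0-9]+)?;.*$/, "", addr)
            if (addr !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ || !octets_ok(addr)) {
                print "malformed IPv4 address in access rule: " line; found++
            }
        }
        line ~ /^rewrite[ \t]+\^\(\.\*\)[ \t]+https?:\/\/[^ \t]+\$1[ \t]+permanent;/ {
            print "whole-site rewrite; prefer return 301 https://HOST$request_uri;: " line; found++
        }
        line ~ /^if[ \t]*\(\$request[ \t]/ {
            print "if on $request inside server{} is fragile; select by server_name instead: " line; found++
        }
        END { exit found ? 1 : 0 }
    '
}

# Demo: the constructed sample should produce findings, the fixed one none.
lint_nginx_conf "$SAMPLE_CONF" || echo "sample: findings listed above"
lint_nginx_conf "$FIXED_CONF" && echo "fixed: no findings"
```

The rewrite finding is advisory: as noted in the reply above, the rewrite does redirect correctly, and return 301 with $request_uri is simply the shorter, cheaper form that also keeps the query string without a capture. The malformed-address check is the one that matters operationally, since a config nginx refuses to load leaves the previous config running. Run nginx -t afterwards as usual; this lint complements it, it does not replace it.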
ange to a wildcard but you won't be able to do an automatic verification su=
ch as the http method where letsencrypt checks the &lt;<a href=3D"http://yo=
urdomain.com" target=3D"_blank">yourdomain.com</a>&gt;/.well-known/foobar o=
n port 80. Automation works much better by specifying multiple domains on a=
 single cert with the subsequent domains being SANs.<br></div><div><br></di=
v><div>For example, I use acme.sh. You can use as many -d options as you li=
ke and they will be added as SANs to a single certificate.<br></div><div><b=
r></div><div>acme.sh --issue -d <a href=3D"http://www.mydomain.com" target=
=3D"_blank">www.mydomain.com</a> -d <a href=3D"http://cloud.mydomain.com" t=
arget=3D"_blank">cloud.mydomain.com</a> -w /usr/share/nginx/html<br></div><=
div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><=
div><br></div><div><br></div><div style=3D"border-top-width: 1.0px;border-t=
op-style: solid;border-top-color: rgb(204,204,204);min-height: 0.0px;margin=
-top: 10.0px;margin-bottom: 10.0px;line-height: 0.0px;display: none;"><br><=
/div><div style=3D"clear: both;"><div><br></div><div id=3D"x_-1811234007m_6=
6449028810348743471">---- On Mon, 12 Sep 2022 10:27:09 +0930 <b>paul beard =
&lt;<a href=3D"mailto:paulbeard@gmail.com" target=3D"_blank">paulbeard@gmai=
l.com</a>&gt;</b> wrote ---<br></div><div><br></div><blockquote style=3D"ma=
rgin: 0.0px;"><div><div dir=3D"ltr"><div>Something seems to have gone wrong=
 with a working nginx/letsencrypt installation. I suspect LE has changed so=
me things while this system was running 11.4 and the update to 12.3 brought=
 those changes to light.&nbsp;<br></div><div><br></div><div>I have a www an=
d cloud server&nbsp;under a single domain and a certificate for each. Not s=
ure that's right but I think that's what LE/certbot came up with from readi=
ng nginx.conf (ie, it was setup and worked that way but might have always b=
een wrong and I am just now catching up with that). The cloud.domain server=
 loads just fine but the www.domain will not. There is additional confusion=
&nbsp;over www vs bare (non-www).domain. Again, that worked before&nbsp;w s=
ome rewriting and whatnot but seems not to work now. Requests&nbsp;for www.=
 are now forced to the non-www listener and all the necessary bits (wordpre=
ss, etc) are in the www. server stanza.&nbsp;<br></div><div><br></div><div>=
Also I can get openssl on the command line to work fine so there is a chanc=
e it's some goofy Apple Safari mishegas that needs sorting out.&nbsp;<br></=
div><div><br></div><div>Is it better just have a single cert for *.domain? =
That makes more sense to me, not sure how this other situation came to be.&=
nbsp;<br></div><div><br></div><div><br></div><div><br></div><div><br></div>=
<div><div><br></div><div><br></div><div>-- <br></div><div dir=3D"ltr">Paul =
Beard / <a href=3D"http://www.paulbeard.org/" target=3D"_blank">www.paulbea=
rd.org/</a><br></div></div></div></div></blockquote></div><div><br></div></=
div><div><br></div></div></blockquote></blockquote></div><div><br></div></d=
iv></div><br></body></html>
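A post-renewal check for the question Ty raises above (how are you verifying?) and for Paul's www-vs-bare confusion, as an added example that is not code from the thread: it takes the subjectAltName text that `openssl x509 -in cert.pem -noout -ext subjectAltName` prints and the server_name directives from nginx.conf (both constructed samples here, using Ty's mydomain.com names), and reports hostnames the certificate cannot match. It goes one step beyond the thread by applying the wildcard rule, under which *.mydomain.com covers www.mydomain.com but not the bare mydomain.com.

```python
"""Check that a certificate's SAN list covers every hostname nginx serves."""
import re

# Constructed sample of openssl's subjectAltName output for a two-name SAN cert.
OPENSSL_SAN_OUTPUT = """X509v3 Subject Alternative Name:
    DNS:www.mydomain.com, DNS:cloud.mydomain.com
"""

# Constructed nginx.conf fragment: bare+www server block plus the cloud block.
NGINX_CONF = """
server {
    listen 443 ssl http2;
    server_name mydomain.com www.mydomain.com;   # bare name is NOT on the cert
}
server {
    listen 443 ssl http2;
    server_name cloud.mydomain.com;
}
"""


def parse_sans(openssl_text):
    """Return the DNS names from openssl's subjectAltName output, lowercased."""
    return [m.lower() for m in re.findall(r"DNS:([^,\s]+)", openssl_text)]


def parse_server_names(conf_text):
    """Return every hostname named by a server_name directive (comments stripped)."""
    names = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if parts and parts[0] == "server_name" and line.endswith(";"):
            names.extend(n.rstrip(";").lower() for n in parts[1:])
    # Skip regex names (~...) and the catch-all "_"; they are not certificate names.
    return [n for n in names if n and not n.startswith("~") and n != "_"]


def san_matches(san, host):
    """Exact match, or a leading '*' label that covers exactly one label (RFC 6125)."""
    if san == host:
        return True
    if san.startswith("*."):
        suffix = san[1:]  # ".mydomain.com"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return False


def uncovered_hosts(openssl_text, conf_text):
    """Hostnames from nginx.conf that no SAN on the certificate matches."""
    sans = parse_sans(openssl_text)
    return [h for h in parse_server_names(conf_text)
            if not any(san_matches(s, h) for s in sans)]


if __name__ == "__main__":
    for host in uncovered_hosts(OPENSSL_SAN_OUTPUT, NGINX_CONF):
        print(f"not covered by the certificate: {host}")
```

Run it against the real output of the openssl command and your real nginx.conf after each renewal; an empty result means every listener's name is on the certificate.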