Date:      Tue, 13 Sep 2022 00:29:43 +0000
From:      Waitman Gobble <gobble.wa@gmail.com>
To:        freebsd-questions <freebsd-questions@freebsd.org>
Subject:   Re: any nginx/letsencrypt experts out there?
Message-ID:  <CAFuo_fxb0Tb5FRSbBPLD-XnjMgAUp2nb-k7sUxVD2f7doOmQiw@mail.gmail.com>
In-Reply-To: <CAMtcK2qSoKNMZHQUfUaCQoVEN3-y-KOTX=d_9QZsmDYQ+Rw-tA@mail.gmail.com>
References:  <CAMtcK2reN+DGjvdaJJ=3ppz4uK0RU8gJ1f4BY1kvJ+5xHqgOsg@mail.gmail.com> <1832f40c8af.10b332ee2406187.6375306777861801560@eye-of-odin.com> <CAMtcK2oo_5vS8AAyd6jPgniggKvYNWbiJwpQZvPb5yeAPENJGA@mail.gmail.com> <1832f85d371.10bae82d3411853.462587170353998748@eye-of-odin.com> <CAFuo_fwRcLRaSb9bDOe3BV_W0dUkbAjL3_P=TpifYQrxjXD5rQ@mail.gmail.com> <1832fe45fb5.df336718422020.6612482456577931531@eye-of-odin.com> <CAMtcK2qW=ih8w6UgkxPL_Fp62=b+PzCSFN4u-uR15tnPm5=3oQ@mail.gmail.com> <CAMtcK2ogAN_5BnuXtDyvdt=-mcJ4fNw53e05cq0O_hGGSYqp=A@mail.gmail.com> <CAFuo_fwkgS4emq9cOaWMi6cuHaqXGEnkXVNFfou63c_xT326cg@mail.gmail.com> <CAMtcK2qFcNaqJy1sQhqpzDTQN=bfZ3SCyqNa+bE0xwwZM5xL5g@mail.gmail.com> <CAMtcK2qSoKNMZHQUfUaCQoVEN3-y-KOTX=d_9QZsmDYQ+Rw-tA@mail.gmail.com>

On Mon, Sep 12, 2022 at 11:46 PM paul beard <paulbeard@gmail.com> wrote:
>
>
>
> On Mon, Sep 12, 2022 at 11:45 AM paul beard <paulbeard@gmail.com> wrote:
>>
>>
>>
>> On Mon, Sep 12, 2022 at 7:23 AM Waitman Gobble <gobble.wa@gmail.com> wrote:
>>>
>>> On Mon, Sep 12, 2022 at 2:01 PM paul beard <paulbeard@gmail.com> wrote:
>>> >
>>> >
>>> >
>>> > On Sun, Sep 11, 2022 at 9:27 PM paul beard <paulbeard@gmail.com> wrote:
>>> >>
>>> >>
>>> >>
>>> >> On Sun, Sep 11, 2022 at 9:11 PM Ty John <ty-ml@eye-of-odin.com> wrote:
>>> >>>
>>> >>>
>>> >>>
>>> >>>
>>> >>>
>>> >>>
>>> >>> ---- On Mon, 12 Sep 2022 13:21:30 +0930 Waitman Gobble  wrote ---
>>> >>>
>>> >>>  > On Mon, Sep 12, 2022 at 2:42 AM Ty John <ty-ml@eye-of-odin.com> wrote:
>>> >>>  > >
>>> >>>  > > That order should be fine. The more specific locations should be listed first which is what you have. The redirect will trigger a new request which will match the first stanza.
>>> >>>  > >
>>> >>>  > > Anyway, it looks fine to me as long as the certs themselves are right.
>>> >>>  > > I just checked the certs on https://paulbeard.org, https://www.paulbeard.org and https://cloud.paulbeard.org and they all seem fine to me.
>>> >>>  > > I suspect it might be a browser issue as you mentioned. What happens in Safari?
>>> >>>
>>> >>
>>> >
>>> > Hmm. So Safari is still having issues. It is able to load the root as www.paulbeard.org but not without it. And the link to wordpress explicitly uses www but it gets rewritten without and then fails for lack of a secure connection. I'll need to track down how that rewriting is happening. Who knew Safari was so rigorous?
>>> >
>>> > This is the unadorned/non-www stanza: do I even need that in the year 2022?
>>> >
>>> >      71     server {
>>> >      72     #listen 443 ssl http2;
>>> >      73     listen [::]:443 ssl http2;
>>> >      74     server_name  paulbeard.org;
>>> >      75 #    if ($request ~* https://paulbeard.org) {
>>> >      76 #    return 301 https://www.paulbeard.org;
>>> >      77 #    }
>>> >      78     ssl_certificate /usr/local/etc/letsencrypt/live/paulbeard.org/fullchain.pem; # managed by Certbot
>>> >      79     ssl_certificate_key /usr/local/etc/letsencrypt/live/paulbeard.org/privkey.pem; # managed by Certbot
>>> >      80     include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
>>> >      81     ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
>>> >      82
>>> >      83     add_header X-Clacks-Overhead "GNU Terry Pratchett";
>>> >      84     # add Strict-Transport-Security to prevent man in the middle attacks
>>> >      85     add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
>>> >      86     #rewrite ^(.*) https://www.paulbeard.org$1 permanent; #+
>>> >      87     #return      301 https://$host$request_uri;
>>> >      88
>>> >      89
>>> >      90     root           /usr/local/www/;
>>> >      91     disable_symlinks off;
>>> >      92
>>> >      93 }
>>> >
>>> >
>>> >
>>>
>>>
>>>
>>> Maybe your certs are kinda jumbled up?
>>>
>>
>> This is pretty accurate. I realized I wasn't pulling a certificate for the base domain/host name, since I had commented it out in the config. Seems like things have gotten jumbled indeed. I don't touch any of the config that certbot adds so I am wary of how I can unmuddle it. I have since restored that but now I see what I think is the real problem.
>>
>> This is the full list of certs I have… I seem to have gotten host and domain mixed up here, as these are hosts, not domains, and ideally should have just one certificate for all of them. Some cleanup seems to be required.
>>
>> Found the following certs:
>>   Certificate Name: cloud.paulbeard.org
>>     Serial Number: 4bdb35a6e5308f47e7934453b6d1552a330
>>     Key Type: RSA
>>     Domains: paulbeard.org cloud.paulbeard.org www.paulbeard.org
>>     Expiry Date: 2022-12-04 16:14:05+00:00 (VALID: 82 days)
>>     Certificate Path: /usr/local/etc/letsencrypt/live/cloud.paulbeard.org/fullchain.pem
>>     Private Key Path: /usr/local/etc/letsencrypt/live/cloud.paulbeard.org/privkey.pem
>>   Certificate Name: paulbeard.org
>>     Serial Number: 44c82383b1da739543404608a77c9174d79
>>     Key Type: RSA
>>     Domains: paulbeard.org
>>     Expiry Date: 2022-11-11 10:45:26+00:00 (VALID: 59 days)
>>     Certificate Path: /usr/local/etc/letsencrypt/live/paulbeard.org/fullchain.pem
>>     Private Key Path: /usr/local/etc/letsencrypt/live/paulbeard.org/privkey.pem
>>   Certificate Name: www.paulbeard.org-0001
>>     Serial Number: 4a865592d7d31d1465df0e7245eb88d9d13
>>     Key Type: RSA
>>     Domains: www.paulbeard.org
>>     Expiry Date: 2022-12-10 23:29:48+00:00 (VALID: 89 days)
>>     Certificate Path: /usr/local/etc/letsencrypt/live/www.paulbeard.org-0001/fullchain.pem
>>     Private Key Path: /usr/local/etc/letsencrypt/live/www.paulbeard.org-0001/privkey.pem
>>   Certificate Name: www.paulbeard.org
>>     Serial Number: 4a730b954fead25d08fb8281c374c11014e
>>     Key Type: RSA
>>     Domains: cloud.paulbeard.org www.paulbeard.org
>>     Expiry Date: 2022-12-10 21:33:36+00:00 (VALID: 89 days)
>>     Certificate Path: /usr/local/etc/letsencrypt/live/www.paulbeard.org/fullchain.pem
>>     Private Key Path: /usr/local/etc/letsencrypt/live/www.paulbeard.org/privkey.pem
>
>
> Some things about this are not making sense… sometimes the wordpress pages will load but not always. Sometimes different servers answer to the generic "paulbeard.org" URI (the cloud instance, for some reason, would be served). Something to do with "listen [::]:443 ssl http2;" being set which makes no sense at all. I have removed it everywhere for now. IP6 traffic is far down my list of things to be bothered with.
>
> My main issue seems to be URI rewriting that I can't seem to find in the config. I get an error about 20 redirects and I don't see where that is happening. The rewrites are being logged…
>
> 2022/09/12 16:41:57 [notice] 5920#100651: *1742 rewritten redirect: "https://www.paulbeard.org/wordpress/", client: 192.168.0.5, server: paulbeard.org, request: "GET /wordpress/ HTTP/2.0", host: "paulbeard.org", referrer: "https://www.paulbeard.org/"
>
> 2022/09/12 16:41:57 [notice] 5920#100651: *1742 rewritten redirect: "https://www.paulbeard.org/wordpress/", client: 192.168.0.5, server: paulbeard.org, request: "GET /wordpress/ HTTP/2.0", host: "paulbeard.org", referrer: "https://www.paulbeard.org/"
>
> 2022/09/12 16:41:57 [notice] 5920#100651: *1742 rewritten redirect: "https://www.paulbeard.org/wordpress/", client: 192.168.0.5, server: paulbeard.org, request: "GET /wordpress/ HTTP/2.0", host: "paulbeard.org", referrer: "https://www.paulbeard.org/"
>
> 2022/09/12 16:41:58 [notice] 5920#100651: *1742 rewritten redirect: "https://www.paulbeard.org/wordpress/", client: 192.168.0.5, server: paulbeard.org, request: "GET /wordpress/ HTTP/2.0", host: "paulbeard.org", referrer: "https://www.paulbeard.org/"
>
> 2022/09/12 16:41:58 [notice] 5920#100651: *1742 rewritten redirect: "https://www.paulbeard.org/wordpress/", client: 192.168.0.5, server: paulbeard.org, request: "GET /wordpress/ HTTP/2.0", host: "paulbeard.org", referrer: "https://www.paulbeard.org/"
>
> 2022/09/12 16:41:58 [notice] 5920#100651: *1742 rewritten redirect: "https://www.paulbeard.org/wordpress/", client: 192.168.0.5, server: paulbeard.org, request: "GET /wordpress/ HTTP/2.0", host: "paulbeard.org", referrer: "https://www.paulbeard.org/"
>
> 2022/09/12 16:41:58 [notice] 5920#100651: *1742 rewritten redirect: "https://www.paulbeard.org/wordpress/", client: 192.168.0.5, server: paulbeard.org, request: "GET /wordpress/ HTTP/2.0", host: "paulbeard.org", referrer: "https://www.paulbeard.org/"
>
>
> This is the paulbeard.org stanza:
>
>      74     server {
>      75     listen 443 ssl http2;
>      76     server_name  paulbeard.org;
>      77     root           /usr/local/www/;
>      78     ssl_certificate /usr/local/etc/letsencrypt/live/paulbeard.org/fullchain.pem; # managed by Certbot
>      79     ssl_certificate_key /usr/local/etc/letsencrypt/live/paulbeard.org/privkey.pem; # managed by Certbot
>      80     include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
>      81     ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
>      82
>      83     add_header X-Clacks-Overhead "GNU Terry Pratchett";
>      84     # add Strict-Transport-Security to prevent man in the middle attacks
>      85     add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
>      86     rewrite ^(.*) https://www.paulbeard.org$1 permanent;
>      87     #return      301 https://$host$request_uri;
>      88
>      89
>      90     disable_symlinks off;
>      91
>      92 }
>
>
> The only active thing that looks like a rewrite is on line 86 and if I comment that out, the php pages are downloaded, rather than parsed and displayed. That's not what I want.
>
> I have no idea how this got so messed up. I am working from a config that worked 3-4 days ago. I tried ripping out that stanza but something somewhere depends on it.
> --
> Paul Beard / www.paulbeard.org/


It looks like you just want to redirect traffic to your www?
This is all you need for that. I don't know what that Terry Pratchett
header is but whatever, and I think you don't really need http2 for a
redirect but it probably shouldn't break anything.

You don't presently have an AAAA record for your domain in DNS so IPv6
isn't going to be an issue.

server {
    listen 443 ssl http2;
    server_name  paulbeard.org;
    ssl_certificate /usr/local/etc/letsencrypt/live/paulbeard.org/fullchain.pem; # managed by Certbot
    ssl_certificate_key /usr/local/etc/letsencrypt/live/paulbeard.org/privkey.pem; # managed by Certbot
    include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    add_header X-Clacks-Overhead "GNU Terry Pratchett";
    add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
    return      301 https://www.paulbeard.org$request_uri;
}




-- 
Waitman Gobble
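Paul's observation earlier in the thread, that the cloud instance sometimes answered for paulbeard.org while the apex block carried only "listen [::]:443", follows from how nginx routes connections: a server block receives connections only on the address:port pairs named in its listen directives, and for a socket where no server_name matches, the first block listed for that socket is the default. On FreeBSD an IPv6 listening socket does not accept IPv4 connections by default, so a block listening only on [::]:443 never sees IPv4 clients at all. The Python below is an added example, not code from the thread, nginx or certbot, that models those rules; which listen lines the cloud and www blocks carry, and their order in the config file, are assumptions made for illustration, while the hostnames are the ones quoted in the thread.

```python
"""Model of how nginx chooses a server block for an incoming TLS request.

Added example for the thread above; it is not nginx code. Two rules from
the nginx documentation are modelled: a server block receives connections
only on the address:port pairs named in its listen directives, and when no
server_name matches, the first block listed for that address:port is the
default. Which listen lines the cloud and www blocks carry is an assumption
made for illustration; the hostnames are the ones quoted in the thread.
"""
from dataclasses import dataclass
from typing import List, Optional

IPV4_SOCKET = "0.0.0.0:443"   # what `listen 443 ssl;` binds
IPV6_SOCKET = "[::]:443"      # what `listen [::]:443 ssl;` binds (v6-only on FreeBSD)


@dataclass
class ServerBlock:
    server_name: str
    listens: List[str]     # address:port pairs, in directive order
    role: str              # what the block serves, for the report only


def select_server(blocks: List[ServerBlock], socket: str, sni_host: str) -> Optional[ServerBlock]:
    """Pick the block nginx would hand a connection on `socket` for `sni_host`."""
    candidates = [b for b in blocks if socket in b.listens]
    if not candidates:
        return None                      # nothing bound there: connection refused
    for b in candidates:
        if b.server_name == sni_host:
            return b                     # exact server_name match wins
    return candidates[0]                 # otherwise the first block for that socket


def handler_for(blocks: List[ServerBlock], sni_host: str, over_ipv6: bool = False) -> Optional[str]:
    """Name of the server block that answers, or None if nothing listens."""
    block = select_server(blocks, IPV6_SOCKET if over_ipv6 else IPV4_SOCKET, sni_host)
    return block.server_name if block else None


# Assumed layout (constructed): cloud block first in the file, then the apex, then www.
CLOUD = ServerBlock("cloud.paulbeard.org", [IPV4_SOCKET, IPV6_SOCKET], "Nextcloud")
WWW = ServerBlock("www.paulbeard.org", [IPV4_SOCKET], "WordPress")
# Apex block as posted in the thread: `listen 443` commented out, only `listen [::]:443`.
APEX_V6_ONLY = ServerBlock("paulbeard.org", [IPV6_SOCKET], "redirect to www")
# Apex block with `listen 443 ssl http2;` restored.
APEX_FIXED = ServerBlock("paulbeard.org", [IPV4_SOCKET, IPV6_SOCKET], "redirect to www")

AS_POSTED = [CLOUD, APEX_V6_ONLY, WWW]
FIXED = [CLOUD, APEX_FIXED, WWW]

if __name__ == "__main__":
    for label, conf in (("as posted", AS_POSTED), ("listen 443 restored", FIXED)):
        who = handler_for(conf, "paulbeard.org")
        print(f"{label}: IPv4 request for paulbeard.org handled by {who}")
```

With the apex block bound only to [::]:443, an IPv4 client asking for paulbeard.org lands on the default block for 0.0.0.0:443, which in this assumed layout is the cloud one; restoring "listen 443" makes the exact server_name match win again. Marking the intended fallback block with default_server, rather than relying on file order, makes that choice explicit and easier to audit.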

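The certbot listing Paul posted is itself enough data to see the overlap he describes: three of the four lineages cover name sets that are subsets of the cloud.paulbeard.org one. The Python below is an added example, not code from the thread or from certbot, that parses that listing, reports which lineages cover each hostname, flags lineages whose name set is contained in another's, and checks that the certificate path an nginx server block points at actually names that block's server_name. The sample text is the listing from the thread, and the parser relies only on the label lines that listing shows.

```python
"""Audit the output of `certbot certificates` for overlapping lineages.

Added example for the thread above; it is not certbot's code. The sample
text is the listing posted in the thread, and the parser relies only on
the "Certificate Name:", "Domains:", "Expiry Date:" and "Certificate Path:"
label lines that listing shows.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

CERTBOT_LISTING = """\
Found the following certs:
  Certificate Name: cloud.paulbeard.org
    Serial Number: 4bdb35a6e5308f47e7934453b6d1552a330
    Key Type: RSA
    Domains: paulbeard.org cloud.paulbeard.org www.paulbeard.org
    Expiry Date: 2022-12-04 16:14:05+00:00 (VALID: 82 days)
    Certificate Path: /usr/local/etc/letsencrypt/live/cloud.paulbeard.org/fullchain.pem
    Private Key Path: /usr/local/etc/letsencrypt/live/cloud.paulbeard.org/privkey.pem
  Certificate Name: paulbeard.org
    Serial Number: 44c82383b1da739543404608a77c9174d79
    Key Type: RSA
    Domains: paulbeard.org
    Expiry Date: 2022-11-11 10:45:26+00:00 (VALID: 59 days)
    Certificate Path: /usr/local/etc/letsencrypt/live/paulbeard.org/fullchain.pem
    Private Key Path: /usr/local/etc/letsencrypt/live/paulbeard.org/privkey.pem
  Certificate Name: www.paulbeard.org-0001
    Serial Number: 4a865592d7d31d1465df0e7245eb88d9d13
    Key Type: RSA
    Domains: www.paulbeard.org
    Expiry Date: 2022-12-10 23:29:48+00:00 (VALID: 89 days)
    Certificate Path: /usr/local/etc/letsencrypt/live/www.paulbeard.org-0001/fullchain.pem
    Private Key Path: /usr/local/etc/letsencrypt/live/www.paulbeard.org-0001/privkey.pem
  Certificate Name: www.paulbeard.org
    Serial Number: 4a730b954fead25d08fb8281c374c11014e
    Key Type: RSA
    Domains: cloud.paulbeard.org www.paulbeard.org
    Expiry Date: 2022-12-10 21:33:36+00:00 (VALID: 89 days)
    Certificate Path: /usr/local/etc/letsencrypt/live/www.paulbeard.org/fullchain.pem
    Private Key Path: /usr/local/etc/letsencrypt/live/www.paulbeard.org/privkey.pem
"""


def parse_certbot_listing(text: str) -> Dict[str, dict]:
    """Map lineage name -> {'domains': set, 'path': str, 'expiry': str}."""
    lineages: Dict[str, dict] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        label, _, value = raw.strip().partition(":")   # split on the first colon only
        value = value.strip()
        if label == "Certificate Name":
            current = value
            lineages[current] = {"domains": set(), "path": "", "expiry": ""}
        elif current is None:
            continue                                    # header line before any lineage
        elif label == "Domains":
            lineages[current]["domains"] = set(value.split())
        elif label == "Certificate Path":
            lineages[current]["path"] = value
        elif label == "Expiry Date":
            lineages[current]["expiry"] = value
    return lineages


def lineages_covering(lineages: Dict[str, dict]) -> Dict[str, List[str]]:
    """Hostname -> sorted names of the lineages whose certificate includes it."""
    cover: Dict[str, List[str]] = defaultdict(list)
    for name, info in lineages.items():
        for host in info["domains"]:
            cover[host].append(name)
    return {host: sorted(names) for host, names in cover.items()}


def redundant_lineages(lineages: Dict[str, dict]) -> List[str]:
    """Lineages whose name set is contained in another lineage's.

    A proper subset is always redundant; of two lineages with identical
    name sets the lexically later name is reported so that one survives."""
    redundant = set()
    for a, ia in lineages.items():
        for b, ib in lineages.items():
            if a == b:
                continue
            if ia["domains"] < ib["domains"] or (ia["domains"] == ib["domains"] and a > b):
                redundant.add(a)
    return sorted(redundant)


def server_block_check(lineages: Dict[str, dict], server_name: str,
                       ssl_certificate: str) -> Tuple[Optional[str], bool]:
    """Find the lineage behind an nginx block's ssl_certificate path and
    report whether that certificate actually names the block's server_name."""
    for name, info in lineages.items():
        if info["path"] == ssl_certificate:
            return name, server_name in info["domains"]
    return None, False


if __name__ == "__main__":
    found = parse_certbot_listing(CERTBOT_LISTING)
    for host, names in sorted(lineages_covering(found).items()):
        print(f"{host}: covered by {', '.join(names)}")
    print("redundant lineages:", ", ".join(redundant_lineages(found)))
    print(server_block_check(found, "paulbeard.org",
                             "/usr/local/etc/letsencrypt/live/paulbeard.org/fullchain.pem"))
```

On the posted listing every hostname is covered by at least two lineages, and paulbeard.org, www.paulbeard.org and www.paulbeard.org-0001 are all contained in cloud.paulbeard.org, which is the single-certificate arrangement Paul says he wants; the server_block_check shows whether each nginx block's ssl_certificate really carries its own server_name before any of the extra lineages are deleted.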

