Date: Mon, 12 Sep 2022 16:46:18 -0700
From: paul beard <paulbeard@gmail.com>
To: Waitman Gobble <gobble.wa@gmail.com>
Cc: freebsd-questions <freebsd-questions@freebsd.org>
Subject: Re: any nginx/letsencrypt experts out there?
Message-ID: <CAMtcK2qSoKNMZHQUfUaCQoVEN3-y-KOTX=d_9QZsmDYQ+Rw-tA@mail.gmail.com>
In-Reply-To: <CAMtcK2qFcNaqJy1sQhqpzDTQN=bfZ3SCyqNa+bE0xwwZM5xL5g@mail.gmail.com>
References: <CAMtcK2reN+DGjvdaJJ=3ppz4uK0RU8gJ1f4BY1kvJ+5xHqgOsg@mail.gmail.com>
 <1832f40c8af.10b332ee2406187.6375306777861801560@eye-of-odin.com>
 <CAMtcK2oo_5vS8AAyd6jPgniggKvYNWbiJwpQZvPb5yeAPENJGA@mail.gmail.com>
 <1832f85d371.10bae82d3411853.462587170353998748@eye-of-odin.com>
 <CAFuo_fwRcLRaSb9bDOe3BV_W0dUkbAjL3_P=TpifYQrxjXD5rQ@mail.gmail.com>
 <1832fe45fb5.df336718422020.6612482456577931531@eye-of-odin.com>
 <CAMtcK2qW=ih8w6UgkxPL_Fp62=b+PzCSFN4u-uR15tnPm5=3oQ@mail.gmail.com>
 <CAMtcK2ogAN_5BnuXtDyvdt=-mcJ4fNw53e05cq0O_hGGSYqp=A@mail.gmail.com>
 <CAFuo_fwkgS4emq9cOaWMi6cuHaqXGEnkXVNFfou63c_xT326cg@mail.gmail.com>
 <CAMtcK2qFcNaqJy1sQhqpzDTQN=bfZ3SCyqNa+bE0xwwZM5xL5g@mail.gmail.com>
On Mon, Sep 12, 2022 at 11:45 AM paul beard <paulbeard@gmail.com> wrote:
>
> On Mon, Sep 12, 2022 at 7:23 AM Waitman Gobble <gobble.wa@gmail.com> wrote:
>
>> On Mon, Sep 12, 2022 at 2:01 PM paul beard <paulbeard@gmail.com> wrote:
>> >
>> > On Sun, Sep 11, 2022 at 9:27 PM paul beard <paulbeard@gmail.com> wrote:
>> >>
>> >> On Sun, Sep 11, 2022 at 9:11 PM Ty John <ty-ml@eye-of-odin.com> wrote:
>> >>>
>> >>> ---- On Mon, 12 Sep 2022 13:21:30 +0930 Waitman Gobble wrote ---
>> >>>
>> >>> > On Mon, Sep 12, 2022 at 2:42 AM Ty John <ty-ml@eye-of-odin.com> wrote:
>> >>> > >
>> >>> > > That order should be fine. The more specific locations should be
>> >>> > > listed first which is what you have. The redirect will trigger a new
>> >>> > > request which will match the first stanza.
>> >>> > >
>> >>> > > Anyway, it looks fine to me as long as the certs themselves are
>> >>> > > right.
>> >>> > > I just checked the certs on https://paulbeard.org,
>> >>> > > https://www.paulbeard.org and https://cloud.paulbeard.org and they
>> >>> > > all seem fine to me.
>> >>> > > I suspect it might be a browser issue as you mentioned. What
>> >>> > > happens in safari?
>> >>>
>> >
>> > Hmm. So Safari is still having issues. It is able to load the root as
>> > www.paulbeard.org but not without it. And the link to wordpress
>> > explicitly uses www but it gets rewritten without and then fails for
>> > lack of a secure connection. I'll need to track down how that
>> > rewriting is happening. Who knew Safari was so rigorous?
>> >
>> > This is the unadorned/non-www stanza: do I even need that in the year
>> > 2022?
>> >
>> >      71     server {
>> >      72     #listen 443 ssl http2;
>> >      73     listen [::]:443 ssl http2;
>> >      74     server_name  paulbeard.org;
>> >      75 #    if ($request ~* https://paulbeard.org) {
>> >      76 #    return 301 https://www.paulbeard.org;
>> >      77 #    }
>> >      78     ssl_certificate /usr/local/etc/letsencrypt/live/paulbeard.org/fullchain.pem; # managed by Certbot
>> >      79     ssl_certificate_key /usr/local/etc/letsencrypt/live/paulbeard.org/privkey.pem; # managed by Certbot
>> >      80     include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
>> >      81     ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
>> >      82
>> >      83     add_header X-Clacks-Overhead "GNU Terry Pratchett";
>> >      84     # add Strict-Transport-Security to prevent man in the middle attacks
>> >      85     add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
>> >      86     #rewrite ^(.*) https://www.paulbeard.org$1 permanent; #+
>> >      87     #return      301 https://$host$request_uri;
>> >      88
>> >      89
>> >      90     root            /usr/local/www/;
>> >      91     disable_symlinks off;
>> >      92
>> >      93 }
>> >
>>
>> Maybe your certs are kinda jumbled up?
>>
> This is pretty accurate. I realized I wasn't pulling a certificate for the
> base domain/host name, since i had commented it out in the config. Seems
> like things have gotten jumbled indeed. I don't touch any of the config
> that certbot adds so I am wary of how I can unmuddle it. I have since
> restored that but now I see what I think is the real problem.
>
> This is the full list of certs I have…I seem to have gotten host and
> domain mixed up here, as these are hosts, not domains, and ideally should
> have just one certificate for all of them. Some cleanup seems to be
> required.
>
> Found the following certs:
>   Certificate Name: cloud.paulbeard.org
>     Serial Number: 4bdb35a6e5308f47e7934453b6d1552a330
>     Key Type: RSA
>     Domains: paulbeard.org cloud.paulbeard.org www.paulbeard.org
>     Expiry Date: 2022-12-04 16:14:05+00:00 (VALID: 82 days)
>     Certificate Path: /usr/local/etc/letsencrypt/live/cloud.paulbeard.org/fullchain.pem
>     Private Key Path: /usr/local/etc/letsencrypt/live/cloud.paulbeard.org/privkey.pem
>   Certificate Name: paulbeard.org
>     Serial Number: 44c82383b1da739543404608a77c9174d79
>     Key Type: RSA
>     Domains: paulbeard.org
>     Expiry Date: 2022-11-11 10:45:26+00:00 (VALID: 59 days)
>     Certificate Path: /usr/local/etc/letsencrypt/live/paulbeard.org/fullchain.pem
>     Private Key Path: /usr/local/etc/letsencrypt/live/paulbeard.org/privkey.pem
>   Certificate Name: www.paulbeard.org-0001
>     Serial Number: 4a865592d7d31d1465df0e7245eb88d9d13
>     Key Type: RSA
>     Domains: www.paulbeard.org
>     Expiry Date: 2022-12-10 23:29:48+00:00 (VALID: 89 days)
>     Certificate Path: /usr/local/etc/letsencrypt/live/www.paulbeard.org-0001/fullchain.pem
>     Private Key Path: /usr/local/etc/letsencrypt/live/www.paulbeard.org-0001/privkey.pem
>   Certificate Name: www.paulbeard.org
>     Serial Number: 4a730b954fead25d08fb8281c374c11014e
>     Key Type: RSA
>     Domains: cloud.paulbeard.org www.paulbeard.org
>     Expiry Date: 2022-12-10 21:33:36+00:00 (VALID: 89 days)
>     Certificate Path: /usr/local/etc/letsencrypt/live/www.paulbeard.org/fullchain.pem
>     Private Key Path: /usr/local/etc/letsencrypt/live/www.paulbeard.org/privkey.pem

Some things about this are not making sense…sometimes the wordpress pages
will load but not always. Sometimes different servers answer to the generic
"paulbeard.org" URI (the cloud instance, for some reason, would be served).
Something to do with listen [::]:443 ssl http2; being set which makes no
sense at all. I have removed it everywhere for now. IP6 traffic is far down
my list of things to be bothered with.

My main issue seems to be URI rewriting that I can't seem to find in the
config. I get an error about 20 redirects and I don't see where that is
happening. The rewrites are being logged…

2022/09/12 16:41:57 [notice] 5920#100651: *1742 rewritten redirect: "https://www.paulbeard.org/wordpress/", client: 192.168.0.5, server: paulbeard.org, request: "GET /wordpress/ HTTP/2.0", host: "paulbeard.org", referrer: "https://www.paulbeard.org/"
2022/09/12 16:41:57 [notice] 5920#100651: *1742 rewritten redirect: "https://www.paulbeard.org/wordpress/", client: 192.168.0.5, server: paulbeard.org, request: "GET /wordpress/ HTTP/2.0", host: "paulbeard.org", referrer: "https://www.paulbeard.org/"
2022/09/12 16:41:57 [notice] 5920#100651: *1742 rewritten redirect: "https://www.paulbeard.org/wordpress/", client: 192.168.0.5, server: paulbeard.org, request: "GET /wordpress/ HTTP/2.0", host: "paulbeard.org", referrer: "https://www.paulbeard.org/"
2022/09/12 16:41:58 [notice] 5920#100651: *1742 rewritten redirect: "https://www.paulbeard.org/wordpress/", client: 192.168.0.5, server: paulbeard.org, request: "GET /wordpress/ HTTP/2.0", host: "paulbeard.org", referrer: "https://www.paulbeard.org/"
2022/09/12 16:41:58 [notice] 5920#100651: *1742 rewritten redirect: "https://www.paulbeard.org/wordpress/", client: 192.168.0.5, server: paulbeard.org, request: "GET /wordpress/ HTTP/2.0", host: "paulbeard.org", referrer: "https://www.paulbeard.org/"
2022/09/12 16:41:58 [notice] 5920#100651: *1742 rewritten redirect: "https://www.paulbeard.org/wordpress/", client: 192.168.0.5, server: paulbeard.org, request: "GET /wordpress/ HTTP/2.0", host: "paulbeard.org", referrer: "https://www.paulbeard.org/"
2022/09/12 16:41:58 [notice] 5920#100651: *1742 rewritten redirect: "https://www.paulbeard.org/wordpress/", client: 192.168.0.5, server: paulbeard.org, request: "GET /wordpress/ HTTP/2.0", host: "paulbeard.org", referrer: "https://www.paulbeard.org/"

This is the paulbeard.org stanza:

     74     server {
     75     listen 443 ssl http2;
     76     server_name  paulbeard.org;
     77     root            /usr/local/www/;
     78     ssl_certificate /usr/local/etc/letsencrypt/live/paulbeard.org/fullchain.pem; # managed by Certbot
     79     ssl_certificate_key /usr/local/etc/letsencrypt/live/paulbeard.org/privkey.pem; # managed by Certbot
     80     include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
     81     ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
     82
     83     add_header X-Clacks-Overhead "GNU Terry Pratchett";
     84     # add Strict-Transport-Security to prevent man in the middle attacks
     85     add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
     86     rewrite ^(.*) https://www.paulbeard.org$1 permanent;
     87     #return      301 https://$host$request_uri;
     88
     89
     90     disable_symlinks off;
     91
     92 }

The only active thing that looks like a rewrite is on line 86 and if I
comment that out, the php pages are downloaded, rather than parsed and
displayed. That's not what I want. I have no idea how this got so messed
up. I am working from a config that worked 3-4 days ago. I tried ripping
out that stanza but something somewhere depends on it.
-- 
Paul Beard / www.paulbeard.org/
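Added example, not code from the thread: a parser for the nginx "rewritten redirect" notices pasted above that groups them by connection, Host header and target to flag a loop, and records whether the stanza's rewrite points back at the host that received the request or at a different one. The sample log lines are constructed to match the thread's format; the function names are this example's own.

```python
"""Find redirect loops in nginx error_log 'rewritten redirect' notices.

Added example, not code from the thread. SAMPLE_LOG is constructed to match
the notice format pasted in the thread, plus constructed lines that exercise
the other branches (a single harmless redirect, a self-redirect, a non-notice).
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# One notice per redirect the rewrite module emitted. Fields, in order:
# timestamp, pid#tid, *connection id, target URL, client, server, request
# line, Host header and (optionally) referrer.
NOTICE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) \[notice\] \d+#\d+: \*(?P<conn>\d+) rewritten redirect: '
    r'"(?P<target>[^"]+)", client: (?P<client>\S+), server: (?P<server>\S+), '
    r'request: "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)", '
    r'host: "(?P<host>[^"]+)"(?:, referrer: "(?P<referrer>[^"]*)")?'
)


def parse_notice(line):
    """Fields of one rewrite notice as a dict, or None for any other log line."""
    m = NOTICE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_loops(lines, threshold=3):
    """Group notices by (connection, Host, path, target) and return the groups
    that fire at least `threshold` times: the same client keeps being sent to
    the same target and keeps coming back with the same Host on one connection.

    `self_redirect` says which half of the loop this server block owns. True:
    the rewrite targets the very host that received the request, so the block
    bounces to itself. False (the thread's case: Host paulbeard.org, target
    www.paulbeard.org): whatever answers for the target host is sending the
    client back to the bare host, so that is the next place to look."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_notice(line)
        if rec is not None:
            groups[(rec['conn'], rec['host'], rec['path'], rec['target'])].append(rec)

    loops = []
    for (conn, host, path, target), recs in groups.items():
        if len(recs) < threshold:
            continue
        request_host = host.split(':')[0].lower()     # Host may carry a port
        loops.append({
            'conn': conn, 'host': host, 'path': path, 'target': target,
            'count': len(recs),
            'self_redirect': urlsplit(target).hostname == request_host,
            'first': recs[0]['ts'], 'last': recs[-1]['ts'],
        })
    return loops


def report(lines, threshold=3):
    """One human-readable line per loop found."""
    out = []
    for lp in find_loops(lines, threshold):
        where = ('this server block redirects to itself' if lp['self_redirect']
                 else 'target host differs: check what serves ' + urlsplit(lp['target']).hostname)
        out.append('conn *%s: %d x %s %s -> %s (%s)' % (
            lp['conn'], lp['count'], lp['host'], lp['path'], lp['target'], where))
    return out


_TEMPLATE = (
    '{ts} [notice] 5920#100651: *{conn} rewritten redirect: "{target}", '
    'client: 192.168.0.5, server: {server}, request: "GET {path} HTTP/2.0", '
    'host: "{host}", referrer: "https://www.paulbeard.org/"'
)

# Constructed sample: the seven bounces from the thread (one connection, *1742),
# one single redirect on another connection, a self-redirect loop on a made-up
# host, and an unrelated error line the parser has to ignore.
SAMPLE_LOG = [
    _TEMPLATE.format(ts=ts, conn=1742, server='paulbeard.org', path='/wordpress/',
                     host='paulbeard.org', target='https://www.paulbeard.org/wordpress/')
    for ts in ['2022/09/12 16:41:57'] * 3 + ['2022/09/12 16:41:58'] * 4
] + [
    _TEMPLATE.format(ts='2022/09/12 16:42:03', conn=1750, server='paulbeard.org',
                     path='/', host='paulbeard.org', target='https://www.paulbeard.org/'),
] + [
    _TEMPLATE.format(ts='2022/09/12 16:42:10', conn=1760, server='loop.example.test',
                     path='/app/', host='loop.example.test',
                     target='https://loop.example.test/app/')
    for _ in range(3)
] + [
    '2022/09/12 16:42:11 [error] 5920#100651: *1761 open() "/usr/local/www/favicon.ico" '
    'failed (2: No such file or directory), client: 192.168.0.5, server: paulbeard.org, '
    'request: "GET /favicon.ico HTTP/2.0", host: "paulbeard.org"',
]


if __name__ == '__main__':
    for line in report(SAMPLE_LOG):
        print(line)
```

On a live box feed it the relevant slice of the nginx error log instead of SAMPLE_LOG; a loop whose `self_redirect` is False will not be fixed by editing the stanza that logged it.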
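Added example, not code from the thread, for the certificate clean-up the thread talks about: it parses the `certbot certificates` listing (reproduced from the thread), reports which lineages are fully covered by another lineage, and checks whether the certificate an nginx server block points at actually contains that block's server_name. The function names and the stanza paths passed to `check_stanza` are this example's own.

```python
"""Audit a `certbot certificates` listing against nginx server blocks.

Added example, not code from the thread. CERTBOT_OUTPUT reproduces the four
lineages pasted in the thread; everything else is this example's own.
"""
from datetime import datetime

CERTBOT_OUTPUT = """\
Found the following certs:
  Certificate Name: cloud.paulbeard.org
    Serial Number: 4bdb35a6e5308f47e7934453b6d1552a330
    Key Type: RSA
    Domains: paulbeard.org cloud.paulbeard.org www.paulbeard.org
    Expiry Date: 2022-12-04 16:14:05+00:00 (VALID: 82 days)
    Certificate Path: /usr/local/etc/letsencrypt/live/cloud.paulbeard.org/fullchain.pem
    Private Key Path: /usr/local/etc/letsencrypt/live/cloud.paulbeard.org/privkey.pem
  Certificate Name: paulbeard.org
    Serial Number: 44c82383b1da739543404608a77c9174d79
    Key Type: RSA
    Domains: paulbeard.org
    Expiry Date: 2022-11-11 10:45:26+00:00 (VALID: 59 days)
    Certificate Path: /usr/local/etc/letsencrypt/live/paulbeard.org/fullchain.pem
    Private Key Path: /usr/local/etc/letsencrypt/live/paulbeard.org/privkey.pem
  Certificate Name: www.paulbeard.org-0001
    Serial Number: 4a865592d7d31d1465df0e7245eb88d9d13
    Key Type: RSA
    Domains: www.paulbeard.org
    Expiry Date: 2022-12-10 23:29:48+00:00 (VALID: 89 days)
    Certificate Path: /usr/local/etc/letsencrypt/live/www.paulbeard.org-0001/fullchain.pem
    Private Key Path: /usr/local/etc/letsencrypt/live/www.paulbeard.org-0001/privkey.pem
  Certificate Name: www.paulbeard.org
    Serial Number: 4a730b954fead25d08fb8281c374c11014e
    Key Type: RSA
    Domains: cloud.paulbeard.org www.paulbeard.org
    Expiry Date: 2022-12-10 21:33:36+00:00 (VALID: 89 days)
    Certificate Path: /usr/local/etc/letsencrypt/live/www.paulbeard.org/fullchain.pem
    Private Key Path: /usr/local/etc/letsencrypt/live/www.paulbeard.org/privkey.pem
"""


def parse_certificates(text):
    """Turn the listing into one dict per lineage (name, domains, expiry, paths)."""
    certs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('Certificate Name:'):
            cur = {'name': line.split(':', 1)[1].strip(), 'domains': set()}
            certs.append(cur)
        elif cur is not None and ':' in line:
            key, val = (s.strip() for s in line.split(':', 1))
            if key == 'Domains':
                cur['domains'] = set(val.split())
            elif key == 'Expiry Date':   # drop the "(VALID: n days)" suffix
                cur['expiry'] = datetime.strptime(val.split(' (')[0], '%Y-%m-%d %H:%M:%S%z')
            elif key == 'Certificate Path':
                cur['cert_path'] = val
            elif key == 'Private Key Path':
                cur['key_path'] = val
    return certs


def redundant_lineages(certs):
    """Map each lineage whose names are all present in another lineage to the
    best covering lineage (most names, then latest expiry). A name such as
    www.paulbeard.org-0001 is the suffix certbot adds when a new lineage would
    collide with an existing one, so it usually marks a duplicate request."""
    covered = {}
    for c in certs:
        cands = [d for d in certs if d is not c and c['domains'] <= d['domains']
                 and (c['domains'] != d['domains'] or d['expiry'] > c['expiry'])]
        if cands:
            best = max(cands, key=lambda d: (len(d['domains']), d['expiry']))
            covered[c['name']] = best['name']
    return covered


def check_stanza(certs, ssl_certificate, server_name):
    """(lineage name, covered?) for the ssl_certificate path an nginx server
    block uses and the server_name it serves; (None, False) for an unknown path."""
    for c in certs:
        if c.get('cert_path') == ssl_certificate:
            return c['name'], server_name in c['domains']
    return None, False


if __name__ == '__main__':
    certs = parse_certificates(CERTBOT_OUTPUT)
    for name, by in redundant_lineages(certs).items():
        print('%s is fully covered by %s' % (name, by))
    print(check_stanza(certs, '/usr/local/etc/letsencrypt/live/paulbeard.org/fullchain.pem',
                       'paulbeard.org'))
```

A lineage listed as covered can be retired with `certbot delete --cert-name NAME` once no server block references its paths; check every stanza first, because a stanza whose server_name is not in its certificate's domain list is exactly what makes a browser refuse the connection.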
like a rewrite is on line 86 and if I comment that out, the php pa= ges are downloaded, rather than parsed and displayed. That's not what I= want.=C2=A0</div><div><br></div><div>I have no idea how this got so messed= up. I am working from a config that worked 3-4 days ago.=C2=A0 I tried rip= ping out that stanza but something somewhere depends on it.=C2=A0</div>-- <= br><div dir=3D"ltr" class=3D"gmail_signature">Paul Beard / <a href=3D"http:= //www.paulbeard.org/" target=3D"_blank">www.paulbeard.org/</a><br></div></d= iv></div> --0000000000002ea8b005e8838150--
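An added diagnostic for the kind of "rewritten redirect" notice quoted in this message. It is example code written for this archive page, not anything the poster or the other participants ran, and it works offline: it parses nginx error-log lines of the shape shown above (the regex assumes that exact format), tabulates which hostname redirected to which, and flags a client that gets sent from the bare name to www and back again for the same path, which is the loop a browser eventually gives up on. The first sample line is the one from the post; the other lines are constructed for the example.

```python
"""Parse nginx 'rewritten redirect' notices and flag www/bare-host bounces.

Example code for this thread, not from the post itself. The notice format is
assumed from the single line quoted in the message.
"""
import re
from urllib.parse import urlsplit

# Shape of the notice nginx writes when `rewrite ... permanent;` fires
# (assumed from the quoted line; the referrer field is optional).
NOTICE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] '
    r'(?P<pid>\d+)#(?P<tid>\d+): \*(?P<conn>\d+) rewritten redirect: '
    r'"(?P<target>[^"]+)", client: (?P<client>\S+), server: (?P<server>\S+), '
    r'request: "(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)", '
    r'host: "(?P<host>[^"]+)"(?:, referrer: "(?P<referrer>[^"]+)")?$'
)

# Constructed sample log: line 1 is quoted from the post, the rest are made up
# to show one client bouncing between the two hostnames plus an unrelated error.
SAMPLE_LOG = [
    '2022/09/12 16:41:58 [notice] 5920#100651: *1742 rewritten redirect: '
    '"https://www.paulbeard.org/wordpress/", client: 192.168.0.5, '
    'server: paulbeard.org, request: "GET /wordpress/ HTTP/2.0", '
    'host: "paulbeard.org", referrer: "https://www.paulbeard.org/"',
    '2022/09/12 16:41:59 [notice] 5920#100651: *1743 rewritten redirect: '
    '"https://paulbeard.org/wordpress/", client: 192.168.0.5, '
    'server: www.paulbeard.org, request: "GET /wordpress/ HTTP/2.0", '
    'host: "www.paulbeard.org", referrer: "https://www.paulbeard.org/"',
    '2022/09/12 16:42:03 [notice] 5920#100651: *1750 rewritten redirect: '
    '"https://www.paulbeard.org/about/", client: 10.0.0.9, '
    'server: paulbeard.org, request: "GET /about/ HTTP/1.1", '
    'host: "paulbeard.org"',
    '2022/09/12 16:42:05 [error] 5920#100651: *1751 open() "/usr/local/www/x" '
    'failed (2: No such file or directory), client: 10.0.0.9, server: paulbeard.org',
]


def parse_notice(line):
    """Return a dict for a 'rewritten redirect' notice, or None for any other line."""
    m = NOTICE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["conn"] = int(rec["conn"])
    parts = urlsplit(rec["target"])
    rec["target_host"] = parts.hostname   # where the client is being sent
    rec["target_path"] = parts.path       # what $1 expanded to in the rewrite
    return rec


def parse_log(lines):
    """Keep only the redirect notices, in log order."""
    return [r for r in (parse_notice(ln) for ln in lines) if r is not None]


def redirect_edges(records):
    """Count (request host -> redirect target host) pairs: the rewrite topology."""
    edges = {}
    for r in records:
        key = (r["host"], r["target_host"])
        edges[key] = edges.get(key, 0) + 1
    return edges


def find_bounces(records):
    """Flag (client, path) pairs that were redirected A->B and also B->A.

    Two server blocks each rewriting to the other produce exactly this pattern;
    the browser sees it as a redirect loop or a failed connection.
    """
    seen = {}
    for r in records:
        seen.setdefault((r["client"], r["uri"]), set()).add(
            (r["host"], r["target_host"]))
    bounces = []
    for (client, uri), hops in sorted(seen.items()):
        for a, b in hops:
            if (b, a) in hops and a < b:   # report each loop once
                bounces.append((client, uri, a, b))
    return bounces


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (src, dst), n in redirect_edges(recs).items():
        print(f"{src} -> {dst}: {n} redirect(s)")
    for client, uri, a, b in find_bounces(recs):
        print(f"LOOP? client {client} bounced {uri} between {a} and {b}")
```

Run it against a real error.log by replacing SAMPLE_LOG with the file's lines; a (bare -> www) edge alone is the intended behaviour of line 86, while a matching (www -> bare) edge for the same client and path points at a second rewrite (or an upstream application generating links for the other hostname) that has to be found before the certificate is worth suspecting.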