Re: any nginx/letsencrypt experts out there?
- Reply: Waitman Gobble : "Re: any nginx/letsencrypt experts out there?"
- In reply to: paul beard : "Re: any nginx/letsencrypt experts out there?"
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Mon, 12 Sep 2022 23:46:18 UTC
On Mon, Sep 12, 2022 at 11:45 AM paul beard <paulbeard@gmail.com> wrote:
>
>
> On Mon, Sep 12, 2022 at 7:23 AM Waitman Gobble <gobble.wa@gmail.com>
> wrote:
>
>> On Mon, Sep 12, 2022 at 2:01 PM paul beard <paulbeard@gmail.com> wrote:
>> >
>> >
>> >
>> > On Sun, Sep 11, 2022 at 9:27 PM paul beard <paulbeard@gmail.com> wrote:
>> >>
>> >>
>> >>
>> >> On Sun, Sep 11, 2022 at 9:11 PM Ty John <ty-ml@eye-of-odin.com> wrote:
>> >>>
>> >>>
>> >>>
>> >>>
>> >>>
>> >>>
>> >>> ---- On Mon, 12 Sep 2022 13:21:30 +0930 Waitman Gobble wrote ---
>> >>>
>> >>> > On Mon, Sep 12, 2022 at 2:42 AM Ty John ty-ml@eye-of-odin.com>
>> wrote:
>> >>> > >
>> >>> > > That order should be fine. The more specific locations should be
>> listed first which is what you have. The redirect will trigger a new
>> request which will match the first stanza.
>> >>> > >
>> >>> > > Anyway, it looks fine to me as long as the certs themselves are
>> right.
>> >>> > > I just checked the certs on https://paulbeard.org,
>> https://www.paulbeard.org and https://cloud.paulbeard.org and they all
>> seem fine to me.
>> >>> > > I suspect it might be a browser issue as you mentioned. What
>> happens in safari?
>> >>>
>> >>
>> >
>> > Hmm. So Safari is still having issues. It is able to load the root as
>> www.paulbeard.org but not without it. And the link to wordpress
>> explicitly uses www but it gets rewritten without and then fails for lack
>> of a secure connection. I'll need to track down how that rewriting is
>> happening. Who knew Safari was so rigorous?
>> >
>> > This is the unadorned/non-www stanza: do I even need that in the year
>> 2022?
>> >
>> > 71 server {
>> >
>> > 72 #listen 443 ssl http2;
>> >
>> > 73 listen [::]:443 ssl http2;
>> >
>> > 74 server_name paulbeard.org;
>> >
>> > 75 # if ($request ~* https://paulbeard.org) {
>> >
>> > 76 # return 301 https://www.paulbeard.org;
>> >
>> > 77 # }
>> >
>> > 78 ssl_certificate /usr/local/etc/letsencrypt/live/
>> paulbeard.org/fullchain.pem; # managed by Certbot
>> >
>> > 79 ssl_certificate_key /usr/local/etc/letsencrypt/live/
>> paulbeard.org/privkey.pem; # managed by Certbot
>> >
>> > 80 include /usr/local/etc/letsencrypt/options-ssl-nginx.conf;
>> # managed by Certbot
>> >
>> > 81 ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; #
>> managed by Certbot
>> >
>> > 82
>> >
>> > 83 add_header X-Clacks-Overhead "GNU Terry Pratchett";
>> >
>> > 84 # add Strict-Transport-Security to prevent man in the
>> middle attacks
>> >
>> > 85 add_header Strict-Transport-Security "max-age=15552000;
>> includeSubDomains" always;
>> >
>> > 86 #rewrite ^(.*) https://www.paulbeard.org$1 permanent; #+
>> >
>> > 87 #return 301 https://$host$request_uri;
>> >
>> > 88
>> >
>> > 89
>> >
>> > 90 root /usr/local/www/;
>> >
>> > 91 disable_symlinks off;
>> >
>> > 92
>> >
>> > 93 }
>> >
>> >
>> >
>>
>>
>>
>> Maybe your certs are kinda jumbled up?
>>
>>
> This is pretty accurate. I realized I wasn't pulling a certificate for the
> base domain/host name, since i had commented it out in the config. Seems
> like things have gotten jumbled indeed. I don't touch any of the config
> that certbot adds so I am wary of how I can unmuddle it. I have since
> restored that but now I see what I think is the real problem.
>
> This is the full list of certs I have…I seem to have gotten host and
> domain mixed up here, as these are hosts, not domains, and ideally should
> have just one certificate for all of them. Some cleanup seems to be
> required.
>
> Found the following certs:
>
> Certificate Name: cloud.paulbeard.org
>
> Serial Number: 4bdb35a6e5308f47e7934453b6d1552a330
>
> Key Type: RSA
>
> Domains: paulbeard.org cloud.paulbeard.org www.paulbeard.org
>
> Expiry Date: 2022-12-04 16:14:05+00:00 (VALID: 82 days)
>
> Certificate Path: /usr/local/etc/letsencrypt/live/
> cloud.paulbeard.org/fullchain.pem
>
> Private Key Path: /usr/local/etc/letsencrypt/live/
> cloud.paulbeard.org/privkey.pem
>
> Certificate Name: paulbeard.org
>
> Serial Number: 44c82383b1da739543404608a77c9174d79
>
> Key Type: RSA
>
> Domains: paulbeard.org
>
> Expiry Date: 2022-11-11 10:45:26+00:00 (VALID: 59 days)
>
> Certificate Path: /usr/local/etc/letsencrypt/live/
> paulbeard.org/fullchain.pem
>
> Private Key Path: /usr/local/etc/letsencrypt/live/
> paulbeard.org/privkey.pem
>
> Certificate Name: www.paulbeard.org-0001
>
> Serial Number: 4a865592d7d31d1465df0e7245eb88d9d13
>
> Key Type: RSA
>
> Domains: www.paulbeard.org
>
> Expiry Date: 2022-12-10 23:29:48+00:00 (VALID: 89 days)
>
> Certificate Path:
> /usr/local/etc/letsencrypt/live/www.paulbeard.org-0001/fullchain.pem
>
> Private Key Path:
> /usr/local/etc/letsencrypt/live/www.paulbeard.org-0001/privkey.pem
>
> Certificate Name: www.paulbeard.org
>
> Serial Number: 4a730b954fead25d08fb8281c374c11014e
>
> Key Type: RSA
>
> Domains: cloud.paulbeard.org www.paulbeard.org
>
> Expiry Date: 2022-12-10 21:33:36+00:00 (VALID: 89 days)
>
> Certificate Path: /usr/local/etc/letsencrypt/live/
> www.paulbeard.org/fullchain.pem
>
> Private Key Path: /usr/local/etc/letsencrypt/live/
> www.paulbeard.org/privkey.pem
>
Some things about this are not making sense…sometimes the wordpress pages
will load but not always. Sometimes different servers answer to the generic
"paulbeard.org" URI (the cloud instance, for some reason, would be served).
Something to do with listen [::]:443 ssl http2; being set which makes
no sense at all. I have removed it everywhere for now. IP6 traffic is far
down my list of things to be bothered with.
My main issue seems to be URI rewriting that I can't seem to find in the
config. I get an error about 20 redirects and I don't see where that is
happening. The rewrites are being logged…
2022/09/12 16:41:57 [notice] 5920#100651: *1742 rewritten redirect: "
https://www.paulbeard.org/wordpress/", client: 192.168.0.5, server:
paulbeard.org, request: "GET /wordpress/ HTTP/2.0", host: "paulbeard.org",
referrer: "https://www.paulbeard.org/"
2022/09/12 16:41:57 [notice] 5920#100651: *1742 rewritten redirect: "
https://www.paulbeard.org/wordpress/", client: 192.168.0.5, server:
paulbeard.org, request: "GET /wordpress/ HTTP/2.0", host: "paulbeard.org",
referrer: "https://www.paulbeard.org/"
2022/09/12 16:41:57 [notice] 5920#100651: *1742 rewritten redirect: "
https://www.paulbeard.org/wordpress/", client: 192.168.0.5, server:
paulbeard.org, request: "GET /wordpress/ HTTP/2.0", host: "paulbeard.org",
referrer: "https://www.paulbeard.org/"
2022/09/12 16:41:58 [notice] 5920#100651: *1742 rewritten redirect: "
https://www.paulbeard.org/wordpress/", client: 192.168.0.5, server:
paulbeard.org, request: "GET /wordpress/ HTTP/2.0", host: "paulbeard.org",
referrer: "https://www.paulbeard.org/"
2022/09/12 16:41:58 [notice] 5920#100651: *1742 rewritten redirect: "
https://www.paulbeard.org/wordpress/", client: 192.168.0.5, server:
paulbeard.org, request: "GET /wordpress/ HTTP/2.0", host: "paulbeard.org",
referrer: "https://www.paulbeard.org/"
2022/09/12 16:41:58 [notice] 5920#100651: *1742 rewritten redirect: "
https://www.paulbeard.org/wordpress/", client: 192.168.0.5, server:
paulbeard.org, request: "GET /wordpress/ HTTP/2.0", host: "paulbeard.org",
referrer: "https://www.paulbeard.org/"
2022/09/12 16:41:58 [notice] 5920#100651: *1742 rewritten redirect: "
https://www.paulbeard.org/wordpress/", client: 192.168.0.5, server:
paulbeard.org, request: "GET /wordpress/ HTTP/2.0", host: "paulbeard.org",
referrer: "https://www.paulbeard.org/"
This is the paulbeard.org stanza:
74 server {
75 listen 443 ssl http2;
76 server_name paulbeard.org;
77 root /usr/local/www/;
78 ssl_certificate /usr/local/etc/letsencrypt/live/
paulbeard.org/fullchain.pem; # managed by Certbot
79 ssl_certificate_key /usr/local/etc/letsencrypt/live/
paulbeard.org/privkey.pem; # managed by Certbot
80 include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; #
managed by Certbot
81 ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; #
managed by Certbot
82
83 add_header X-Clacks-Overhead "GNU Terry Pratchett";
84 # add Strict-Transport-Security to prevent man in the middle
attacks
85 add_header Strict-Transport-Security "max-age=15552000;
includeSubDomains" always;
86 rewrite ^(.*) https://www.paulbeard.org$1 permanent;
87 #return 301 https://$host$request_uri;
88
89
90 disable_symlinks off;
91
92 }
The only active thing that looks like a rewrite is on line 86 and if I
comment that out, the php pages are downloaded, rather than parsed and
displayed. That's not what I want.
I have no idea how this got so messed up. I am working from a config that
worked 3-4 days ago. I tried ripping out that stanza but something
somewhere depends on it.
--
Paul Beard / www.paulbeard.org/