Re: any nginx/letsencrypt experts out there?
- Reply: Waitman Gobble : "Re: any nginx/letsencrypt experts out there?"
- In reply to: paul beard : "any nginx/letsencrypt experts out there?"
Date: Mon, 12 Sep 2022 01:11:58 UTC
Can you share relevant snippets from your nginx.conf as well as the command you are using to issue/renew certs? How are you verifying after the renewal?

It's OK to change to a wildcard, but you won't be able to do an automatic verification such as the http method, where letsencrypt checks <yourdomain.com>/.well-known/foobar on port 80. Automation works much better by specifying multiple domains on a single cert, with the subsequent domains being SANs.

For example, I use acme.sh. You can use as many -d options as you like and they will be added as SANs to a single certificate:

    acme.sh --issue -d www.mydomain.com -d cloud.mydomain.com -w /usr/share/nginx/html

---- On Mon, 12 Sep 2022 10:27:09 +0930 paul beard <paulbeard@gmail.com> wrote ---

Something seems to have gone wrong with a working nginx/letsencrypt installation. I suspect LE has changed some things while this system was running 11.4 and the update to 12.3 brought those changes to light.

I have a www and cloud server under a single domain and a certificate for each. Not sure that's right, but I think that's what LE/certbot came up with from reading nginx.conf (i.e., it was set up and worked that way but might have always been wrong and I am just now catching up with that).

The cloud.domain server loads just fine but the www.domain will not. There is additional confusion over www vs bare (non-www).domain. Again, that worked before with some rewriting and whatnot but seems not to work now. Requests for www. are now forced to the non-www listener and all the necessary bits (wordpress, etc) are in the www. server stanza.

Also I can get openssl on the command line to work fine, so there is a chance it's some goofy Apple Safari mishegas that needs sorting out.

Is it better to just have a single cert for *.domain? That makes more sense to me, not sure how this other situation came to be.

-- Paul Beard / http://www.paulbeard.org/
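The configuration below is an added illustration of the reply's advice, not config posted by either participant. It puts the bare domain, www and cloud on one certificate issued with acme.sh (each extra -d becoming a SAN), keeps the port-80 /.well-known/acme-challenge/ path reachable for the HTTP-01 check, and folds the bare name into www so WordPress only sees one canonical host. "mydomain.com", the certificate paths and the webroot under /var/www are placeholders; the -w webroot /usr/share/nginx/html is the one from the reply.

```nginx
# Added example (not from the thread). Assumed issue/install commands, run once:
#
#   acme.sh --issue -d mydomain.com -d www.mydomain.com -d cloud.mydomain.com \
#           -w /usr/share/nginx/html
#   acme.sh --install-cert -d mydomain.com \
#           --key-file       /etc/nginx/ssl/mydomain.com.key \
#           --fullchain-file /etc/nginx/ssl/mydomain.com.fullchain.cer \
#           --reloadcmd      "service nginx reload"
#
# acme.sh writes challenge tokens to <webroot>/.well-known/acme-challenge/, so
# the port-80 server must answer for every name on the cert and must not redirect
# that path away from plain HTTP.

server {
    listen 80;
    listen [::]:80;
    server_name mydomain.com www.mydomain.com cloud.mydomain.com;

    # HTTP-01 validation: Let's Encrypt fetches this over port 80, unredirected.
    location ^~ /.well-known/acme-challenge/ {
        root /usr/share/nginx/html;
        default_type text/plain;
    }

    # Everything else goes to HTTPS on the same host name.
    location / {
        return 301 https://$host$request_uri;
    }
}

# Bare domain over HTTPS: served with the same SAN certificate so the browser
# never sees a name mismatch, then redirected to the www server stanza.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name mydomain.com;

    ssl_certificate     /etc/nginx/ssl/mydomain.com.fullchain.cer;  # placeholder path
    ssl_certificate_key /etc/nginx/ssl/mydomain.com.key;            # placeholder path

    return 301 https://www.mydomain.com$request_uri;
}

# www: the stanza that actually holds the site (WordPress etc.).
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name www.mydomain.com;

    ssl_certificate     /etc/nginx/ssl/mydomain.com.fullchain.cer;  # same cert as above
    ssl_certificate_key /etc/nginx/ssl/mydomain.com.key;

    root  /var/www/wordpress;   # placeholder webroot
    index index.php index.html;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}

# cloud.mydomain.com gets its own 443 server block pointing at the same two
# certificate files; it is omitted here for brevity.
```

To answer the "how are you verifying" question after a renewal, check what the server actually hands out rather than the file on disk, for each name separately, since SNI picks the server block: `openssl s_client -connect www.mydomain.com:443 -servername www.mydomain.com </dev/null | openssl x509 -noout -dates -ext subjectAltName`. All three names should appear in the subjectAltName list and the notAfter date should have moved.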