Re: any nginx/letsencrypt experts out there?

From: Ty John <ty-ml_at_eye-of-odin.com>
Date: Mon, 12 Sep 2022 01:11:58 UTC
Can you share relevant snippets from your nginx.conf as well as the command you are using to issue/renew certs?



How are you verifying after the renewal? It's OK to change to a wildcard but you won't be able to do an automatic verification such as the http method where letsencrypt checks the <yourdomain.com>/.well-known/foobar on port 80. Automation works much better by specifying multiple domains on a single cert with the subsequent domains being SANs.



For example, I use acme.sh. You can use as many -d options as you like and they will be added as SANs to a single certificate.



acme.sh --issue -d http://www.mydomain.com -d cloud.mydomain.com -w /usr/share/nginx/html


















---- On Mon, 12 Sep 2022 10:27:09 +0930 paul beard <paulbeard@gmail.com> wrote ---



Something seems to have gone wrong with a working nginx/letsencrypt installation. I suspect LE has changed some things while this system was running 11.4 and the update to 12.3 brought those changes to light. 



I have a www and cloud server under a single domain and a certificate for each. Not sure that's right but I think that's what LE/certbot came up with from reading nginx.conf (ie, it was setup and worked that way but might have always been wrong and I am just now catching up with that). The cloud.domain server loads just fine but the www.domain will not. There is additional confusion over www vs bare (non-www).domain. Again, that worked before w some rewriting and whatnot but seems not to work now. Requests for www. are now forced to the non-www listener and all the necessary bits (wordpress, etc) are in the www. server stanza. 



Also I can get openssl on the command line to work fine so there is a chance it's some goofy Apple Safari mishegas that needs sorting out. 



Is it better just have a single cert for *.domain? That makes more sense to me, not sure how this other situation came to be. 













-- 

Paul Beard / http://www.paulbeard.org/