Re: any nginx/letsencrypt experts out there?

From: Waitman Gobble <gobble.wa_at_gmail.com>
Date: Mon, 12 Sep 2022 14:22:51 UTC
On Mon, Sep 12, 2022 at 2:01 PM paul beard <paulbeard@gmail.com> wrote:
>
> On Sun, Sep 11, 2022 at 9:27 PM paul beard <paulbeard@gmail.com> wrote:
>>
>> On Sun, Sep 11, 2022 at 9:11 PM Ty John <ty-ml@eye-of-odin.com> wrote:
>>>
>>> ---- On Mon, 12 Sep 2022 13:21:30 +0930 Waitman Gobble wrote ---
>>>
>>>  > On Mon, Sep 12, 2022 at 2:42 AM Ty John <ty-ml@eye-of-odin.com> wrote:
>>>  > >
>>>  > > That order should be fine. The more specific locations should be listed first which is what you have. The redirect will trigger a new request which will match the first stanza.
>>>  > >
>>>  > > Anyway, it looks fine to me as long as the certs themselves are right.
>>>  > > I just checked the certs on https://paulbeard.org, https://www.paulbeard.org and https://cloud.paulbeard.org and they all seem fine to me.
>>>  > > I suspect it might be a browser issue as you mentioned. What happens in safari?
>>>
>>
>
> Hmm. So Safari is still having issues. It is able to load the root as www.paulbeard.org but not without it. And the link to wordpress explicitly uses www but it gets rewritten without and then fails for lack of a secure connection. I'll need to track down how that rewriting is happening. Who knew Safari was so rigorous?
>
> This is the unadorned/non-www stanza: do I even need that in the year 2022?
>
>     server {
>     #listen 443 ssl http2;
>     listen [::]:443 ssl http2;
>     server_name  paulbeard.org;
> #    if ($request ~* https://paulbeard.org) {
> #    return 301 https://www.paulbeard.org;
> #    }
>     ssl_certificate /usr/local/etc/letsencrypt/live/paulbeard.org/fullchain.pem; # managed by Certbot
>     ssl_certificate_key /usr/local/etc/letsencrypt/live/paulbeard.org/privkey.pem; # managed by Certbot
>     include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
>     ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
>
>     add_header X-Clacks-Overhead "GNU Terry Pratchett";
>     # add Strict-Transport-Security to prevent man in the middle attacks
>     add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
>     #rewrite ^(.*) https://www.paulbeard.org$1 permanent; #+
>     #return      301 https://$host$request_uri;
>
>
>     root           /usr/local/www/;
>     disable_symlinks off;
>
> }
>

Maybe your certs are kinda jumbled up?

It seems requests to cloud.paulbeard.org return the cert for
CN=paulbeard.org, while requests to paulbeard.org and www.paulbeard.org
return the cert for cloud.paulbeard.org.

λ #~> openssl s_client -showcerts -connect cloud.paulbeard.org:443
CONNECTED(00000004)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = paulbeard.org
verify return:1
---
Certificate chain
 0 s:CN = paulbeard.org
   i:C = US, O = Let's Encrypt, CN = R3


λ #~> openssl s_client -showcerts -connect paulbeard.org:443
CONNECTED(00000004)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = cloud.paulbeard.org
verify return:1
---
Certificate chain
 0 s:CN = cloud.paulbeard.org
   i:C = US, O = Let's Encrypt, CN = R3

λ #~> openssl s_client -showcerts -connect www.paulbeard.org:443
CONNECTED(00000004)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = cloud.paulbeard.org
verify return:1
---
Certificate chain
 0 s:CN = cloud.paulbeard.org
   i:C = US, O = Let's Encrypt, CN = R3



--
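An added example, not code from this thread or from either poster, that turns the check Waitman did by hand into something repeatable. It parses `openssl s_client` transcripts (the three embedded below are constructed, modelled on the ones posted above, not captured live) and reports every host whose leaf certificate CN does not cover the name that was requested; it also carries a live check through the `ssl` module. The names `SAMPLE_SCLIENT`, `leaf_subject`, `hostname_matches`, `audit_transcripts` and `live_cert_names` and the `address`/`sni` parameters are this example's own. Two caveats a practitioner will want: the `depth=0` line that s_client prints shows only the subject CN, and a Let's Encrypt certificate may list further names in its subjectAltName, so the transcript audit is a first pass and the live function reads the SANs instead. And the certificate nginx picks depends on the SNI name the client sends (`server_hostname` here) and on which server blocks are bound to the address:port the client actually reached; the posted block has `listen 443 ssl http2;` commented out and listens only on `[::]:443`, so if some other server block listens on IPv4 port 443, an IPv4 connection for paulbeard.org is answered by nginx's default server for that socket. The `address` parameter lets you connect to the IPv4 and IPv6 addresses separately with the same SNI to tell those cases apart.

```python
"""Audit which certificate a TLS server hands out for each requested hostname.

Offline part: parse `openssl s_client -showcerts` output and compare the leaf CN
with the host that was asked for.  Online part: do the same via the ssl module,
controlling SNI (server_hostname) and the address connected to.
"""
import re
import socket
import ssl
from typing import Dict, List, Optional

# Constructed transcripts in the shape of `openssl s_client -showcerts` output,
# modelled on the three posted in the thread (embedded here, not captured live).
SAMPLE_SCLIENT: Dict[str, str] = {
    "cloud.paulbeard.org": (
        "CONNECTED(00000004)\n"
        "depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1\n"
        "verify return:1\n"
        "depth=1 C = US, O = Let's Encrypt, CN = R3\n"
        "verify return:1\n"
        "depth=0 CN = paulbeard.org\n"
        "verify return:1\n"
    ),
    "paulbeard.org": (
        "CONNECTED(00000004)\n"
        "depth=1 C = US, O = Let's Encrypt, CN = R3\n"
        "verify return:1\n"
        "depth=0 CN = cloud.paulbeard.org\n"
        "verify return:1\n"
    ),
    "www.paulbeard.org": (
        "depth=0 CN = cloud.paulbeard.org\n"
        "verify return:1\n"
    ),
}

LEAF_RE = re.compile(r"^depth=0 (.*)$", re.MULTILINE)


def leaf_subject(sclient_output: str) -> Dict[str, str]:
    """Return the leaf (depth=0) subject as a dict, e.g. {"CN": "paulbeard.org"}.

    Splitting on ',' is enough for the one-line RDN format s_client prints for
    these certificates; a DN containing an escaped comma would be mis-split.
    """
    m = LEAF_RE.search(sclient_output)
    if m is None:
        raise ValueError("no depth=0 line: handshake failed or no -showcerts output")
    subject: Dict[str, str] = {}
    for part in m.group(1).split(","):
        key, _, value = part.partition("=")
        subject[key.strip()] = value.strip()
    return subject


def hostname_matches(hostname: str, names: List[str]) -> bool:
    """RFC 6125-style DNS-ID match: exact, or a single leftmost wildcard label."""
    host = hostname.lower().rstrip(".")
    for name in names:
        n = name.lower().rstrip(".")
        if n == host:
            return True
        if n.startswith("*."):
            suffix = n[1:]  # "*.example.org" -> ".example.org"
            label = host[: -len(suffix)] if host.endswith(suffix) else ""
            # the wildcard covers exactly one label and never the bare parent name
            if label and "." not in label:
                return True
    return False


def audit_transcripts(transcripts: Dict[str, str]) -> Dict[str, str]:
    """Map each requested host to the leaf CN served, for hosts the CN does not cover."""
    mismatches: Dict[str, str] = {}
    for host, output in transcripts.items():
        cn = leaf_subject(output).get("CN", "")
        if not hostname_matches(host, [cn]):
            mismatches[host] = cn
    return mismatches


def live_cert_names(host: str, address: Optional[str] = None, port: int = 443,
                    sni: bool = True, timeout: float = 5.0) -> List[str]:
    """Connect to `address` (or `host`), send SNI=`host` unless sni=False, and
    return the leaf certificate's subjectAltName DNS entries.

    Hostname checking is switched off so a mismatched certificate comes back for
    inspection instead of aborting the handshake; chain verification stays on,
    because getpeercert() returns {} for an unverified peer.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((address or host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host if sni else None) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    for requested, cn in audit_transcripts(SAMPLE_SCLIENT).items():
        print(f"{requested}: leaf CN is {cn}, which does not cover the requested name")
    # Live check (needs network), e.g.:
    #   names = live_cert_names("www.example.org")
    #   names_v4 = live_cert_names("www.example.org", address="203.0.113.10")
    #   ok = hostname_matches("www.example.org", names)
```

Run against the constructed transcripts it flags all three hosts, which is the picture Waitman describes. For a real diagnosis, call `live_cert_names` once per hostname and once per address family with the same SNI, then feed the returned SAN list to `hostname_matches`; `sni=False` shows what a client that sends no SNI is given, which is nginx's default server for that socket.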