Re: any nginx/letsencrypt experts out there?
- In reply to: paul beard : "Re: any nginx/letsencrypt experts out there?"
Date: Fri, 16 Sep 2022 13:44:33 UTC
On Mon, Sep 12, 2022 at 6:39 PM paul beard <paulbeard@gmail.com> wrote:
>
> On Mon, Sep 12, 2022 at 5:30 PM Waitman Gobble <gobble.wa@gmail.com> wrote:
>
>> On Mon, Sep 12, 2022 at 11:46 PM paul beard <paulbeard@gmail.com> wrote:
>> >
>> > On Mon, Sep 12, 2022 at 11:45 AM paul beard <paulbeard@gmail.com> wrote:
>> >>
>> >> On Mon, Sep 12, 2022 at 7:23 AM Waitman Gobble <gobble.wa@gmail.com> wrote:
>> >>>
>> >>> On Mon, Sep 12, 2022 at 2:01 PM paul beard <paulbeard@gmail.com> wrote:
>> >>> >
>> >>> > On Sun, Sep 11, 2022 at 9:27 PM paul beard <paulbeard@gmail.com> wrote:
>> >>> >>
>> >>> >> On Sun, Sep 11, 2022 at 9:11 PM Ty John <ty-ml@eye-of-odin.com> wrote:
>> >>> >>>
>> >>> >>> ---- On Mon, 12 Sep 2022 13:21:30 +0930 Waitman Gobble wrote ---
>> >>> >>>
>> >>> >>> > On Mon, Sep 12, 2022 at 2:42 AM Ty John <ty-ml@eye-of-odin.com> wrote:
>> >>> >>> > >
>> >>> >>> > > That order should be fine. The more specific locations should be listed first, which is what you have. The redirect will trigger a new request which will match the first stanza.
>> >>> >>> > >
>> >>> >>> > > Anyway, it looks fine to me as long as the certs themselves are right.
>> >>> >>> > > I just checked the certs on https://paulbeard.org, https://www.paulbeard.org and https://cloud.paulbeard.org and they all seem fine to me.
>> >>> >>> > > I suspect it might be a browser issue as you mentioned. What happens in Safari?
>> >>> >>>
>> >>> >
>> >>> > Hmm. So Safari is still having issues. It is able to load the root as www.paulbeard.org but not without it. And the link to wordpress explicitly uses www but it gets rewritten without and then fails for lack of a secure connection. I'll need to track down how that rewriting is happening. Who knew Safari was so rigorous?
>> >>> >
>> >>> > This is the unadorned/non-www stanza: do I even need that in the year 2022?
>> >>> >
>> >>> > 71 server {
>> >>> > 72 #listen 443 ssl http2;
>> >>> > 73 listen [::]:443 ssl http2;
>> >>> > 74 server_name paulbeard.org;
>> >>> > 75 # if ($request ~* https://paulbeard.org) {
>> >>> > 76 # return 301 https://www.paulbeard.org;
>> >>> > 77 # }
>> >>> > 78 ssl_certificate /usr/local/etc/letsencrypt/live/paulbeard.org/fullchain.pem; # managed by Certbot
>> >>> > 79 ssl_certificate_key /usr/local/etc/letsencrypt/live/paulbeard.org/privkey.pem; # managed by Certbot
>> >>> > 80 include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
>> >>> > 81 ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
>> >>> > 82
>> >>> > 83 add_header X-Clacks-Overhead "GNU Terry Pratchett";
>> >>> > 84 # add Strict-Transport-Security to prevent man in the middle attacks
>> >>> > 85 add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
>> >>> > 86 #rewrite ^(.*) https://www.paulbeard.org$1 permanent; #+
>> >>> > 87 #return 301 https://$host$request_uri;
>> >>> > 88
>> >>> > 89
>> >>> > 90 root /usr/local/www/;
>> >>> > 91 disable_symlinks off;
>> >>> > 92
>> >>> > 93 }
>> >>> >
>> >>>
>> >>> Maybe your certs are kinda jumbled up?
>> >>>
>> >>
>> >> This is pretty accurate. I realized I wasn't pulling a certificate for the base domain/host name, since I had commented it out in the config. Seems like things have gotten jumbled indeed. I don't touch any of the config that certbot adds so I am wary of how I can unmuddle it. I have since restored that but now I see what I think is the real problem.
>> >>
>> >> This is the full list of certs I have… I seem to have gotten host and domain mixed up here, as these are hosts, not domains, and ideally should have just one certificate for all of them. Some cleanup seems to be required.
>> >>
>> >> Found the following certs:
>> >> Certificate Name: cloud.paulbeard.org
>> >> Serial Number: 4bdb35a6e5308f47e7934453b6d1552a330
>> >> Key Type: RSA
>> >> Domains: paulbeard.org cloud.paulbeard.org www.paulbeard.org
>> >> Expiry Date: 2022-12-04 16:14:05+00:00 (VALID: 82 days)
>> >> Certificate Path: /usr/local/etc/letsencrypt/live/cloud.paulbeard.org/fullchain.pem
>> >> Private Key Path: /usr/local/etc/letsencrypt/live/cloud.paulbeard.org/privkey.pem
>> >> Certificate Name: paulbeard.org
>> >> Serial Number: 44c82383b1da739543404608a77c9174d79
>> >> Key Type: RSA
>> >> Domains: paulbeard.org
>> >> Expiry Date: 2022-11-11 10:45:26+00:00 (VALID: 59 days)
>> >> Certificate Path: /usr/local/etc/letsencrypt/live/paulbeard.org/fullchain.pem
>> >> Private Key Path: /usr/local/etc/letsencrypt/live/paulbeard.org/privkey.pem
>> >> Certificate Name: www.paulbeard.org-0001
>> >> Serial Number: 4a865592d7d31d1465df0e7245eb88d9d13
>> >> Key Type: RSA
>> >> Domains: www.paulbeard.org
>> >> Expiry Date: 2022-12-10 23:29:48+00:00 (VALID: 89 days)
>> >> Certificate Path: /usr/local/etc/letsencrypt/live/www.paulbeard.org-0001/fullchain.pem
>> >> Private Key Path: /usr/local/etc/letsencrypt/live/www.paulbeard.org-0001/privkey.pem
>> >> Certificate Name: www.paulbeard.org
>> >> Serial Number: 4a730b954fead25d08fb8281c374c11014e
>> >> Key Type: RSA
>> >> Domains: cloud.paulbeard.org www.paulbeard.org
>> >> Expiry Date: 2022-12-10 21:33:36+00:00 (VALID: 89 days)
>> >> Certificate Path: /usr/local/etc/letsencrypt/live/www.paulbeard.org/fullchain.pem
>> >> Private Key Path: /usr/local/etc/letsencrypt/live/www.paulbeard.org/privkey.pem
>> >
>> > Some things about this are not making sense… sometimes the wordpress pages will load but not always. Sometimes different servers answer to the generic "paulbeard.org" URI (the cloud instance, for some reason, would be served). Something to do with listen [::]:443 ssl http2; being set, which makes no sense at all. I have removed it everywhere for now. IP6 traffic is far down my list of things to be bothered with.
>> >
>> > My main issue seems to be URI rewriting that I can't seem to find in the config. I get an error about 20 redirects and I don't see where that is happening. The rewrites are being logged…
>> >
>> > 2022/09/12 16:41:57 [notice] 5920#100651: *1742 rewritten redirect: "https://www.paulbeard.org/wordpress/", client: 192.168.0.5, server: paulbeard.org, request: "GET /wordpress/ HTTP/2.0", host: "paulbeard.org", referrer: "https://www.paulbeard.org/"
>> > 2022/09/12 16:41:57 [notice] 5920#100651: *1742 rewritten redirect: "https://www.paulbeard.org/wordpress/", client: 192.168.0.5, server: paulbeard.org, request: "GET /wordpress/ HTTP/2.0", host: "paulbeard.org", referrer: "https://www.paulbeard.org/"
>> > 2022/09/12 16:41:57 [notice] 5920#100651: *1742 rewritten redirect: "https://www.paulbeard.org/wordpress/", client: 192.168.0.5, server: paulbeard.org, request: "GET /wordpress/ HTTP/2.0", host: "paulbeard.org", referrer: "https://www.paulbeard.org/"
>> > 2022/09/12 16:41:58 [notice] 5920#100651: *1742 rewritten redirect: "https://www.paulbeard.org/wordpress/", client: 192.168.0.5, server: paulbeard.org, request: "GET /wordpress/ HTTP/2.0", host: "paulbeard.org", referrer: "https://www.paulbeard.org/"
>> > 2022/09/12 16:41:58 [notice] 5920#100651: *1742 rewritten redirect: "https://www.paulbeard.org/wordpress/", client: 192.168.0.5, server: paulbeard.org, request: "GET /wordpress/ HTTP/2.0", host: "paulbeard.org", referrer: "https://www.paulbeard.org/"
>> > 2022/09/12 16:41:58 [notice] 5920#100651: *1742 rewritten redirect: "https://www.paulbeard.org/wordpress/", client: 192.168.0.5, server: paulbeard.org, request: "GET /wordpress/ HTTP/2.0", host: "paulbeard.org", referrer: "https://www.paulbeard.org/"
>> > 2022/09/12 16:41:58 [notice] 5920#100651: *1742 rewritten redirect: "https://www.paulbeard.org/wordpress/", client: 192.168.0.5, server: paulbeard.org, request: "GET /wordpress/ HTTP/2.0", host: "paulbeard.org", referrer: "https://www.paulbeard.org/"
>> >
>> > This is the paulbeard.org stanza:
>> >
>> > 74 server {
>> > 75 listen 443 ssl http2;
>> > 76 server_name paulbeard.org;
>> > 77 root /usr/local/www/;
>> > 78 ssl_certificate /usr/local/etc/letsencrypt/live/paulbeard.org/fullchain.pem; # managed by Certbot
>> > 79 ssl_certificate_key /usr/local/etc/letsencrypt/live/paulbeard.org/privkey.pem; # managed by Certbot
>> > 80 include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
>> > 81 ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
>> > 82
>> > 83 add_header X-Clacks-Overhead "GNU Terry Pratchett";
>> > 84 # add Strict-Transport-Security to prevent man in the middle attacks
>> > 85 add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
>> > 86 rewrite ^(.*) https://www.paulbeard.org$1 permanent;
>> > 87 #return 301 https://$host$request_uri;
>> > 88
>> > 89
>> > 90 disable_symlinks off;
>> > 91
>> > 92 }
>> >
>> > The only active thing that looks like a rewrite is on line 86, and if I comment that out, the php pages are downloaded rather than parsed and displayed. That's not what I want.
>> >
>> > I have no idea how this got so messed up. I am working from a config that worked 3-4 days ago. I tried ripping out that stanza but something somewhere depends on it.
>> > --
>> > Paul Beard / www.paulbeard.org/
>>
>> It looks like you just want to redirect traffic to your www. ? This is all you need for that. I don't know what that Terry Pratchett header is but whatevers, and I think you don't really need http2 for a redirect but it probably shouldn't break anything.
>>
>> You don't presently have an AAAA record for your domain in DNS so IPv6 isn't going to be an issue.
>>
>> server {
>> listen 443 ssl http2;
>> server_name paulbeard.org;
>> ssl_certificate /usr/local/etc/letsencrypt/live/paulbeard.org/fullchain.pem; # managed by Certbot
>> ssl_certificate_key /usr/local/etc/letsencrypt/live/paulbeard.org/privkey.pem; # managed by Certbot
>> include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
>> ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
>> add_header X-Clacks-Overhead "GNU Terry Pratchett";
>> add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
>> return 301 https://www.paulbeard.org$request_uri;
>> }
>>
>> --
>> Waitman Gobble
>
> You know, I tried that very thing. It *should* work. It doesn't. And I can't see where the "more than 20 redirects" are creeping in. I assume it's ping-ponging back and forth between www and non-www but I can't see where that is explicitly declared/defined. After 20 or so it quits.
>
> grep redi nginx.conf
> rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;
> rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;
> rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;
> rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
> rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;
>
> grep rewr nginx.conf
> rewrite_log on;
> rewrite ^(.*) https://www.paulbeard.org$1 permanent;
> rewrite ^/wp-json/(.*?)$ /?rest_route=/$1 last;
> rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;
> rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;
> rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;
> #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
> #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
> rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
> rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;
> rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
>
> and I see traffic being logged, so this is partly an nginx mystery and a Safari bug. Firefox has the same issue.
>
> I also don't understand why this breaks the php interpreter:
> rewrite ^(.*) https://www.paulbeard.org$1 permanent;
>
> Ideally, the redirect would push the request to the www. listener and all the work would get done there. But that doesn't seem to be the case.
>
> Almost to the point where I copy in the last known-good config and see where I am, but that doesn't seem to make much difference. Occasionally it will work but not consistently over time.
>

Resolved by making the certificates and hosts/stanzas match the DNS records. The unadorned host/domain name gets the "logic" in the config file and CNAME www redirects to that. I guess Safari caught up with my lazy/short-sighted thinking.

--
Paul Beard / www.paulbeard.org/