Renewals failing after upgrade to debian 11

Also this:

server {
    if ($host = app.setpad.ca) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = www.setpad.ca) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = setpad.ca) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
}

That looks like dormant code. The redirect on port 80 (HTTP) goes to some domain name that is not yours. So, I am extremely confident it is at your WP Engine service.

In any case, you don't have to delete those lines if you don't want. Yes, go ahead with:

rm /etc/letsencrypt/renewal/setpad.ca.conf
certbot delete --cert-name setpad.ca-0001
certbot delete --cert-name setpad.ca-0002

Note: We can make a new cert for setpad that actually works if we need to :slight_smile:

2 Likes

Not unless you copied them from the Certbot folders. You could check dates and sizes of the files.

The things we are deleting are a cert that expired almost 2 years ago, a cert you got just today (the wildcard) and a completely broken cert profile.

There is little harm from getting rid of those even if some other service used them. We would need to fix them anyway if the expired cert was copied elsewhere.

2 Likes

Done!

sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/app.setpad.ca.conf


Simulating renewal of an existing certificate for app.setpad.ca


Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/app.setpad.ca/fullchain.pem (success)


3 Likes

But then I guess we have next steps?

Yes, let's check your renew with

certbot renew --dry-run
2 Likes

Done. See the update to the Chris Farley gif post

And this:
certbot certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: app.setpad.ca
    Serial Number: 3331feeef637eed228efcebd78e3267e4ec
    Key Type: RSA
    Domains: app.setpad.ca
    Expiry Date: 2024-02-16 11:19:57+00:00 (VALID: 39 days)
    Certificate Path: /etc/letsencrypt/live/app.setpad.ca/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/app.setpad.ca/privkey.pem

good. Certs looking good

Now, what's wrong with the actual HTTPS connection to app.setpad.ca ?

curl -i https://app.setpad.ca
curl: (92) HTTP/2 stream 0 was not closed cleanly: INTERNAL_ERROR (err 2)

The Certbot renew for app uses --nginx plugin so your nginx must be able to reload okay. You may need to check your nginx error log for hints about this.

We could also have you post entire output of this

sudo nginx -T

By the way, your nginx 1.10 is out of service for like 7 years now

2 Likes

I can upgrade Nginx to 1.18 if you are ok with it.

There is one recurring error in the mysql error log but it doesn't seem triggered when I curl to it. Actually it seemed to have stopped an hour ago:
2024-01-07 14:25:43 163 [Warning] Aborted connection 163 to db: 'unconnected' user: 'unauthenticated' host: 'ec2-3-82-92-41.compute-1.amazonaws.com' (This connection closed normally without authentication)

Is it ok to post the full nginx -T output here?

Yes, unless you have some unusual private info there (passwords in the clear)

Was there anything in nginx error log? The mysql error doesn't look related to nginx to me.

Did https to that domain ever work since you upgraded to Debian 11? I am not certain I tested HTTPS to it - was more focused just on the certs and your other domain working through Cloudflare/WP Engine.

2 Likes

Sorry. Wrong log. Here are the last 3 messages in the nginx error log:

2024/01/07 15:53:17 [crit] 8237#8237: *15 SSL_do_handshake() failed (SSL: error:14201044:SSL routines:tls_choose_sigalg:internal error) while SSL handshaking, client: 172.104.25.248, server: 0.0.0.0:443
2024/01/07 16:07:35 [crit] 8237#8237: *61 SSL_do_handshake() failed (SSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol) while SSL handshaking, client: 170.64.128.28, server: 0.0.0.0:443
2024/01/07 16:07:36 [crit] 8237#8237: *65 SSL_do_handshake() failed (SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking, client: 170.64.128.28, server: 0.0.0.0:443

HTTPS must have worked prior to the upgrade, otherwise some clients would have displayed unsecured signals.

Does this test give any more info?:

# openssl s_client -connect app.setpad.ca:443
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = app.setpad.ca
verify return:1
---
Certificate chain
 0 s:CN = app.setpad.ca
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
subject=CN = app.setpad.ca

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4512 bytes and written 385 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 7ECC43005A5D528F1FC9FB5D9236A6C5B276EE3CEE05AB60EFC7FDCD6458FA8F
    Session-ID-ctx: 
    Resumption PSK: 9805785B4FA959FEA5A83C00D7C80711F3275D9B1171A7381DF6787B89A08291125083087448A99BBB9212D56783E124
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:

    Start Time: 1704661429
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
nginx -T
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
        # multi_accept on;
}

http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        # server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        #ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
        ssl_protocols TLSv1.2; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        gzip on;
        gzip_disable "msie6";

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;

include /etc/nginx/blacklist; ## NEW
}


#mail {
#       # See sample authentication script at:
#       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
# 
#       # auth_http localhost/auth.php;
#       # pop3_capabilities "TOP" "USER";
#       # imap_capabilities "IMAP4rev1" "UIDPLUS";
# 
#       server {
#               listen     localhost:110;
#               protocol   pop3;
#               proxy      on;
#       }
# 
#       server {
#               listen     localhost:143;
#               protocol   imap;
#               proxy      on;
#       }
#}

# configuration file /etc/nginx/modules-enabled/50-mod-http-auth-pam.conf:
load_module modules/ngx_http_auth_pam_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-dav-ext.conf:
load_module modules/ngx_http_dav_ext_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-echo.conf:
load_module modules/ngx_http_echo_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-geoip.conf:
load_module modules/ngx_http_geoip_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:
load_module modules/ngx_http_image_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-subs-filter.conf:
load_module modules/ngx_http_subs_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-upstream-fair.conf:
load_module modules/ngx_http_upstream_fair_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:
load_module modules/ngx_http_xslt_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:
load_module modules/ngx_mail_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:
load_module modules/ngx_stream_module.so;

# configuration file /etc/nginx/mime.types:

types {
    text/html                             html htm shtml;
    text/css                              css;
    text/xml                              xml;
    image/gif                             gif;
    image/jpeg                            jpeg jpg;
    application/javascript                js;
    application/atom+xml                  atom;
    application/rss+xml                   rss;

    text/mathml                           mml;
    text/plain                            txt;
    text/vnd.sun.j2me.app-descriptor      jad;
    text/vnd.wap.wml                      wml;
    text/x-component                      htc;

    image/png                             png;
    image/tiff                            tif tiff;
    image/vnd.wap.wbmp                    wbmp;
    image/x-icon                          ico;
    image/x-jng                           jng;
    image/x-ms-bmp                        bmp;
    image/svg+xml                         svg svgz;
    image/webp                            webp;

    application/font-woff                 woff;
    application/java-archive              jar war ear;
    application/json                      json;
    application/mac-binhex40              hqx;
    application/msword                    doc;
    application/pdf                       pdf;
    application/postscript                ps eps ai;
    application/rtf                       rtf;
    application/vnd.apple.mpegurl         m3u8;
    application/vnd.ms-excel              xls;
    application/vnd.ms-fontobject         eot;
    application/vnd.ms-powerpoint         ppt;
    application/vnd.wap.wmlc              wmlc;
    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/x-7z-compressed           7z;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-perl                    pl pm;
    application/x-pilot                   prc pdb;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            der pem crt;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xspf+xml                  xspf;
    application/zip                       zip;

    application/octet-stream              bin exe dll;
    application/octet-stream              deb;
    application/octet-stream              dmg;
    application/octet-stream              iso img;
    application/octet-stream              msi msp msm;

    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
    application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;

    audio/midi                            mid midi kar;
    audio/mpeg                            mp3;
    audio/ogg                             ogg;
    audio/x-m4a                           m4a;
    audio/x-realaudio                     ra;

    video/3gpp                            3gpp 3gp;
    video/mp2t                            ts;
    video/mp4                             mp4;
    video/mpeg                            mpeg mpg;
    video/quicktime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-m4v                           m4v;
    video/x-mng                           mng;
    video/x-ms-asf                        asx asf;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;
}

# configuration file /etc/nginx/conf.d/stub_status.conf:

# configuration file /etc/nginx/sites-enabled/setpad.ca:
server {
#  listen 80;
#  listen [::]:80;
  
  listen 443 http2 default_server;
  listen [::]:443 http2 default_server;

  root /var/www/html;
  index index.html;

  server_name setpad.ca www.setpad.ca app.setpad.ca;

  add_header headerKey "headerValue" always; # CF added - 2020-07-02

  ssl on;
    ssl_certificate /etc/letsencrypt/live/app.setpad.ca/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/app.setpad.ca/privkey.pem; # managed by Certbot

 
 
  location /htmlperso/ {
      alias /var/www/htmlperso/;
      #rewrite ^(.*)\/\/([a-zA-Z0-9-.:]*)\/?(.*)$ $2/$3 permanent;
      try_files $uri $uri/ /htmlperso/index.html;
      #try_files $uri $uri/ =404;
  }

  location / {
    try_files $uri $uri/ =404;

        if ($block_ua) {
        return 444;
        }
  }

  location /app {
      alias /var/www/html/app;
      try_files $uri $uri/ /app/index.html;

        if ($block_ua) {
        return 444;
        }
  }
  location /tempFiles {
      alias /home/setpad-server/fsroot/tempFiles;
  }

  location /recptFiles {
      alias /home/setpad-server/fsroot/recptFiles;
      types { application/octet-stream .pdf; }
      default_type application/octet-stream;
   } 
   
    location /api/ {
        proxy_read_timeout 1800s;
        proxy_connect_timeout 1800s;    
        proxy_send_timeout 1800;
        send_timeout 1800;
        proxy_pass https://clone1.setpad.ca:5000/;
        #proxy_pass https://localhost:5000/;
    
        proxy_http_version 1.1;
        proxy_buffers 8 64k;
        proxy_buffer_size 128k;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
        
    location /hooks/stripe {
        proxy_read_timeout 1800s;
        proxy_connect_timeout 1800s;    
        proxy_send_timeout 1800;
        send_timeout 1800;
        proxy_pass https://clone1.setpad.ca:5000/hooks/stripe;
        proxy_set_header X-SSL-CERT $ssl_client_cert; # attention: Deprecated in recent versions. replaced by $ssl_client_escapte_cert
   } 

    location /hooks/sgrid {
        proxy_read_timeout 1800s;
        proxy_connect_timeout 1800s;    
        proxy_send_timeout 1800;
        send_timeout 1800;
        proxy_pass https://clone1.setpad.ca:5000/hooks/sgrid;
        proxy_set_header X-SSL-CERT $ssl_client_cert; # attention: Deprecated in recent versions. replaced by $ssl_client_escapte_cert
   } 

   gzip on;
   gzip_types application/javascript image/* text/css;
   gunzip on;

ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

ssl_prefer_server_ciphers on;

ssl_dhparam /etc/letsencrypt/dhparams.pem;




}

server {
    if ($host = app.setpad.ca) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = www.setpad.ca) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = setpad.ca) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


  listen 0.0.0.0:80;
  server_name setpad.ca www.setpad.ca app.setpad.ca;
  rewrite ^ https://$host$request_uri? permanent;







}

server {
# required by Amplify
    listen 127.0.0.1:80;
    server_name 127.0.0.1;

    location /nginx_status {
        stub_status;
    }

}


# configuration file /etc/nginx/blacklist:
map $http_user_agent $block_ua {
        default           0;
~*(adbeat_bot|ahrefsbot|alexibot|appengine|aqua_products|archive.org_bot|archive|asterias|attackbot|b2w|backdoorbot|becomebot|blackwidow|blekkobot) 1;
        ~*(blowfish|botalot|builtbottough|bullseye|bunnyslippers|ccbot|cheesebot|cherrypicker|chinaclaw|chroot|clshttp|collector) 1;
        ~*(control|copernic|copyrightcheck|copyscape|cosmos|craftbot|crescent|curl|custo|demon) 1;
        ~*(disco|dittospyder|dotbot|download|downloader|dumbot|ecatch|eirgrabber|email|emailcollector) 1;
        ~*(emailsiphon|emailwolf|enterprise_search|erocrawler|eventmachine|exabot|express|extractor|extractorpro|eyenetie) 1;
        ~*(fairad|flaming|flashget|foobot|foto|gaisbot|getright|getty|getweb!|gigabot) 1;
        ~*(github|go!zilla|go-ahead-got-it|go-http-client|grabnet|grafula|grub|hari|harvest|hatena|antenna|hloader) 1;
        ~*(hmview|htmlparser|httplib|httrack|humanlinks|ia_archiver|indy|infonavirobot|interget|intraformant) 1;
        ~*(iron33|jamesbot|jennybot|jetbot|jetcar|joc|jorgee|kenjin|keyword|larbin|leechftp) 1;
        ~*(lexibot|library|libweb|libwww|linkextractorpro|linkpadbot|linkscan|linkwalker|lnspiderguy|looksmart) 1;
        ~*(lwp-trivial|mass|mata|midown|miixpc|mister|mj12bot|moget|msiecrawler|naver) 1;
        ~*(navroad|nearsite|nerdybot|netants|netmechanic|netspider|netzip|nicerspro|ninja|nutch) 1;
        ~*(octopus|offline|openbot|openfind|openlink|pagegrabber|papa|pavuk|pcbrowser|perl) 1;
        ~*(perman|picscout|propowerbot|prowebwalker|psbot|pycurl|pyq|pyth|python) 1;
        ~*(python-urllib|queryn|quester|radiation|realdownload|reget|retriever|rma|rogerbot|scan|screaming|frog|seo) 1;
        ~*(scooter|searchengineworld|searchpreview|semrush|semrushbot|semrushbot-sa|seokicks-robot|sitesnagger|smartdownload|sootle) 1;
        ~*(spankbot|spanner|spbot|spider|stanford|stripper|sucker|superbot|superhttp|surfbot|surveybot) 1;
        ~*(suzuran|szukacz|takeout|teleport|telesoft|thenomad|tocrawl|tool|true_robot|turingos) 1;
        ~*(twengabot|typhoeus|url_spider_pro|urldispatcher|urllib|urly|vampire|vci|voideye|warning) 1;
        ~*(webauto|webbandit|webcollector|webcopier|webcopy|webcraw|webenhancer|webfetch|webgo|webleacher) 1;
        ~*(webmasterworld|webmasterworldforumbot|webpictures|webreaper|websauger|webspider|webster|webstripper|webvac|webviewer) 1;
        ~*(webwhacker|webzip|webzip|wesee|wget|widow|woobot|www-collector-e|wwwoffle|xenu) 1;
}

nginx upgraded to 1.18

1 Like

Yeah in that it proves the certs are okay.

And, I see what is happening ... all is as you intend ...

You send a 444 response for the block_ua thing so

# Default curl user-agent gets blocked
curl -I https://app.setpad.ca
curl: (92) HTTP/2 stream 0 was not closed cleanly: PROTOCOL_ERROR (err 1)

# Looks like I am okay :)
curl -I https://app.setpad.ca -A "Test From Mike"
HTTP/2 200
server: nginx/1.18.0

# as are your other endpoints that don't block user-agents
curl -I https://app.setpad.ca/api/Test404
HTTP/2 404
server: nginx/1.18.0
2 Likes

Just a couple of optional suggestions

nginx 1.18 no longer uses the ssl on; and instead has ssl on listen statements for your https server blocks. So, now like this:

  listen 443 ssl http2 default_server;
  listen [::]:443 ssl http2 default_server;

You could change these 3

to:

  listen 80;
  listen [::]:80;
  server_name setpad.ca www.setpad.ca app.setpad.ca;
  return 404;

You already redirect valid requests to app to https. So, any weird requests are also being redirected. Better to just give them a 404. Certbot would set it up this way if you were doing this fresh with the --nginx plugin like you are.

You are listening on IPv6 for port 443 so you should for port 80 too. Just tidy to be consistent. Even if not using IPv6 yet it's an easy thing to forget about later.

2 Likes
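A small lint for the three suggestions above (obsolete `ssl on;`, port-443 listens without the `ssl` parameter, and a port-80 listen with no IPv6 counterpart), as an added example that is not code from the thread, Certbot or nginx. It assumes the input is a plain-text file such as saved `nginx -T` output; the two sample configs it writes are constructed to resemble the before/after state of the thread, not the poster's real file.

```shell
#!/bin/sh
# Added example, not from the thread: lint a saved `nginx -T` dump for the three
# points raised in the suggestions above. Sample configs below are constructed.

lint_nginx_tls_config() {
    cfg="$1"
    findings=0

    # 1. `ssl on;` is obsolete; nginx 1.18 expects `ssl` on the listen line.
    if grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' "$cfg"; then
        echo "obsolete 'ssl on;' found: put 'ssl' on the 443 listen lines instead"
        findings=$((findings + 1))
    fi

    # 2. Any port-443 listen line that lacks the ssl parameter.
    #    Commented-out listens ("#  listen ...") are ignored by the anchor.
    if grep -E '^[[:space:]]*listen[[:space:]]+([^;]*[^0-9])?443([^0-9]|$)' "$cfg" \
        | grep -Evq '[[:space:]]ssl([[:space:]]|;)'; then
        echo "port-443 listen without the 'ssl' parameter"
        findings=$((findings + 1))
    fi

    # 3. Wildcard IPv4 port-80 listen with no 'listen [::]:80;' anywhere in the
    #    file (file-level check, not per server block; 127.0.0.1:80 is skipped).
    if grep -Eq '^[[:space:]]*listen[[:space:]]+(0\.0\.0\.0:|\*:)?80([[:space:]]|;)' "$cfg" \
        && ! grep -Eq '^[[:space:]]*listen[[:space:]]+\[::\]:80([[:space:]]|;)' "$cfg"; then
        echo "IPv4 port-80 listen has no IPv6 counterpart ('listen [::]:80;')"
        findings=$((findings + 1))
    fi
    return "$findings"   # exit status = number of findings (0 = clean)
}

# Constructed sample shaped like the config before the suggestions were applied.
write_sample_before() {
    cat > "$1" <<'EOF'
server {
  listen 443 http2 default_server;
  listen [::]:443 http2 default_server;
  server_name setpad.ca www.setpad.ca app.setpad.ca;
  ssl on;
}
server {
  listen 0.0.0.0:80;
  server_name setpad.ca www.setpad.ca app.setpad.ca;
  rewrite ^ https://$host$request_uri? permanent;
}
EOF
}

# Constructed sample shaped like the config after the suggestions were applied.
write_sample_after() {
    cat > "$1" <<'EOF'
server {
  listen 443 ssl http2 default_server;
  listen [::]:443 ssl http2 default_server;
  server_name setpad.ca www.setpad.ca app.setpad.ca;
}
server {
  listen 80;
  listen [::]:80;
  server_name setpad.ca www.setpad.ca app.setpad.ca;
  return 404;
}
EOF
}

# Stand-alone demo: lint both constructed samples and report the counts.
demo() {
    f=$(mktemp)
    for s in write_sample_before write_sample_after; do
        "$s" "$f"
        echo "== $s"
        lint_nginx_tls_config "$f" && n=0 || n=$?
        echo "findings: $n"
    done
    rm -f "$f"
}
demo
```

Point it at a real dump with `nginx -T > /tmp/nginx.dump; lint_nginx_tls_config /tmp/nginx.dump`; check 3 is deliberately file-wide, so a site with several port-80 server blocks should be read block by block by hand.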

FYI: You might have experienced some failures just now, as I was trying to resolve some deprecation warnings from the nginx upgrade. But when I applied the fix, your curl command started failing. So I reverted to the config causing the deprecation warnings.

1 Like

Maybe check out my cross-post just before yours about some obsoleted syntax

2 Likes

I applied the recommended tweaks. Thank you for this!

2 Likes

I guess now remains automating renewals? This was working prior to the upgrade but I must have messed things up with my manual command?

1 Like

The renew command itself works (we tested it with --dry-run). But, yes, good idea to check the cronjob or systemd timer is still good after fresh Debian. You would not have broken it with the one --manual request (just affected that one cert not all of them)

So, see this and make sure
https://eff-certbot.readthedocs.io/en/latest/using.html#automated-renewals

2 Likes

Yes. The cronjob is exactly where it was prior to the upgrade.
What is the command that tells me when the next renewal is due? I'll pay attention.

1 Like