You should also check the ECC one, but I think everything is fine.
Yes, that is how it should all work.
OK. We're all set. Thanks again for your perseverance. I have marked your post that highlights the problem as the solution.
I already asked in another post whether it makes sense to keep the obsolete RSA certificate; I hope it gets removed soon.
Something is wrong: I have just deleted the old certificates and created new ones with the following rewrite, but the certificate was not created for www as well:
`cat /var/discourse/containers/app.yml`:

```yaml
after_ssl:
  # tell letsencrypt which additional certificates to get
  - replace:
      filename: "/etc/runit/1.d/letsencrypt"
      from: /--keylength/
      to: "-d www.rpg-foren.com --keylength"
  - replace:
      filename: "/etc/runit/1.d/letsencrypt"
      from: /--fullchainpath/
      to: "-d www.rpg-foren.com --fullchainpath"
      global: true
```
`cat /etc/runit/1.d/letsencrypt`:

```bash
#!/bin/bash
/usr/sbin/nginx -c /etc/nginx/letsencrypt.conf

issue_cert() {
  LE_WORKING_DIR="${LETSENCRYPT_DIR}" /shared/letsencrypt/acme.sh --issue $2 -d rpg-foren.com -d www.rpg-foren.com --keylength $1 -w /var/www/discourse/public
}

cert_exists() {
  [[ "$(cd /shared/letsencrypt/rpg-foren.com$1 && openssl verify -CAfile <(openssl x509 -in ca.cer) fullchain.cer | grep "OK")" ]]
}

########################################################
# RSA certificate
########################################################
issue_cert "4096"
if ! cert_exists ""; then
  # Try to issue the certificate again if something went wrong
  issue_cert "4096" "--force"
fi

LE_WORKING_DIR="${LETSENCRYPT_DIR}" /shared/letsencrypt/acme.sh \
  --installcert \
  -d rpg-foren.com \
  -d www.rpg-foren.com --fullchainpath /shared/ssl/rpg-foren.com.cer \
  --keypath /shared/ssl/rpg-foren.com.key \
  --reloadcmd "sv reload nginx"

########################################################
# ECDSA certificate
########################################################
issue_cert "ec-256"
if ! cert_exists "_ecc"; then
  # Try to issue the certificate again if something went wrong
  issue_cert "ec-256" "--force"
fi

LE_WORKING_DIR="${LETSENCRYPT_DIR}" /shared/letsencrypt/acme.sh \
  --installcert --ecc \
  -d rpg-foren.com \
  -d www.rpg-foren.com --fullchainpath /shared/ssl/rpg-foren.com_ecc.cer \
  --keypath /shared/ssl/rpg-foren.com_ecc.key \
  --reloadcmd "sv reload nginx"

if cert_exists "" || cert_exists "_ecc"; then
  grep -q 'force_https' "/var/www/discourse/config/discourse.conf" || echo "force_https = 'true'" >> "/var/www/discourse/config/discourse.conf"
fi

/usr/sbin/nginx -c /etc/nginx/letsencrypt.conf -s stop
```
`openssl x509 -in /var/discourse/shared/standalone/ssl/rpg-foren.com_ecc.cer -noout -text`:

```text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:f0:89:90:30:4f:d5:9b:40:00:9e:96:9a:d7:d0:dc:78:d5
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: C = US, O = Let's Encrypt, CN = E6
        Validity
            Not Before: Sep 23 15:23:00 2024 GMT
            Not After : Dec 22 15:22:59 2024 GMT
        Subject: CN = rpg-foren.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:3a:65:89:b0:9b:07:c2:ef:f7:43:f8:f7:2e:e5:
                    8e:f8:47:76:19:cc:e6:98:50:e4:18:b7:9b:e0:f0:
                    60:49:ed:06:5c:66:d0:7b:79:07:84:0f:75:36:4b:
                    70:98:1d:76:6b:15:20:8f:c5:6d:43:cc:b8:12:a1:
                    eb:5a:d8:0f:7f
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                7F:CC:80:95:73:18:45:96:CD:73:16:0D:69:CA:4F:5E:54:D4:C1:13
            X509v3 Authority Key Identifier:
                93:27:46:98:03:A9:51:68:8E:98:D6:C4:42:48:DB:23:BF:58:94:D2
            Authority Information Access:
                OCSP - URI:http://e6.o.lencr.org
                CA Issuers - URI:http://e6.i.lencr.org/
            X509v3 Subject Alternative Name:
                DNS:rpg-foren.com
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : A2:E3:0A:E4:45:EF:BD:AD:9B:7E:38:ED:47:67:77:53:
                                D7:82:5B:84:94:D7:2B:5E:1B:2C:C4:B9:50:A4:47:E7
                    Timestamp : Sep 23 16:21:30.838 2024 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:F4:3A:0D:45:49:BE:EB:7D:9F:03:C1:
                                36:53:77:49:23:6F:E4:57:2B:68:01:5A:31:EB:DB:B4:
                                1D:1B:30:EA:44:02:21:00:A1:DA:11:1B:2B:59:BB:86:
                                BF:0B:DC:F6:45:9A:DB:77:DB:A4:DF:1B:4D:74:6A:51:
                                9A:2A:A0:80:CC:E8:F3:CF
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 76:FF:88:3F:0A:B6:FB:95:51:C2:61:CC:F5:87:BA:34:
                                B4:A4:CD:BB:29:DC:68:42:0A:9F:E6:67:4C:5A:3A:74
                    Timestamp : Sep 23 16:21:30.896 2024 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:0A:B1:11:58:B1:41:F3:B4:90:13:55:9C:
                                E2:AD:D1:B8:0B:E9:15:A1:C9:4C:5C:AC:CC:1D:22:46:
                                6F:FC:64:C4:02:20:4A:EA:C9:AD:99:E3:0A:86:6C:3E:
                                80:EF:21:D8:DE:A4:83:EA:B6:E6:27:96:C1:98:92:4A:
                                7B:F0:87:38:41:20
    Signature Algorithm: ecdsa-with-SHA384
    Signature Value:
        30:66:02:31:00:89:8d:24:d5:88:52:bb:f8:9e:db:d8:4c:ef:
        33:c6:ea:c0:92:60:5f:42:55:e9:47:4f:2c:07:02:94:6d:d0:
        32:14:8a:46:6b:c9:b1:24:e4:ff:34:32:d1:0b:d3:7c:df:02:
        31:00:8c:2f:42:67:62:c0:4c:63:9d:8e:52:21:9a:a8:76:e5:
        7d:a3:27:22:f2:1b:25:07:d0:86:44:ae:26:33:8b:70:7b:b2:
        cc:e5:85:30:a6:1c:8f:b1:51:d2:cf:d1:61:0d
```
`openssl x509 -in /var/discourse/shared/standalone/ssl/rpg-foren.com.cer -noout -text`:

```text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:c8:d5:4a:f1:f4:9b:4f:23:b0:17:be:25:27:97:9b:2c:c2
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = R10
        Validity
            Not Before: Sep 23 15:22:54 2024 GMT
            Not After : Dec 22 15:22:53 2024 GMT
        Subject: CN = rpg-foren.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:c9:ac:0e:03:50:58:be:48:e5:57:4f:86:8c:2c:
                    01:da:4d:08:c2:1f:e2:02:c4:73:98:f6:e7:04:a2:
                    68:ce:44:21:3e:f8:d7:cb:f8:bd:1c:ba:8f:a4:8b:
                    11:61:c9:8e:49:ef:a1:88:15:f3:41:1a:41:7f:80:
                    6a:fb:48:64:b2:2e:d6:79:e2:d0:b1:a1:bc:6b:91:
                    ec:76:96:8a:37:f4:24:14:d9:e9:a4:89:2a:49:c1:
                    bb:f1:26:98:15:4f:8e:e9:20:5f:bb:64:02:f9:4f:
                    93:e2:35:45:15:a8:66:c0:a9:92:97:5f:7e:f8:bd:
                    65:86:dc:05:9f:46:c8:b7:59:e1:1f:cc:c7:8c:ad:
                    fa:e3:fb:27:1f:92:45:16:45:9d:ab:4d:5c:29:5d:
                    7b:96:cc:26:62:69:c3:44:42:e1:7f:de:e3:32:b9:
                    4e:d2:86:c7:a5:e0:c8:40:bf:b8:5d:d9:fc:6f:70:
                    23:7b:07:23:0b:88:6b:6f:07:3b:18:76:f9:45:8b:
                    31:4c:9c:7f:34:d7:36:1f:59:51:42:8a:d8:d7:08:
                    d9:6b:72:f2:d1:9e:44:16:dd:3b:07:48:ca:a9:ee:
                    7c:fd:98:b1:4c:99:a4:71:62:c4:eb:ee:bc:d8:46:
                    c6:39:7c:ce:a5:4c:1d:0d:9e:ca:9b:00:46:e3:46:
                    0a:14:2a:19:f9:2e:5a:3e:98:f8:81:ac:72:c9:d7:
                    17:08:0b:40:e7:14:26:dd:87:15:45:6d:58:c1:61:
                    d3:02:e8:4d:84:70:e8:73:ba:ea:ae:47:5b:fe:e4:
                    58:5d:43:c7:eb:d9:17:1c:bc:1d:77:85:ac:74:6c:
                    a5:4d:b3:58:98:22:be:cc:dc:cb:90:49:90:c6:d5:
                    9a:4b:dd:13:bf:71:2e:f7:f5:d3:67:e8:54:66:cf:
                    e4:d4:24:78:5f:87:d1:2a:c5:fa:1e:53:f8:d1:f0:
                    5b:29:d1:fb:0b:21:24:cf:4e:73:da:c3:0b:d2:b9:
                    cd:75:5a:70:12:ca:e5:fb:37:ca:07:46:7a:41:5d:
                    5f:3b:7b:e4:91:7a:3d:6f:1f:3a:90:a9:6d:47:3f:
                    27:3e:9b:a0:e5:da:d2:22:e5:71:37:69:8b:0c:c1:
                    42:05:2c:ba:70:d9:8e:d2:af:25:e1:64:4e:e2:3b:
                    2d:a1:a8:14:f1:bb:18:0e:17:83:8c:04:ee:67:34:
                    5f:bf:c1:00:53:3c:da:9d:74:9b:5b:69:6d:f5:dd:
                    d6:0a:4f:03:66:a2:25:79:8c:cb:8e:ed:0d:c3:06:
                    38:44:ad:36:60:07:19:7e:09:86:c1:d3:f2:08:e8:
                    72:ca:7d:c8:c7:48:2d:39:7b:17:5c:a8:b9:80:dd:
                    73:57:05
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                FE:E1:BC:4C:C3:11:44:83:80:48:E6:F4:AB:B8:DE:AE:93:4F:2E:8F
            X509v3 Authority Key Identifier:
                BB:BC:C3:47:A5:E4:BC:A9:C6:C3:A4:72:0C:10:8D:A2:35:E1:C8:E8
            Authority Information Access:
                OCSP - URI:http://r10.o.lencr.org
                CA Issuers - URI:http://r10.i.lencr.org/
            X509v3 Subject Alternative Name:
                DNS:rpg-foren.com
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 48:B0:E3:6B:DA:A6:47:34:0F:E5:6A:02:FA:9D:30:EB:
                                1C:52:01:CB:56:DD:2C:81:D9:BB:BF:AB:39:D8:84:73
                    Timestamp : Sep 23 16:21:24.622 2024 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:21:00:BD:C6:D8:48:E3:CD:EA:A7:41:E4:27:
                                FE:34:0C:47:A6:1F:78:6F:61:70:4F:39:B5:BE:22:2F:
                                39:E1:41:CE:53:02:20:69:1E:20:E0:42:25:40:76:D4:
                                B0:66:08:15:D7:9C:CC:4F:BC:A4:A2:1E:C6:36:0E:0B:
                                25:F5:7B:2D:30:85:3A
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 3F:17:4B:4F:D7:22:47:58:94:1D:65:1C:84:BE:0D:12:
                                ED:90:37:7F:1F:85:6A:EB:C1:BF:28:85:EC:F8:64:6E
                    Timestamp : Sep 23 16:21:24.621 2024 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:9E:CF:69:F9:27:E3:B0:4E:7D:DC:2D:
                                13:99:CD:8D:8C:B2:99:0B:B1:CA:82:83:07:2B:91:F7:
                                1B:71:EB:7B:ED:02:21:00:91:C6:62:90:C3:ED:ED:07:
                                62:1A:EC:43:02:C6:FE:F3:87:6A:0E:9C:C3:D7:54:1B:
                                69:3F:3F:FF:31:00:F6:6D
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        51:76:6c:49:3c:86:ea:b0:14:35:ca:85:63:27:de:76:ce:5c:
        f2:17:83:28:f8:55:a3:31:f2:4a:32:ae:35:13:35:4b:95:54:
        de:be:d7:b7:23:04:cf:2e:5b:e7:4f:cc:0b:90:58:fe:f8:14:
        1a:16:a6:ec:1d:18:ec:36:e3:9a:dd:47:b6:e7:66:c9:6d:30:
        cf:ab:d3:2d:9f:c6:c8:65:67:23:c1:3d:2e:b3:0c:c8:62:9c:
        7a:ee:5d:f1:97:ea:b8:2e:a3:fb:3c:89:14:60:1e:e4:b7:9c:
        8c:3c:af:18:aa:c2:68:06:aa:55:9b:cc:0c:5f:c4:ac:90:d1:
        a2:c0:13:ed:71:0f:de:8d:0b:a8:1e:c1:1b:ea:38:b7:75:db:
        66:b6:fc:68:16:7c:3c:11:5a:e6:f0:37:bc:26:83:ae:43:68:
        68:71:d7:da:02:15:ef:50:5b:3e:6a:b3:6a:f7:7a:1f:a0:fc:
        f3:f3:c7:43:2c:a2:e0:59:ba:1b:5c:7c:1b:03:7c:52:d1:6e:
        2b:db:a2:dc:2d:69:9c:36:fe:b5:98:68:9f:67:8a:61:c8:8c:
        6b:0e:b7:59:dc:92:92:d2:84:99:37:e7:ed:2f:47:a9:2a:a9:
        b4:47:99:eb:64:8a:f2:57:09:16:d7:03:99:a9:fc:c2:1e:f8:
        61:3a:a7:23
```
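Both dumps in the post above show a `Subject Alternative Name` extension that lists only `DNS:rpg-foren.com`, which is what a browser checks (the CN alone does not count), so `www.rpg-foren.com` is not covered by either certificate even though the issue command asks for it. A small check that reads `openssl x509 -noout -text` output and reports which expected names are missing, together with the days left before expiry, makes this kind of regression visible immediately after a renewal. This is an added example, not code from the thread or from Discourse; the two sample dumps inside it are constructed and abbreviated (hex blobs and SCTs left out) so the script runs offline. To check a live file, feed it the output of the same `openssl x509` command shown in the post.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the shape of `openssl x509 -noout -text` output
# (hex blobs and SCTs elided); it is not one of the certificates from the thread.
SAMPLE_SAN_APEX_ONLY = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: C = US, O = Let's Encrypt, CN = E6
        Validity
            Not Before: Sep 23 15:23:00 2024 GMT
            Not After : Dec 22 15:22:59 2024 GMT
        Subject: CN = rpg-foren.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:rpg-foren.com
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
    Signature Algorithm: ecdsa-with-SHA384
"""

# Second constructed sample: the same dump as it would look if the SAN covered www too.
SAMPLE_SAN_BOTH = SAMPLE_SAN_APEX_ONLY.replace(
    "DNS:rpg-foren.com\n", "DNS:rpg-foren.com, DNS:www.rpg-foren.com\n")


def parse_openssl_time(s):
    """Parse a time as openssl prints it, e.g. 'Dec 22 15:22:59 2024 GMT'."""
    parts = s.split()  # collapses the day padding in 'Sep  3'
    if parts and parts[-1] in ("GMT", "UTC"):
        parts = parts[:-1]
    return datetime.strptime(" ".join(parts), "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def parse_cert_text(text):
    """Pull subject CN, SAN DNS names, expiry and algorithms out of `openssl x509 -text` output."""
    info = {"subject_cn": None, "sans": [], "not_after": None, "sig_alg": None, "key_alg": None}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        s = line.strip()
        if s.startswith("Subject:"):
            m = re.search(r"CN\s*=\s*([^,]+)", s)
            if m:
                info["subject_cn"] = m.group(1).strip()
        elif s.startswith("Not After"):
            info["not_after"] = parse_openssl_time(s.split(":", 1)[1])
        elif s.startswith("Signature Algorithm:") and info["sig_alg"] is None:
            info["sig_alg"] = s.split(":", 1)[1].strip()
        elif s.startswith("Public Key Algorithm:"):
            info["key_alg"] = s.split(":", 1)[1].strip()
        elif s.startswith("X509v3 Subject Alternative Name"):
            # SAN entries follow on one or more lines, comma separated; stop at the next extension.
            for nxt in lines[i + 1:]:
                t = nxt.strip()
                if not re.match(r"(DNS|IP Address|email|URI|othername):", t):
                    break
                for entry in t.split(","):
                    entry = entry.strip()
                    if entry.startswith("DNS:"):
                        info["sans"].append(entry[4:].strip().lower())
    return info


def check_cert(text, expected_names, now=None):
    """Report expected names absent from the SAN and the days left before expiry."""
    info = parse_cert_text(text)
    now = now or datetime.now(timezone.utc)
    expected = {n.lower() for n in expected_names}
    # Only SAN entries count: modern TLS clients ignore the CN for hostname matching.
    missing = sorted(expected - set(info["sans"]))
    days_left = (info["not_after"] - now).days if info["not_after"] else None
    return {
        "subject_cn": info["subject_cn"],
        "sans": info["sans"],
        "key_alg": info["key_alg"],
        "sig_alg": info["sig_alg"],
        "missing": missing,
        "days_left": days_left,
    }


if __name__ == "__main__":
    wanted = ["rpg-foren.com", "www.rpg-foren.com"]
    for label, dump in (("apex only", SAMPLE_SAN_APEX_ONLY), ("apex + www", SAMPLE_SAN_BOTH)):
        r = check_cert(dump, wanted)
        status = "OK" if not r["missing"] else "MISSING " + ", ".join(r["missing"])
        print(f"{label}: {r['key_alg']} / {r['sig_alg']}, SAN={r['sans']}, {status}, "
              f"{r['days_left']} days left")
```

Run it against the real files with something like `openssl x509 -in /shared/ssl/rpg-foren.com_ecc.cer -noout -text | python3 check_san.py` after adapting `__main__` to read `sys.stdin`; a non-empty `missing` list is the signal that the issue step did not produce the certificate you asked for, regardless of what the install step reported.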
I have just recreated them manually as described here.