También tendrías que revisar el ecc, pero creo que todo encaja.
Sí, así es como todo debería funcionar.
OK. Estamos listos. Gracias de nuevo por tu persistencia. He marcado tu publicación que señala el problema como la solución.
Ya pregunté en otra publicación si tiene sentido mantener el certificado rsa obsoleto, espero que se elimine pronto.
Algo no está del todo bien. Acabo de eliminar los certificados antiguos y he creado nuevos con la siguiente reescritura, pero el certificado tampoco se ha creado para www:
cat /var/discourse/containers/app.yml
after_ssl:
# decirle a letsencrypt qué certificados adicionales obtener
- replace:
filename: "/etc/runit/1.d/letsencrypt"
from: /--keylength/
to: "-d www.rpg-foren.com --keylength"
- replace:
filename: "/etc/runit/1.d/letsencrypt"
from: /--fullchainpath/
to: "-d www.rpg-foren.com --fullchainpath"
global: true
cat /etc/runit/1.d/letsencrypt
#!/bin/bash
/usr/sbin/nginx -c /etc/nginx/letsencrypt.conf
issue_cert() {
LE_WORKING_DIR="${LETSENCRYPT_DIR}" /shared/letsencrypt/acme.sh --issue $2 -d rpg-foren.com -d www.rpg-foren.com --keylength $1 -w /var/www/discourse/public
}
cert_exists() {
[[ "$(cd /shared/letsencrypt/rpg-foren.com$1 && openssl verify -CAfile <(openssl x509 -in ca.cer) fullchain.cer | grep "OK")" ]]
}
########################################################
# Certificado RSA
########################################################
issue_cert "4096"
if ! cert_exists ""; then
# Intentar emitir el certificado nuevamente si algo sale mal
issue_cert "4096" "--force"
fi
LE_WORKING_DIR="${LETSENCRYPT_DIR}" /shared/letsencrypt/acme.sh \
--installcert \
-d rpg-foren.com \
-d www.rpg-foren.com --fullchainpath /shared/ssl/rpg-foren.com.cer \
--keypath /shared/ssl/rpg-foren.com.key \
--reloadcmd "sv reload nginx"
########################################################
# Certificado ECDSA
########################################################
issue_cert "ec-256"
if ! cert_exists "_ecc"; then
# Intentar emitir el certificado nuevamente si algo sale mal
issue_cert "ec-256" "--force"
fi
LE_WORKING_DIR="${LETSENCRYPT_DIR}" /shared/letsencrypt/acme.sh \
--installcert --ecc \
-d rpg-foren.com \
-d www.rpg-foren.com --fullchainpath /shared/ssl/rpg-foren.com_ecc.cer \
--keypath /shared/ssl/rpg-foren.com_ecc.key \
--reloadcmd "sv reload nginx"
if cert_exists "" || cert_exists "_ecc"; then
grep -q 'force_https' "/var/www/discourse/config/discourse.conf" || echo "force_https = 'true'" >> "/var/www/discourse/config/discourse.conf"
fi
/usr/sbin/nginx -c /etc/nginx/letsencrypt.conf -s stop
openssl x509 -in /var/discourse/shared/standalone/ssl/rpg-foren.com_ecc.cer -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:f0:89:90:30:4f:d5:9b:40:00:9e:96:9a:d7:d0:dc:78:d5
Signature Algorithm: ecdsa-with-SHA384
Issuer: C = US, O = Let's Encrypt, CN = E6
Validity
Not Before: Sep 23 15:23:00 2024 GMT
Not After : Dec 22 15:22:59 2024 GMT
Subject: CN = rpg-foren.com
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:3a:65:89:b0:9b:07:c2:ef:f7:43:f8:f7:2e:e5:
8e:f8:47:76:19:cc:e6:98:50:e4:18:b7:9b:e0:f0:
60:49:ed:06:5c:66:d0:7b:79:07:84:0f:75:36:4b:
70:98:1d:76:6b:15:20:8f:c5:6d:43:cc:b8:12:a1:
eb:5a:d8:0f:7f
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
7F:CC:80:95:73:18:45:96:CD:73:16:0D:69:CA:4F:5E:54:D4:C1:13
X509v3 Authority Key Identifier:
93:27:46:98:03:A9:51:68:8E:98:D6:C4:42:48:DB:23:BF:58:94:D2
Authority Information Access:
OCSP - URI:http://e6.o.lencr.org
CA Issuers - URI:http://e6.i.lencr.org/
X509v3 Subject Alternative Name:
DNS:rpg-foren.com
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : A2:E3:0A:E4:45:EF:BD:AD:9B:7E:38:ED:47:67:77:53:
D7:82:5B:84:94:D7:2B:5E:1B:2C:C4:B9:50:A4:47:E7
Timestamp : Sep 23 16:21:30.838 2024 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:46:02:21:00:F4:3A:0D:45:49:BE:EB:7D:9F:03:C1:
36:53:77:49:23:6F:E4:57:2B:68:01:5A:31:EB:DB:B4:
1D:1B:30:EA:44:02:21:00:A1:DA:11:1B:2B:59:BB:86:
BF:0B:DC:F6:45:9A:DB:77:DB:A4:DF:1B:4D:74:6A:51:
9A:2A:A0:80:CC:E8:F3:CF
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 76:FF:88:3F:0A:B6:FB:95:51:C2:61:CC:F5:87:BA:34:
B4:A4:CD:BB:29:DC:68:42:0A:9F:E6:67:4C:5A:3A:74
Timestamp : Sep 23 16:21:30.896 2024 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:44:02:20:0A:B1:11:58:B1:41:F3:B4:90:13:55:9C:
E2:AD:D1:B8:0B:E9:15:A1:C9:4C:5C:AC:CC:1D:22:46:
6F:FC:64:C4:02:20:4A:EA:C9:AD:99:E3:0A:86:6C:3E:
80:EF:21:D8:DE:A4:83:EA:B6:E6:27:96:C1:98:92:4A:
7B:F0:87:38:41:20
Signature Algorithm: ecdsa-with-SHA384
Signature Value:
30:66:02:31:00:89:8d:24:d5:88:52:bb:f8:9e:db:d8:4c:ef:
33:c6:ea:c0:92:60:5f:42:55:e9:47:4f:2c:07:02:94:6d:d0:
32:14:8a:46:6b:c9:b1:24:e4:ff:34:32:d1:0b:d3:7c:df:02:
31:00:8c:2f:42:67:62:c0:4c:63:9d:8e:52:21:9a:a8:76:e5:
7d:a3:27:22:f2:1b:25:07:d0:86:44:ae:26:33:8b:70:7b:b2:
cc:e5:85:30:a6:1c:8f:b1:51:d2:cf:d1:61:0d
openssl x509 -in /var/discourse/shared/standalone/ssl/rpg-foren.com.cer -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
04:c8:d5:4a:f1:f4:9b:4f:23:b0:17:be:25:27:97:9b:2c:c2
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Let's Encrypt, CN = R10
Validity
Not Before: Sep 23 15:22:54 2024 GMT
Not After : Dec 22 15:22:53 2024 GMT
Subject: CN = rpg-foren.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:c9:ac:0e:03:50:58:be:48:e5:57:4f:86:8c:2c:
01:da:4d:08:c2:1f:e2:02:c4:73:98:f6:e7:04:a2:
68:ce:44:21:3e:f8:d7:cb:f8:bd:1c:ba:8f:a4:8b:
11:61:c9:8e:49:ef:a1:88:15:f3:41:1a:41:7f:80:
6a:fb:48:64:b2:2e:d6:79:e2:d0:b1:a1:bc:6b:91:
ec:76:96:8a:37:f4:24:14:d9:e9:a4:89:2a:49:c1:
bb:f1:26:98:15:4f:8e:e9:20:5f:bb:64:02:f9:4f:
93:e2:35:45:15:a8:66:c0:a9:92:97:5f:7e:f8:bd:
65:86:dc:05:9f:46:c8:b7:59:e1:1f:cc:c7:8c:ad:
fa:e3:fb:27:1f:92:45:16:45:9d:ab:4d:5c:29:5d:
7b:96:cc:26:62:69:c3:44:42:e1:7f:de:e3:32:b9:
4e:d2:86:c7:a5:e0:c8:40:bf:b8:5d:d9:fc:6f:70:
23:7b:07:23:0b:88:6b:6f:07:3b:18:76:f9:45:8b:
31:4c:9c:7f:34:d7:36:1f:59:51:42:8a:d8:d7:08:
d9:6b:72:f2:d1:9e:44:16:dd:3b:07:48:ca:a9:ee:
7c:fd:98:b1:4c:99:a4:71:62:c4:eb:ee:bc:d8:46:
c6:39:7c:ce:a5:4c:1d:0d:9e:ca:9b:00:46:e3:46:
0a:14:2a:19:f9:2e:5a:3e:98:f8:81:ac:72:c9:d7:
17:08:0b:40:e7:14:26:dd:87:15:45:6d:58:c1:61:
d3:02:e8:4d:84:70:e8:73:ba:ea:ae:47:5b:fe:e4:
58:5d:43:c7:eb:d9:17:1c:bc:1d:77:85:ac:74:6c:
a5:4d:b3:58:98:22:be:cc:dc:cb:90:49:90:c6:d5:
9a:4b:dd:13:bf:71:2e:f7:f5:d3:67:e8:54:66:cf:
e4:d4:24:78:5f:87:d1:2a:c5:fa:1e:53:f8:d1:f0:
5b:29:d1:fb:0b:21:24:cf:4e:73:da:c3:0b:d2:b9:
cd:75:5a:70:12:ca:e5:fb:37:ca:07:46:7a:41:5d:
5f:3b:7b:e4:91:7a:3d:6f:1f:3a:90:a9:6d:47:3f:
27:3e:9b:a0:e5:da:d2:22:e5:71:37:69:8b:0c:c1:
42:05:2c:ba:70:d9:8e:d2:af:25:e1:64:4e:e2:3b:
2d:a1:a8:14:f1:bb:18:0e:17:83:8c:04:ee:67:34:
5f:bf:c1:00:53:3c:da:9d:74:9b:5b:69:6d:f5:dd:
d6:0a:4f:03:66:a2:25:79:8c:cb:8e:ed:0d:c3:06:
38:44:ad:36:60:07:19:7e:09:86:c1:d3:f2:08:e8:
72:ca:7d:c8:c7:48:2d:39:7b:17:5c:a8:b9:80:dd:
73:57:05
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
FE:E1:BC:4C:C3:11:44:83:80:48:E6:F4:AB:B8:DE:AE:93:4F:2E:8F
X509v3 Authority Key Identifier:
BB:BC:C3:47:A5:E4:BC:A9:C6:C3:A4:72:0C:10:8D:A2:35:E1:C8:E8
Authority Information Access:
OCSP - URI:http://r10.o.lencr.org
CA Issuers - URI:http://r10.i.lencr.org/
X509v3 Subject Alternative Name:
DNS:rpg-foren.com
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 48:B0:E3:6B:DA:A6:47:34:0F:E5:6A:02:FA:9D:30:EB:
1C:52:01:CB:56:DD:2C:81:D9:BB:BF:AB:39:D8:84:73
Timestamp : Sep 23 16:21:24.622 2024 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:21:00:BD:C6:D8:48:E3:CD:EA:A7:41:E4:27:
FE:34:0C:47:A6:1F:78:6F:61:70:4F:39:B5:BE:22:2F:
39:E1:41:CE:53:02:20:69:1E:20:E0:42:25:40:76:D4:
B0:66:08:15:D7:9C:CC:4F:BC:A4:A2:1E:C6:36:0E:0B:
25:F5:7B:2D:30:85:3A
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 3F:17:4B:4F:D7:22:47:58:94:1D:65:1C:84:BE:0D:12:
ED:90:37:7F:1F:85:6A:EB:C1:BF:28:85:EC:F8:64:6E
Timestamp : Sep 23 16:21:24.621 2024 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:46:02:21:00:9E:CF:69:F9:27:E3:B0:4E:7D:DC:2D:
13:99:CD:8D:8C:B2:99:0B:B1:CA:82:83:07:2B:91:F7:
1B:71:EB:7B:ED:02:21:00:91:C6:62:90:C3:ED:ED:07:
62:1A:EC:43:02:C6:FE:F3:87:6A:0E:9C:C3:D7:54:1B:
69:3F:3F:FF:31:00:F6:6D
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
51:76:6c:49:3c:86:ea:b0:14:35:ca:85:63:27:de:76:ce:5c:
f2:17:83:28:f8:55:a3:31:f2:4a:32:ae:35:13:35:4b:95:54:
de:be:d7:b7:23:04:cf:2e:5b:e7:4f:cc:0b:90:58:fe:f8:14:
1a:16:a6:ec:1d:18:ec:36:e3:9a:dd:47:b6:e7:66:c9:6d:30:
cf:ab:d3:2d:9f:c6:c8:65:67:23:c1:3d:2e:b3:0c:c8:62:9c:
7a:ee:5d:f1:97:ea:b8:2e:a3:fb:3c:89:14:60:1e:e4:b7:9c:
8c:3c:af:18:aa:c2:68:06:aa:55:9b:cc:0c:5f:c4:ac:90:d1:
a2:c0:13:ed:71:0f:de:8d:0b:a8:1e:c1:1b:ea:38:b7:75:db:
66:b6:fc:68:16:7c:3c:11:5a:e6:f0:37:bc:26:83:ae:43:68:
68:71:d7:da:02:15:ef:50:5b:3e:6a:b3:6a:f7:7a:1f:a0:fc:
f3:f3:c7:43:2c:a2:e0:59:ba:1b:5c:7c:1b:03:7c:52:d1:6e:
2b:db:a2:dc:2d:69:9c:36:fe:b5:98:68:9f:67:8a:61:c8:8c:
6b:0e:b7:59:dc:92:92:d2:84:99:37:e7:ed:2f:47:a9:2a:a9:
b4:47:99:eb:64:8a:f2:57:09:16:d7:03:99:a9:fc:c2:1e:f8:
61:3a:a7:23
Ahora los he creado manualmente de nuevo según lo descrito aquí.