nginx: allow overriding SSL trusted certificates when using ACME

Some ACME providers (like Buypass) use a different certificate to sign
OCSP responses than the one used for server certificates. Therefore,
sslTrustedCertificate should be configurable by the user, and we need to
allow that.
Vincent Bernat 2021-06-21 00:02:53 +02:00
parent fd26f351b5
commit 85209382c1
4 changed files with 15 additions and 2 deletions


@ -841,6 +841,15 @@
version of zfs.
</para>
</listitem>
<listitem>
<para>
Nginx will use the value of
<literal>sslTrustedCertificate</literal> if provided for a
virtual host, even if <literal>enableACME</literal> is set.
This is useful for providers not using the same certificate to
sign OCSP responses and server certificates.
</para>
</listitem>
</itemizedlist>
</section>
</section>


@ -213,3 +213,5 @@ pt-services.clipcat.enable).
- The [services.syncoid.enable](options.html#opt-services.syncoid.enable) module now properly drops ZFS permissions after usage. Before it delegated permissions to whole pools instead of datasets and didn't clean up after execution. You can manually look this up for your pools by running `zfs allow your-pool-name` and use `zfs unallow syncoid your-pool-name` to clean this up.
- Zfs: `latestCompatibleLinuxPackages` is now exported on the zfs package. One can use `boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;` to always track the latest compatible kernel with a given version of zfs.
- Nginx will use the value of `sslTrustedCertificate` if provided for a virtual host, even if `enableACME` is set. This is useful for providers not using the same certificate to sign OCSP responses and server certificates.


@ -22,7 +22,9 @@ let
} // (optionalAttrs (vhostConfig.enableACME || vhostConfig.useACMEHost != null) {
sslCertificate = "${certs.${certName}.directory}/fullchain.pem";
sslCertificateKey = "${certs.${certName}.directory}/key.pem";
sslTrustedCertificate = "${certs.${certName}.directory}/chain.pem";
sslTrustedCertificate = if vhostConfig.sslTrustedCertificate != null
then vhostConfig.sslTrustedCertificate
else "${certs.${certName}.directory}/chain.pem";
})
) cfg.virtualHosts;
enableIPv6 = config.networking.enableIPv6;
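Review bot: The new `if vhostConfig.sslTrustedCertificate != null` branch on the `sslTrustedCertificate` line replaces the ACME-managed `chain.pem` outright rather than extending it, and nothing in the hunk documents that the user-supplied file must then carry the full issuer chain itself; nginx validates stapled OCSP responses against the `ssl_trusted_certificate` file alone, so a file holding only the separate OCSP signing certificate would, as far as I can tell, leave stapling unverifiable for that virtual host. A comment above the `if` would spare the next reader that surprise: `# A user-provided sslTrustedCertificate replaces the ACME chain.pem rather than extending it; it must contain the full issuer chain plus any separate OCSP signing certificate.` The `let` binding and the function applied over `cfg.virtualHosts` on the closing line both begin before this hunk.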


@ -145,7 +145,7 @@ with lib;
sslTrustedCertificate = mkOption {
type = types.nullOr types.path;
default = null;
example = "/var/root.cert";
example = "\${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
description = "Path to root SSL certificate for stapling and client certificates.";
};
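Review bot: The new `example` points at the entire system CA bundle, while the `description` on the following line says the same file is used for client certificates as well as stapling, and the release entries added by this commit mention only OCSP stapling. A reader who copies the example into a virtual host that also enables client certificate verification would, per that description, accept any certificate issued by a public CA as a client certificate. Suggest making the dual use explicit in the description, e.g. `description = "Path to root SSL certificate for stapling and client certificates. A broad bundle such as the example is only appropriate when client certificate verification is not enabled for this virtual host.";`. The attribute set enclosing this `mkOption` begins before the hunk.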