From 85209382c1c4c9553e7d4fcb90cfa97c122545b2 Mon Sep 17 00:00:00 2001 From: Vincent Bernat Date: Mon, 21 Jun 2021 00:02:53 +0200 Subject: [PATCH] nginx: allow overriding SSL trusted certificates when using ACME Some ACME providers (like Buypass) are using a different certificate to sign OCSP responses than for server certificates. Therefore, sslTrustedCertificate should be provided by the user and we need to allow that. --- .../doc/manual/from_md/release-notes/rl-2111.section.xml | 9 +++++++++ nixos/doc/manual/release-notes/rl-2111.section.md | 2 ++ nixos/modules/services/web-servers/nginx/default.nix | 4 +++- .../modules/services/web-servers/nginx/vhost-options.nix | 2 +- 4 files changed, 15 insertions(+), 2 deletions(-) diff --git a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml index d5bccd21735e..27175564e9d0 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml @@ -841,6 +841,15 @@ version of zfs. + + + Nginx will use the value of + sslTrustedCertificate if provided for a + virtual host, even if enableACME is set. + This is useful for providers not using the same certificate to + sign OCSP responses and server certificates. + + diff --git a/nixos/doc/manual/release-notes/rl-2111.section.md b/nixos/doc/manual/release-notes/rl-2111.section.md index 54347750a678..8596cea10d7e 100644 --- a/nixos/doc/manual/release-notes/rl-2111.section.md +++ b/nixos/doc/manual/release-notes/rl-2111.section.md 
@@ -213,3 +213,5 @@ pt-services.clipcat.enable).
 - The [services.syncoid.enable](options.html#opt-services.syncoid.enable) module now properly drops ZFS permissions after usage. Before it delegated permissions to whole pools instead of datasets and didn't clean up after execution. You can manually look this up for your pools by running `zfs allow your-pool-name` and use `zfs unallow syncoid your-pool-name` to clean this up.
 - Zfs: `latestCompatibleLinuxPackages` is now exported on the zfs package. One can use `boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;` to always track the latest compatible kernel with a given version of zfs.
+
+- Nginx will use the value of `sslTrustedCertificate` if provided for a virtual host, even if `enableACME` is set. This is useful for providers not using the same certificate to sign OCSP responses and server certificates.
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index ebb3c38d6c25..136811ada420 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -22,7 +22,9 @@ let
 } // (optionalAttrs (vhostConfig.enableACME || vhostConfig.useACMEHost != null) {
 sslCertificate = "${certs.${certName}.directory}/fullchain.pem";
 sslCertificateKey = "${certs.${certName}.directory}/key.pem";
- sslTrustedCertificate = "${certs.${certName}.directory}/chain.pem";
+ sslTrustedCertificate = if vhostConfig.sslTrustedCertificate != null
+ then vhostConfig.sslTrustedCertificate
+ else "${certs.${certName}.directory}/chain.pem";
 })
 ) cfg.virtualHosts;
 enableIPv6 = config.networking.enableIPv6;
diff --git a/nixos/modules/services/web-servers/nginx/vhost-options.nix b/nixos/modules/services/web-servers/nginx/vhost-options.nix
index bc18bcaa7b34..bbf4ccb01c8c 100644
--- a/nixos/modules/services/web-servers/nginx/vhost-options.nix
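Review bot: The precedence rule introduced on the `sslTrustedCertificate = if vhostConfig.sslTrustedCertificate != null` lines is undocumented in the code, and it makes this the only one of the three ACME-derived settings that a user value can override, so a reader will not know whether the asymmetry with `sslCertificate` and `sslCertificateKey` is intended. A why-comment above the conditional would settle it, e.g. `# A user-supplied sslTrustedCertificate wins over the ACME chain.pem: some CAs (e.g. Buypass) sign OCSP responses with a certificate outside the leaf's chain, so stapling verification needs a different trust anchor. The certificate and key stay ACME-managed on purpose.` Note too that the user-supplied path is written into the nginx config as-is; unlike the ACME directory, nothing visible here ensures the nginx user can read it, so a readability assertion or a mention in the option description may be worth adding. The enclosing `mapAttrs` over `cfg.virtualHosts` starts before this hunk.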
+++ b/nixos/modules/services/web-servers/nginx/vhost-options.nix @@ -145,7 +145,7 @@ with lib; sslTrustedCertificate = mkOption { type = types.nullOr types.path; default = null; - example = "/var/root.cert"; + example = "\${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; description = "Path to root SSL certificate for stapling and client certificates."; };
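Review bot: The new example `\${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt` points the option at the full public CA bundle, while the description on the following line says the same file is used for client certificates as well as stapling; with client verification enabled, a trust store that wide accepts a client certificate issued by any public CA. The example suits the OCSP-stapling case the commit targets, but the description should say so and should also record the new override behaviour from default.nix. Suggest `description = "Path to root SSL certificate for stapling and client certificates. When enableACME or useACMEHost is set this overrides the ACME-provided chain.pem. Prefer the issuing CA's own chain over a full CA bundle if client certificates are verified against it.";`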