dev/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

Merge pull request #127606 from vincentbernat/fix/nginx-override-ssl-certs

Browse Source 
nginx: allow overriding SSL trusted certificates when using ACME
This commit is contained in:
Martin Weinelt 2021-08-08 16:43:27 +02:00 committed by GitHub
commit 23e60ba325
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 15 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
View File

@ -841,6 +841,15 @@
version of zfs. version of zfs.
</para> </para>
</listitem> </listitem>
<listitem>
<para>
Nginx will use the value of
<literal>sslTrustedCertificate</literal> if provided for a
virtual host, even if <literal>enableACME</literal> is set.
This is useful for providers not using the same certificate to
sign OCSP responses and server certificates.
</para>
</listitem>
</itemizedlist> </itemizedlist>
</section> </section>
</section> </section>

2
nixos/doc/manual/release-notes/rl-2111.section.md
View File

@ -213,3 +213,5 @@ pt-services.clipcat.enable).
- The [services.syncoid.enable](options.html#opt-services.syncoid.enable) module now properly drops ZFS permissions after usage. Before it delegated permissions to whole pools instead of datasets and didn't clean up after execution. You can manually look this up for your pools by running `zfs allow your-pool-name` and use `zfs unallow syncoid your-pool-name` to clean this up. - The [services.syncoid.enable](options.html#opt-services.syncoid.enable) module now properly drops ZFS permissions after usage. Before it delegated permissions to whole pools instead of datasets and didn't clean up after execution. You can manually look this up for your pools by running `zfs allow your-pool-name` and use `zfs unallow syncoid your-pool-name` to clean this up.
- Zfs: `latestCompatibleLinuxPackages` is now exported on the zfs package. One can use `boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;` to always track the latest compatible kernel with a given version of zfs. - Zfs: `latestCompatibleLinuxPackages` is now exported on the zfs package. One can use `boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;` to always track the latest compatible kernel with a given version of zfs.
- Nginx will use the value of `sslTrustedCertificate` if provided for a virtual host, even if `enableACME` is set. This is useful for providers not using the same certificate to sign OCSP responses and server certificates.

4
nixos/modules/services/web-servers/nginx/default.nix
View File

@ -22,7 +22,9 @@ let
} // (optionalAttrs (vhostConfig.enableACME || vhostConfig.useACMEHost != null) { } // (optionalAttrs (vhostConfig.enableACME || vhostConfig.useACMEHost != null) {
sslCertificate = "${certs.${certName}.directory}/fullchain.pem"; sslCertificate = "${certs.${certName}.directory}/fullchain.pem";
sslCertificateKey = "${certs.${certName}.directory}/key.pem"; sslCertificateKey = "${certs.${certName}.directory}/key.pem";
sslTrustedCertificate = "${certs.${certName}.directory}/chain.pem"; sslTrustedCertificate = if vhostConfig.sslTrustedCertificate != null
then vhostConfig.sslTrustedCertificate
else "${certs.${certName}.directory}/chain.pem";
}) })
) cfg.virtualHosts; ) cfg.virtualHosts;
enableIPv6 = config.networking.enableIPv6; enableIPv6 = config.networking.enableIPv6;

2
nixos/modules/services/web-servers/nginx/vhost-options.nix
View File

@ -145,7 +145,7 @@ with lib;
sslTrustedCertificate = mkOption { sslTrustedCertificate = mkOption {
type = types.nullOr types.path; type = types.nullOr types.path;
default = null; default = null;
example = "/var/root.cert"; example = "\${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
description = "Path to root SSL certificate for stapling and client certificates."; description = "Path to root SSL certificate for stapling and client certificates.";
}; };