nginx: allow overriding SSL trusted certificates when using ACME
Some ACME providers (like Buypass) are using a different certificate to sign OCSP responses than for server certificates. Therefore, sslTrustedCertificate should be provided by the user and we need to allow that.
This commit is contained in:
parent
fd26f351b5
commit
85209382c1
@ -841,6 +841,15 @@
|
||||
version of zfs.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
Nginx will use the value of
|
||||
<literal>sslTrustedCertificate</literal> if provided for a
|
||||
virtual host, even if <literal>enableACME</literal> is set.
|
||||
This is useful for providers not using the same certificate to
|
||||
sign OCSP responses and server certificates.
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
</section>
|
||||
|
@ -213,3 +213,5 @@ pt-services.clipcat.enable).
|
||||
- The [services.syncoid.enable](options.html#opt-services.syncoid.enable) module now properly drops ZFS permissions after usage. Before it delegated permissions to whole pools instead of datasets and didn't clean up after execution. You can manually look this up for your pools by running `zfs allow your-pool-name` and use `zfs unallow syncoid your-pool-name` to clean this up.
|
||||
|
||||
- Zfs: `latestCompatibleLinuxPackages` is now exported on the zfs package. One can use `boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;` to always track the latest compatible kernel with a given version of zfs.
|
||||
|
||||
- Nginx will use the value of `sslTrustedCertificate` if provided for a virtual host, even if `enableACME` is set. This is useful for providers not using the same certificate to sign OCSP responses and server certificates.
|
||||
|
@ -22,7 +22,9 @@ let
|
||||
} // (optionalAttrs (vhostConfig.enableACME || vhostConfig.useACMEHost != null) {
|
||||
sslCertificate = "${certs.${certName}.directory}/fullchain.pem";
|
||||
sslCertificateKey = "${certs.${certName}.directory}/key.pem";
|
||||
sslTrustedCertificate = "${certs.${certName}.directory}/chain.pem";
|
||||
sslTrustedCertificate = if vhostConfig.sslTrustedCertificate != null
|
||||
then vhostConfig.sslTrustedCertificate
|
||||
else "${certs.${certName}.directory}/chain.pem";
|
||||
})
|
||||
) cfg.virtualHosts;
|
||||
enableIPv6 = config.networking.enableIPv6;
|
||||
|
@ -145,7 +145,7 @@ with lib;
|
||||
sslTrustedCertificate = mkOption {
|
||||
type = types.nullOr types.path;
|
||||
default = null;
|
||||
example = "/var/root.cert";
|
||||
example = "\${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
|
||||
description = "Path to root SSL certificate for stapling and client certificates.";
|
||||
};
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user