nixos/nginx: allow using existing ACME certificate #33900
Conversation
When a domain has a lot of subdomains, it is quite easy to hit the rate limit: https://letsencrypt.org/docs/rate-limits/ Instead you can define the certificate manually in `security.acme.certs` and list the subdomains in the `extraDomains` option.
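A NixOS configuration showing the workflow described above (an added example, not code from the PR or the NixOS modules): one certificate is requested for the apex domain with the subdomains listed in `extraDomains`, the apex vhost drives the ACME request with `enableACME`, and the subdomain vhosts reuse that certificate through the `useACMEHost` option this PR adds. Host names, the email address and the proxy target are placeholders, and option names are those of the NixOS release this PR targets (`extraDomains`, not the later `extraDomainNames`).

```nix
{ config, ... }:
{
  # One ACME certificate covering the apex and its subdomains. With HTTP-01
  # validation every name listed here must answer on port 80 so the challenge
  # location can be served; a DNS-based challenge does not need that.
  security.acme.certs."example.com" = {
    email = "admin@example.com";  # placeholder
    extraDomains = {
      "www.example.com" = null;   # null: reuse the webroot of the main cert
      "git.example.com" = null;
    };
    # Reload nginx after renewal so it picks up the new certificate files.
    postRun = "systemctl reload nginx.service";
  };

  services.nginx = {
    enable = true;
    virtualHosts = {
      # This vhost owns the certificate request: enableACME wires the
      # /.well-known/acme-challenge/ location and the webroot for the cert.
      "example.com" = {
        enableACME = true;
        forceSSL = true;
        root = "/var/www/example.com";  # placeholder
      };
      # Subdomains reuse the existing certificate instead of requesting their
      # own, so adding a vhost does not consume another certificate issuance.
      "www.example.com" = {
        useACMEHost = "example.com";
        forceSSL = true;
        locations."/".return = "301 https://example.com$request_uri";
      };
      "git.example.com" = {
        useACMEHost = "example.com";
        forceSSL = true;
        locations."/".proxyPass = "http://127.0.0.1:3000";  # placeholder
      };
    };
  };
}
```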
@@ -194,7 +197,7 @@ let | |||
${concatMapStringsSep "\n" listenString redirectListen} | |||
|
|||
server_name ${vhost.serverName} ${concatStringsSep " " vhost.serverAliases}; | |||
${optionalString vhost.enableACME acmeLocation} | |||
${acmeLocation} |
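Review bot: dropping the `optionalString vhost.enableACME` guard on the last line of this hunk makes the challenge location unconditional at this call site, so the hunk is only correct together with the change that moves the `(vhost.enableACME || vhost.useACMEHost != null)` condition into the `acmeLocation` binding itself; applied on its own, every vhost would get an ACME location. A short comment at the call site saying that `acmeLocation` is empty unless one of those two options is set would keep a future reader from re-adding the guard here.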
While it probably doesn't hurt having that there, shouldn't it depend on `(vhost.enableACME || vhost.useACMEHost != null)` like the other parts?
I do not understand what you mean. Unless `(vhost.enableACME || vhost.useACMEHost != null)` is true, the variable will contain an empty string. I chose to move the condition back to the `acmeLocation` definition in order to reduce duplication.
Yes, you are right. I see that now.
cc @fpletz
Okayed by globin on IRC.
@@ -174,7 +177,7 @@ let | |||
|
|||
redirectListen = filter (x: !x.ssl) defaultListen; | |||
|
|||
acmeLocation = '' | |||
acmeLocation = optionalString (vhost.enableACME || vhost.useACMEHost != null) '' |
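Review bot: the new `optionalString (vhost.enableACME || vhost.useACMEHost != null)` guard on the last line deserves a comment explaining why a vhost that only reuses a certificate via `useACMEHost` still serves the challenge location: with HTTP-01 validation every name in `extraDomains` must be reachable over HTTP for the certificate to be issued and renewed, whereas a DNS-based challenge (`dnsProvider`) does not need the location at all. Without that note the next reader will ask the same question this review thread does.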
What's the purpose of `acmeLocation` when `useACMEHost != null`?
Hmm, I actually have no idea if it is needed. I probably just kept it in case Let’s Encrypt runs the challenge on all subdomains in the certificate.
Necessary to allow challenges to be reachable for HTTP-01, not necessary when using `security.acme.certs.<cert>.dnsProvider`. See #245737