teh
Franz Pletz
parent
1753d8c878
commit
a878365b77
@ -67,52 +67,30 @@ options for the <literal>security.acme</literal> module.</para>
|
|||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section><title>Using ACME certificates in Nginx</title>
|
<section><title>Using ACME certificates in Nginx</title>
|
||||||
<para>In practice ACME is mostly used for retrieval and renewal of
|
<para>NixOS supports fetching ACME certificates for you by setting
|
||||||
certificates that will be used in a webserver like Nginx. A configuration for
|
<literal>enableACME = true;</literal> in a virtualHost config. We
|
||||||
Nginx that uses the certificates from ACME for
|
first create self-signed placeholder certificates in place of the
|
||||||
<literal>foo.example.com</literal> will look similar to:
|
real ACME certs. The placeholder certs are overwritten when the ACME
|
||||||
|
certs arrive. For <literal>foo.example.com</literal> the config would
|
||||||
|
look like.
|
||||||
</para>
|
</para>
|
||||||
|
|
||||||
<programlisting>
|
<programlisting>
|
||||||
security.acme.certs."foo.example.com" = {
|
services.nginx = {
|
||||||
webroot = config.security.acme.directory + "/acme-challenge";
|
enable = true;
|
||||||
email = "foo@example.com";
|
virtualHosts = {
|
||||||
user = "nginx";
|
"foo.example.com" = {
|
||||||
group = "nginx";
|
forceSSL = true;
|
||||||
postRun = "systemctl restart nginx.service";
|
enableACME = true;
|
||||||
};
|
locations."/" = {
|
||||||
services.nginx.httpConfig = ''
|
root = "/var/www";
|
||||||
server {
|
};
|
||||||
server_name foo.example.com;
|
};
|
||||||
listen 80;
|
};
|
||||||
listen [::]:80;
|
}
|
||||||
|
|
||||||
location /.well-known/acme-challenge {
|
|
||||||
root /var/www/challenges;
|
|
||||||
}
|
|
||||||
|
|
||||||
location / {
|
|
||||||
return 301 https://$host$request_uri;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
server {
|
|
||||||
server_name foo.example.com;
|
|
||||||
listen 443 ssl;
|
|
||||||
ssl_certificate ${config.security.acme.directory}/foo.example.com/fullchain.pem;
|
|
||||||
ssl_certificate_key ${config.security.acme.directory}/foo.example.com/key.pem;
|
|
||||||
root /var/www/foo.example.com/;
|
|
||||||
}
|
|
||||||
'';
|
|
||||||
</programlisting>
|
</programlisting>
|
||||||
|
|
||||||
<para>Now Nginx will try to use the certificates that will be retrieved by ACME.
|
<para>At the moment you still have to restart Nginx after the ACME
|
||||||
ACME needs Nginx (or any other webserver) to function and Nginx needs
|
certs arrive.</para>
|
||||||
the certificates to actually start. For this reason the ACME module
|
|
||||||
automatically generates self-signed certificates that will be used by Nginx to
|
|
||||||
start. After that Nginx is used by ACME to retrieve the actual ACME
|
|
||||||
certificates. <literal>security.acme.preliminarySelfsigned</literal> can be
|
|
||||||
used to control whether to generate the self-signed certificates.
|
|
||||||
</para>
|
|
||||||
</section>
|
</section>
|
||||||
</chapter>
|
</chapter>
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user