NginxProxyManager / nginx-proxy-manager

Docker container for managing Nginx proxy hosts with a simple, powerful interface
https://nginxproxymanager.com
MIT License

Allow custom ACME servers for certificate generation #3518

Open Nathanwoodburn opened 6 months ago

Nathanwoodburn commented 6 months ago

Is your feature request related to a problem? Please describe.

It would be really nice to be able to add custom ACME servers to the certificate generation. For example, I have an ACME server that generates internally signed certificates and I currently need to upload them every time I update them.

Describe the solution you'd like

Either allow acme servers added via the web interface or maybe a config file?

Describe alternatives you've considered

Additional context

Ro-meo commented 6 months ago

Maybe as an addition: documentation on how to do this manually?

demonbane commented 5 months ago

I'd love to see this as well. I was able to connect to the console of the npm container and manually create certificates using certbot with my custom ACME server like this:

certbot certonly -d <domain> --agree-tos --no-eff-email \
--server <server_url> \
--eab-kid <kid> \
--eab-hmac-key <hmac>

But actually using them is kind of a nightmare. I have to get the files out of the container and onto my local machine just to then re-upload them through the web UI. I had hoped to at least symlink the certs directly from /etc/letsencrypt to /data/custom_ssl, but it looks like the web UI stores the certificates in the database and only writes them out to disk so that nginx can access them, so I'm not sure that would survive a restart (and even if it did, it would still require manually uploading a dummy cert for every domain).

demonbane commented 5 months ago

Looking at the code, it looks like npm creates /etc/letsencrypt.ini by default and it turns out you can just add the config in there and it works! I just added:

server = <url>
eab-kid = <kid>
eab-hmac-key = <hmac>

and then tried using the UI to generate a new certificate and it worked perfectly! I'd still love to see an option added to the UI to manage this, but this actually works right now which is great.

Nathanwoodburn commented 5 months ago

Does that allow multiple? For this case I have internal domains (not on a valid TLD) and regular public domains. So can I set 2 ACME servers?

demonbane commented 5 months ago

You would have to modify it each time (or just create two copies and swap them out between invocations). Fortunately, once the certificate is created, there's a cert-specific .conf file created in /etc/letsencrypt/renewal which does store the server name, so renewals should continue to work even if you've changed the server in the config each time.
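One way to script the letsencrypt.ini workaround above and the per-lineage server check just mentioned, as an added example that is not code from this issue or from nginx-proxy-manager. It assumes certbot's flat key = value CLI config format and the [renewalparams] section of its renewal confs; the internal ACME URL, hostnames and EAB values are constructed.

```python
import configparser
import os
import tempfile
from pathlib import Path

PUBLIC_CA = "https://acme-v02.api.letsencrypt.org/directory"
INTERNAL_CA = "https://acme.internal.example/directory"  # assumed internal ACME server


def write_cli_config(path, server, eab_kid=None, eab_hmac_key=None):
    """Render the three keys from the letsencrypt.ini workaround as a flat
    key = value certbot CLI config (no section header); EAB is optional."""
    lines = [f"server = {server}"]
    if eab_kid and eab_hmac_key:
        lines += [f"eab-kid = {eab_kid}", f"eab-hmac-key = {eab_hmac_key}"]
    Path(path).write_text("\n".join(lines) + "\n")
    os.chmod(path, 0o600)  # the HMAC key is an ACME account secret
    return Path(path).read_text()


def audit_renewal_servers(renewal_dir, expected_servers):
    """Return ({lineage: server_url}, [lineages not using an expected server]).
    Renewal confs start with unsectioned keys (cert, privkey, ...) followed by
    a [renewalparams] section, so a dummy header is prepended for configparser."""
    servers, unexpected = {}, []
    for conf in sorted(Path(renewal_dir).glob("*.conf")):
        parser = configparser.ConfigParser(interpolation=None)
        parser.read_string("[top]\n" + conf.read_text())
        servers[conf.stem] = url = parser.get("renewalparams", "server", fallback=None)
        if url not in expected_servers:
            unexpected.append(conf.stem)
    return servers, unexpected


# Constructed renewal conf, trimmed to the fields this check reads.
SAMPLE_CONF = "cert = /etc/letsencrypt/live/{name}/cert.pem\n\n[renewalparams]\nserver = {server}\n"


def demo(expected_servers=(PUBLIC_CA, INTERNAL_CA)):
    """Write a config plus two constructed lineages into a scratch dir, then audit."""
    with tempfile.TemporaryDirectory() as tmp:
        ini = write_cli_config(Path(tmp, "letsencrypt.ini"), INTERNAL_CA, "kid-1", "hmac-1")
        renewal = Path(tmp, "renewal")
        renewal.mkdir()
        for name, server in (("www.example.com", PUBLIC_CA), ("lab.corp", INTERNAL_CA)):
            Path(renewal, f"{name}.conf").write_text(SAMPLE_CONF.format(name=name, server=server))
        servers, unexpected = audit_renewal_servers(renewal, set(expected_servers))
        return {"ini": ini, "servers": servers, "unexpected": unexpected}
```

Run audit_renewal_servers against /etc/letsencrypt/renewal inside the container after swapping the server in letsencrypt.ini to confirm each lineage still points at the CA it was issued by.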

fbender commented 5 months ago

See #1054:

I am planning to add configurable CAs to v3.

Originally posted by @jc21 in https://github.com/NginxProxyManager/nginx-proxy-manager/issues/1054#issuecomment-870213956