Open midnightveil opened 1 year ago
Hey there - just to provide an update, this is effectively a clone of #210807. The solution is to set the `acmeRoot` for your virtual host(s) to `null`, which will force disabling of the acme-challenge directory.
We may be able to add conditional logic for this in the future. Haven't quite worked out a non-breaking scenario yet but the conditional you quoted could potentially be extended to add a check for DNS-01.
Hmm, setting `acmeRoot = null;` only seems to remove the `root /var/lib/acme/acme-challenge` line from the nginx configuration, not the entire `location {}` block.
The DNS-01 challenge & provisioning does work -- this was mostly a (minor) bug report as the HTTP-01 path is needlessly generated in the nginx config.
(I am using a wildcard cert, and not using `security.acme.defaults.XXX` for setting dnsProvider settings.)
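For reference, an added example (not from this issue or from nixpkgs) of the setup being discussed: a wildcard certificate obtained via DNS-01, consumed by an nginx virtual host through `useACMEHost`, with the `acmeRoot = null` workaround from the comment above. The DNS provider name, credentials path, vhost name and backend address are placeholders.

```nix
# Added example, not part of the issue. Placeholders: the "route53" provider,
# the credentials file path, the vhost name and the proxied backend.
{ config, ... }:
{
  security.acme = {
    acceptTerms = true;
    defaults.email = "admin@example.com";
    certs."example.com" = {
      domain = "example.com";
      extraDomainNames = [ "*.example.com" ];
      # DNS-01: no webroot / listenHTTP is configured for this cert.
      dnsProvider = "route53";                              # placeholder
      credentialsFile = "/run/secrets/acme-route53.env";    # placeholder
    };
  };

  services.nginx = {
    enable = true;
    virtualHosts."app.example.com" = {
      forceSSL = true;
      # Reuse the DNS-01 certificate; nginx itself never answers HTTP-01.
      useACMEHost = "example.com";
      # Workaround from the thread: drops the
      # `root /var/lib/acme/acme-challenge;` line. As the reporter observed,
      # the `location /.well-known/acme-challenge` block is still emitted.
      acmeRoot = null;
      locations."/".proxyPass = "http://127.0.0.1:8080";    # placeholder
    };
  };

  # nginx needs read access to the certificate files owned by the acme group.
  users.users.nginx.extraGroups = [ "acme" ];
}
```

After `nixos-rebuild switch`, inspecting the generated nginx config (the file referenced by `systemctl cat nginx`) shows whether the acme-challenge location is still present for this vhost.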
Describe the bug
Even though my certificates are provisioned using DNS-01 challenge, nginx still produces `./well-known/acme_challenge` (it's added for `:443` as well): https://github.com/NixOS/nixpkgs/blob/5521be288c7729e1653baddce52b8450dca1a4f1/nixos/modules/services/web-servers/nginx/default.nix#L365-L380
It is enabled when `(vhost.enableACME || vhost.useACMEHost != null)`, but this is true for DNS-01 validation as well.
Steps To Reproduce
Steps to reproduce the behavior:
1. `security.acme.certs."example.com"` with `dnsProvider`/`credentialsFile` as in 51.5. Configuring ACME for DNS Validation.
2. `useACMEHost = "example.com"`
Expected behavior
`/.well-known/acme-challenge` location in nginx is absent if DNS-01 verification is used.
Screenshots
n/a
Additional context
nil
Notify maintainers
@NixOS/acme
Metadata
(probably irrelevant, it's pushed with colmena)