openwrt / packages

Community maintained packages for OpenWrt. Documentation for submitting pull requests is in CONTRIBUTING.md
GNU General Public License v2.0

nginx-util: how to use custom certificate instead of self-signed for LAN? #12022

Open dengqf6 opened 4 years ago

dengqf6 commented 4 years ago

Maintainer: @Ansuel @peter-stadler
Environment: OpenWrt snapshot

Description: I got a certificate from Let's Encrypt and tried to replace the default self-signed certificate with it. But the changes to /etc/nginx/conf.d/_lan.* get reverted after restarting nginx.

peter-stadler commented 4 years ago

The idea is to have the _lan server just locally and create different /etc/nginx/conf.d/${FQDN}.conf files for other domains; Let's Encrypt and other CAs will only sign real domains …

Unfortunately it is not possible to replace the _lan certificate with one that is valid for less than 13 months (the self-signed one is valid for 3 years and is checked annually). So creating symlinks from /etc/nginx/conf.d/_lan.{crt,key} to the Let's Encrypt certificate and key will not solve your problem. I am sorry for that.

For now, I see the following possibilities:

  1. Both _lan and your domain have their own certificate and configuration; there are six files: /etc/nginx/conf.d/_lan.{crt,key,conf}, the Let's Encrypt certificate with key for your domain, and /etc/nginx/conf.d/${FQDN}.conf.
  2. Rename the _lan.conf, e.g. to _my_lan.conf (and create an empty _lan.conf such that it is not re-created by a package upgrade for now); then replacing the directives for the Let's Encrypt certificates should work.

Please be aware that in the initial configuration the _lan server will listen on local addresses only, and so other servers have to listen on the local addresses, too, if you want to reach them from LAN (you can include '/var/lib/nginx/lan_ssl.listen'; for that).

In the new version the configuration is changed only by invoking nginx-util [add_ssl|del_ssl] (not when starting nginx, as can happen now), and it will be more flexible, too; the _lan server will be part of the UCI config, namely:

config server '_lan'
    list uci_listen_locally '443 ssl default_server'
    option server_name '_lan'
    list include 'conf.d/*.locations'
    option uci_manage_ssl 'self-signed'
    option ssl_certificate '/etc/nginx/conf.d/_lan.crt'
    option ssl_certificate_key '/etc/nginx/conf.d/_lan.key'
    option ssl_session_cache 'shared:SSL:32k'
    option ssl_session_timeout '64m'
    option access_log 'off; # logd openwrt'

There you would set the options ssl_certificate and ssl_certificate_key to the location of the Let's Encrypt certificates, and uci_manage_ssl to something other than 'self-signed' (e.g. to 'acme'). The latter is needed so that the certificate is not replaced with a new self-signed one when it is valid for less than 13 months.
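Option 1 above (keep the _lan server untouched and give the real domain its own /etc/nginx/conf.d/${FQDN}.conf) as an added shell example; this is not code from nginx-util or from the comment authors. The function name write_fqdn_conf and the optional CONFDIR argument are hypothetical. It assumes, as the comment states, that /var/lib/nginx/lan_ssl.listen holds the LAN listen directives, and it reuses the conf.d/*.locations include from the UCI snippet above so the new server serves the same locations as _lan. It refuses to write the file when the certificate or key path is unreadable, so a wrong path cannot leave nginx with a server block it fails to start with.

```shell
#!/bin/sh
# Added example (not part of nginx-util): write a separate server file for a
# CA-issued certificate next to the untouched _lan.* files.
#
# write_fqdn_conf FQDN CERT KEY [CONFDIR]
#   FQDN    real domain name the certificate was issued for
#   CERT    full-chain certificate file (e.g. from Let's Encrypt)
#   KEY     matching private key file
#   CONFDIR nginx conf.d directory; defaults to /etc/nginx/conf.d (assumed)
# Prints the path of the written file; returns 1 without writing on bad input.
write_fqdn_conf() {
    fqdn=$1; crt=$2; key=$3; confdir=${4:-/etc/nginx/conf.d}
    # only hostname characters, so the value cannot break out of the directive
    case "$fqdn" in
        ''|*[!A-Za-z0-9.-]*) echo "bad FQDN: '$fqdn'" >&2; return 1 ;;
    esac
    [ -r "$crt" ] || { echo "certificate not readable: $crt" >&2; return 1; }
    [ -r "$key" ] || { echo "key not readable: $key" >&2; return 1; }
    [ -d "$confdir" ] || { echo "no such directory: $confdir" >&2; return 1; }
    out="$confdir/$fqdn.conf"
    # _lan keeps its self-signed pair; only this server uses the CA-issued one,
    # so a restart of nginx reverts nothing here.
    cat > "$out" <<EOF
server {
    # same local addresses as the _lan server, so the name is reachable from LAN
    include '/var/lib/nginx/lan_ssl.listen';
    server_name $fqdn;
    ssl_certificate $crt;
    ssl_certificate_key $key;
    # assumed: shared location blocks, as in the _lan server above
    include conf.d/*.locations;
}
EOF
    printf '%s\n' "$out"
}

# usage: sh this_script.sh router.example.net /path/fullchain.pem /path/privkey.pem
if [ "$#" -ge 3 ]; then
    write_fqdn_conf "$@"
fi
```

After writing the file, reload nginx only after `nginx -t` passes; the _lan server still answers with its self-signed certificate on the bare address, while requests for the FQDN get the Let's Encrypt one.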