Open dengqf6 opened 4 years ago
The idea is to have the _lan server just locally and create different /etc/nginx/conf.d/${FQDN}.conf files for other domains; Let's Encrypt and other CAs will only sign real domains …
Unfortunately it is not possible to replace the _lan certificate with one that is valid less than 13 months (the self-signed is valid for 3 years and checked annually). So creating symlinks for /etc/nginx/conf.d/_lan.{crt,key} to the Let's Encrypt certificate and key will not solve your problem. I am sorry for that.
For now, I see the following possibilities:

1. _lan and your domain have their own certificate and configuration; there are six files: /etc/nginx/conf.d/_lan.{crt,key,conf}, the Let's Encrypt certificate with key for your domain, and /etc/nginx/conf.d/${FQDN}.conf.

2. Renaming _lan.conf, e.g. to _my_lan.conf (and creating an empty _lan.conf such that it is not re-created by a package upgrade for now), then replacing the directives for the Let's Encrypt certificates should work. Please be aware that in the initial configuration the _lan server will listen on local addresses only, and so other servers have to listen on the local addresses, too, if you want to reach them from LAN (you can include '/var/lib/nginx/lan_ssl.listen'; for that).
In the new version the configuration is changed only by invoking nginx-util [add_ssl|del_ssl] (not when starting nginx, as it could happen now) and it will be more flexible, too; the _lan server will be a part of the UCI config, namely:
config server '_lan'
	list uci_listen_locally '443 ssl default_server'
	option server_name '_lan'
	list include 'conf.d/*.locations'
	option uci_manage_ssl 'self-signed'
	option ssl_certificate '/etc/nginx/conf.d/_lan.crt'
	option ssl_certificate_key '/etc/nginx/conf.d/_lan.key'
	option ssl_session_cache 'shared:SSL:32k'
	option ssl_session_timeout '64m'
	option access_log 'off; # logd openwrt'
There you would set the options ssl_certificate and ssl_certificate_key to the location of the Let's Encrypt certificates and uci_manage_ssl to something else than 'self-signed' (e.g. to 'acme'). The latter is needed such that the certificate is not replaced with a new self-signed one when it is valid less than 13 months.
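As an added example that is neither part of this thread nor code from the nginx-util package, the script below models the "valid for at least 13 months" rule described in the comment above with openssl x509 -checkend, and shows why a 90-day Let's Encrypt certificate would be regenerated while a 3-year self-signed one is kept. It also prints a separate server block for a real domain (possibility 1) that includes '/var/lib/nginx/lan_ssl.listen' so it is reachable on the same local addresses as _lan. Assumptions: 13 months is approximated as 13 × 30 days (the real tool's arithmetic may differ), the two certificates are constructed on the spot for the demo, and the function names, the fqdn_server_conf layout and the certificate paths are this example's own, not the package's.

```shell
#!/bin/sh
# Added example, not nginx-util's code: models the 13-month rule from the
# comment above and emits a per-FQDN nginx server block. Requires openssl.
# Assumption: 13 months ~ 13 * 30 days; the real tool may compute it differently.

# Seconds the certificate must still be valid for in order to be left alone.
THIRTEEN_MONTHS=$((13 * 30 * 24 * 3600))

# cert_verdict CRT: prints "keep" if CRT is still valid 13 months from now,
# "regenerate" otherwise (what a short-lived Let's Encrypt cert would get).
cert_verdict() {
    if openssl x509 -noout -in "$1" -checkend "$THIRTEEN_MONTHS" >/dev/null 2>&1; then
        echo keep
    else
        echo regenerate
    fi
}

# cert_enddate CRT: prints the notAfter date so the reader can see why.
cert_enddate() {
    openssl x509 -noout -in "$1" -enddate
}

# fqdn_server_conf FQDN CRT KEY: prints the server block for
# /etc/nginx/conf.d/${FQDN}.conf. The lan_ssl.listen include makes it listen on
# the local addresses _lan listens on; conf.d/*.locations mirrors the _lan entry.
# (Hypothetical layout; adapt paths to where your ACME client stores the files.)
fqdn_server_conf() {
    cat <<EOF
server {
    include '/var/lib/nginx/lan_ssl.listen';
    server_name $1;
    ssl_certificate $2;
    ssl_certificate_key $3;
    include conf.d/*.locations;
}
EOF
}

# make_cert CRT KEY DAYS CN: constructed self-signed certificate for the demo.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$2" -out "$1" \
        -days "$3" -subj "/CN=$4" >/dev/null 2>&1
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# A 90-day certificate, like the ones Let's Encrypt issues (constructed here).
make_cert "$WORK/le.crt" "$WORK/le.key" 90 example.com
# A 3-year certificate, like the self-signed _lan.crt (constructed here).
make_cert "$WORK/self.crt" "$WORK/self.key" 1095 _lan

for crt in "$WORK/le.crt" "$WORK/self.crt"; do
    printf '%s: %s -> %s\n' "$(basename "$crt")" "$(cert_enddate "$crt")" "$(cert_verdict "$crt")"
done

fqdn_server_conf example.com "$WORK/le.crt" "$WORK/le.key"
```

Running it prints "regenerate" for the 90-day certificate and "keep" for the 3-year one, which is the whole reason a Let's Encrypt certificate cannot simply be dropped into _lan.{crt,key}: any check that demands 13 months of remaining validity will always fail on a 90-day certificate. On the router the cert and key arguments to fqdn_server_conf would point at the files your ACME client writes.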
Maintainer: @Ansuel @peter-stadler
Environment: OpenWrt snapshot
Description: I got a certificate from Let's Encrypt and tried to replace the default self-signed certificate with it. But the changes to /etc/nginx/conf.d/_lan.* get reverted after restarting nginx.