nginx: use fullchain.pem for ssl_trusted_certificate
Some ACME clients do not generate full.pem. That file is just fullchain.pem plus the certificate key (key.pem), and the key is not necessary for verifying OCSP staples.
parent
5b316ed476
commit
83c9b6ee39
@ -16,11 +16,11 @@ let
|
|||||||
} // (optionalAttrs vhostConfig.enableACME {
|
} // (optionalAttrs vhostConfig.enableACME {
|
||||||
sslCertificate = "${acmeDirectory}/${serverName}/fullchain.pem";
|
sslCertificate = "${acmeDirectory}/${serverName}/fullchain.pem";
|
||||||
sslCertificateKey = "${acmeDirectory}/${serverName}/key.pem";
|
sslCertificateKey = "${acmeDirectory}/${serverName}/key.pem";
|
||||||
sslTrustedCertificate = "${acmeDirectory}/${serverName}/full.pem";
|
sslTrustedCertificate = "${acmeDirectory}/${serverName}/fullchain.pem";
|
||||||
}) // (optionalAttrs (vhostConfig.useACMEHost != null) {
|
}) // (optionalAttrs (vhostConfig.useACMEHost != null) {
|
||||||
sslCertificate = "${acmeDirectory}/${vhostConfig.useACMEHost}/fullchain.pem";
|
sslCertificate = "${acmeDirectory}/${vhostConfig.useACMEHost}/fullchain.pem";
|
||||||
sslCertificateKey = "${acmeDirectory}/${vhostConfig.useACMEHost}/key.pem";
|
sslCertificateKey = "${acmeDirectory}/${vhostConfig.useACMEHost}/key.pem";
|
||||||
sslTrustedCertificate = "${acmeDirectory}/${vhostConfig.useACMEHost}/full.pem";
|
sslTrustedCertificate = "${acmeDirectory}/${vhostConfig.useACMEHost}/fullchain.pem";
|
||||||
})
|
})
|
||||||
) cfg.virtualHosts;
|
) cfg.virtualHosts;
|
||||||
enableIPv6 = config.networking.enableIPv6;
|
enableIPv6 = config.networking.enableIPv6;
|
||||||
|
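Review bot: Both `sslTrustedCertificate` lines (the `enableACME` and the `useACMEHost` branch) now point at `fullchain.pem`, which carries the leaf certificate as well as the issuer chain. nginx only needs the issuer certificates in this file to verify stapled OCSP responses, so the leaf ends up in the trusted set without need. If the ACME directory also provides an issuer-only chain file, that would be the tighter choice; this is not visible from the hunk, so confirm it against the ACME module before changing. Either way, a short comment above each line would guard against a later revert, e.g. `# not full.pem: it bundles key.pem, and no private key is needed to verify OCSP staples`. The enclosing `let` binding starts and ends outside the hunk.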