danb35 (Hall of Famer) - Joined Aug 16, 2011 - Messages 15,504
This is actually somewhat on-topic, but it's quite a way outside "normal" Free/TrueNAS usage, hence my posting here in OT.
tl;dr: Is there a straightforward way, under FreeBSD (specifically, Free/TrueNAS), to tell nginx to use a different config file than the default /usr/local/etc/nginx/nginx.conf?
Background:
@Constantin and I are pondering how we can use HTTP validation to get ACME certs for a Free/TrueNAS server. Doing it with DNS validation is relatively trivial, assuming a suitable DNS host; I've already documented that. But we both have local CAs running, and would prefer to use those with HTTP validation. In order for that to work, the web server must be able to serve certain contents from /.well-known/acme-challenge/pseudorandomstring. From what I can see of the default nginx.conf file, it won't handle such a request, and experimentation confirms this--it simply redirects to the GUI login page. I could, of course, open a ticket with iX to modify nginx.conf to handle that path, but that likely wouldn't be handled very quickly, even if it got the requisite number of votes, and I lack the requisite skill to make the necessary middleware changes and do a PR. So, I'd proposed a crude, but likely effective, workaround--when renewal is required,
- Save a backup copy of the system's nginx.conf file
- Overwrite with a new, bare-bones one that will handle the challenge request appropriately (and, ideally, refuse anything else)
- Issue the cert
- Replace the original nginx.conf
But now I'm messing with the original config files, and if something goes sideways, I may be locked out of the GUI altogether. It should be pretty low-risk, but... But then I remembered that lots of software lets you set a rc.conf variable for the location of the config file--so maybe instead of overwriting the nginx.conf file, I could temporarily point nginx to a different file to serve the challenge token, and then point it back to the original. That way, I never have to touch the original file.
So I took a look at the nginx rc script, and that's where I got confused. It looks like it does support multiple nginx configurations, but they're tied to "profiles"--and Google isn't helping me understand what these are in this context.
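The four-step swap described in the post, as an added example that is not code from the original post or from iXsystems: it wraps the backup/overwrite/issue/restore sequence in a script that refuses to install a temporary config nginx itself rejects (`nginx -t -c`) and restores the original on every exit path, including Ctrl-C and a failing ACME client, so the GUI cannot be left unreachable. The config path is the one named in the post; the webroot, the `service nginx reload` reload command and the use of acme.sh in webroot mode are assumptions and can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not code from the original post: the swap-and-restore
# workaround with two safety rails, a syntax check of the temporary config
# before it is installed and an unconditional restore of the original.
# Assumed defaults, override via the environment as needed:
#   NGINX_CONF   the live config (the default path named in the post)
#   WEBROOT      where the ACME client writes .well-known/acme-challenge/<token>
#   NGINX_BIN    the nginx binary, used only for `nginx -t -c <file>`
#   RELOAD_CMD   how the running nginx is told to re-read its config
set -eu

: "${NGINX_CONF:=/usr/local/etc/nginx/nginx.conf}"
: "${WEBROOT:=/var/tmp/acme-webroot}"
: "${NGINX_BIN:=nginx}"
: "${RELOAD_CMD:=service nginx reload}"

# Print a bare-bones config that serves only /.well-known/acme-challenge/
# from the webroot in $1 and answers 404 to everything else.  Any `pid`
# directive in the original config ($2) is carried over so a reload keeps
# writing the master's pid where the rc script expects to find it.
acme_only_conf() {
    webroot="$1"; orig="$2"
    grep -E '^[[:space:]]*pid[[:space:]]' "$orig" || true
    cat <<EOF
worker_processes 1;
events { worker_connections 64; }
http {
    server {
        listen 80 default_server;
        server_name _;
        # HTTP-01 tokens only: /.well-known/acme-challenge/<token> maps to
        # <webroot>/.well-known/acme-challenge/<token> on disk.
        location ^~ /.well-known/acme-challenge/ {
            root $webroot;
            default_type text/plain;
            try_files \$uri =404;
        }
        # Nothing else is served while the swap is in place.
        location / { return 404; }
    }
}
EOF
}

# Put the saved original back and reload.  Safe to call more than once.
restore_conf() {
    if [ -f "${NGINX_CONF}.pre-acme" ]; then
        cp -p "${NGINX_CONF}.pre-acme" "$NGINX_CONF"
        rm -f "${NGINX_CONF}.pre-acme"
        $RELOAD_CMD
    fi
}

# Run the command given as arguments (the ACME client) with the
# challenge-only config installed, then restore the original whatever
# happens.  Returns the client's exit status; returns 1 without touching
# the live config if nginx rejects the temporary one.
with_acme_conf() {
    tmpconf="${NGINX_CONF}.acme"
    acme_only_conf "$WEBROOT" "$NGINX_CONF" > "$tmpconf"
    if ! "$NGINX_BIN" -t -c "$tmpconf" >/dev/null 2>&1; then
        rm -f "$tmpconf"
        echo "nginx rejected $tmpconf; original config left untouched" >&2
        return 1
    fi
    cp -p "$NGINX_CONF" "${NGINX_CONF}.pre-acme"
    # From here on the GUI is unreachable, so restore on every exit path.
    trap restore_conf EXIT INT TERM
    mv "$tmpconf" "$NGINX_CONF"
    $RELOAD_CMD
    rc=0
    "$@" || rc=$?
    restore_conf
    trap - EXIT INT TERM
    return "$rc"
}

# Typical use (acme.sh webroot mode assumed; any HTTP-01 client will do):
#   mkdir -p "$WEBROOT"
#   with_acme_conf acme.sh --issue -d nas.example.com -w "$WEBROOT"
```

The window during which the temporary config is live is exactly the ACME client's run time, and during it port 80 answers 404 to everything except the challenge path, which is the "refuse anything else" property the post asks for; the GUI's own listeners are simply not present in the temporary config, so nothing else is exposed while the swap is in place.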