FEATURE: Add Let's Encrypt template using the nginx ACME module #1053
Draft
xfalcox wants to merge 1 commit into
Adds a new web.letsencrypt-nginx.ssl template as an alternative to the existing acme.sh-based one. The nginx ACME module (built into the base image alongside ngx_brotli) handles certificate issuance and renewal natively via http-level directives, removing the need for the acme.sh download and the configure-letsencrypt/letsencrypt shell scripts. The existing web.letsencrypt.ssl template remains the default so current setups are unaffected.
Summary

- `templates/web.letsencrypt-nginx.ssl.template.yml` as an alternative to the existing `web.letsencrypt.ssl.template.yml`. It uses the nginx ACME module for native Let's Encrypt support — no `acme.sh` download, no `configure-letsencrypt`/`letsencrypt` shell scripts, no separate port 80 nginx config for HTTP-01 validation.
- `nginx/nginx-acme` module to the base image build (`image/base/install-nginx`) so the directives are available out of the box.
- `web.letsencrypt.ssl.template.yml` (acme.sh) remains and is unchanged; users opt in to the new template explicitly.

How it works

The new template:

- `/etc/nginx/conf.d/letsencrypt-acme.conf` at the http level with `resolver`, `acme_issuer letsencrypt { ... }`, and `acme_shared_zone`.
- `outlets/server/20-https.conf` with `acme_certificate letsencrypt;` plus `ssl_certificate $acme_certificate;` / `ssl_certificate_key $acme_certificate_key;` so the cert paths come from the module's runtime state instead of `/shared/ssl/`.
- `LETSENCRYPT_ACCOUNT_EMAIL` is optional. If set, it is passed as a `contact mailto:` line in the issuer config.
- HTTP-01 challenges work without any extra location config: the module registers its challenge handler at `NGX_HTTP_POST_READ_PHASE`, which runs before location matching and before the existing `location ~ /.well-known` block in `web.ssl.template.yml` can take effect.

Test plan

- `image/base`) and confirm nginx builds successfully with `--add-module=/tmp/nginx-acme` (requires Rust toolchain in the parent `discourse/ruby` image — assumed present from YJIT; verify on first build).
- `web.letsencrypt-nginx.ssl` in `templates:` and a real `DISCOURSE_HOSTNAME` pointing to the host.
- `/shared/letsencrypt-nginx` contains the persisted account/issuer state.
- `force_https` is appended to `/var/www/discourse/config/discourse.conf`.
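The shape of nginx configuration the description above sketches, as an added illustration rather than the PR's actual template: only `resolver`, `acme_issuer`, `acme_shared_zone`, `acme_certificate`, `$acme_certificate`, `$acme_certificate_key` and the `contact mailto:` line are named in the PR; `uri`, `state_path`, `accept_terms_of_service` and `ssl_certificate_cache` are taken from the nginx-acme module's own documentation as I understand it, and the hostname, resolver address, zone size and mail address are placeholders.

```nginx
# http-level issuer config (the PR keeps this in /etc/nginx/conf.d/letsencrypt-acme.conf).
# Placeholder values throughout; adjust resolver, hostname and paths for a real host.
resolver 1.1.1.1;                    # the module resolves the ACME directory itself

acme_issuer letsencrypt {
    uri        https://acme-v02.api.letsencrypt.org/directory;
    # Emitted only when LETSENCRYPT_ACCOUNT_EMAIL is set (optional per the PR).
    contact    mailto:admin@example.test;
    # Persisted account/issuer state; the PR keeps it under /shared/letsencrypt-nginx
    # so it survives container rebuilds and does not hit Let's Encrypt rate limits.
    state_path /shared/letsencrypt-nginx;
    accept_terms_of_service;
}

# Shared memory so all worker processes see the same certificate state.
acme_shared_zone zone=ngx_acme_shared:1M;

server {
    listen 443 ssl;
    server_name example.test;        # DISCOURSE_HOSTNAME; must resolve to this host for HTTP-01

    # Request a certificate from the issuer above; server_name supplies the identifier.
    acme_certificate letsencrypt;

    # Cert and key paths come from module variables, not from /shared/ssl/.
    ssl_certificate       $acme_certificate;
    ssl_certificate_key   $acme_certificate_key;
    ssl_certificate_cache max=2;     # variables load the files per handshake; cache the result

    # No /.well-known/acme-challenge/ location is needed: the module answers
    # HTTP-01 challenges in NGX_HTTP_POST_READ_PHASE, before location matching.
}

server {
    listen 80;
    server_name example.test;
    # Challenge requests are intercepted before this redirect runs, so forcing
    # HTTPS here does not break validation.
    return 301 https://$host$request_uri;
}
```

When checking a deployment, confirm that `/shared/letsencrypt-nginx` is populated after the first issuance and that the `$acme_certificate` path resolves; an empty state directory means the issuer block never ran.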