···
<section><title>Using ACME certificates in Nginx</title>
70
-
<para>In practice ACME is mostly used for retrieval and renewal of
71
-
certificates that will be used in a webserver like Nginx. A configuration for
72
-
Nginx that uses the certificates from ACME for
73
-
<literal>foo.example.com</literal> will look similar to:
70
+
<para>NixOS supports fetching ACME certificates for you by setting
71
+
<literal>enableACME = true;</literal> in a virtualHost config. We
72
+
first create self-signed placeholder certificates in place of the
73
+
real ACME certs. The placeholder certs are overwritten when the ACME
74
+
certs arrive. For <literal>foo.example.com</literal> the config would
77
-
security.acme.certs."foo.example.com" = {
78
-
webroot = config.security.acme.directory + "/acme-challenge";
79
-
email = "foo@example.com";
82
-
postRun = "systemctl restart nginx.service";
84
-
services.nginx.httpConfig = ''
86
-
server_name foo.example.com;
90
-
location /.well-known/acme-challenge {
91
-
root /var/www/challenges;
95
-
return 301 https://$host$request_uri;
100
-
server_name foo.example.com;
102
-
ssl_certificate ${config.security.acme.directory}/foo.example.com/fullchain.pem;
103
-
ssl_certificate_key ${config.security.acme.directory}/foo.example.com/key.pem;
104
-
root /var/www/foo.example.com/;
82
+
"foo.example.com" = {
109
-
<para>Now Nginx will try to use the certificates that will be retrieved by ACME.
110
-
ACME needs Nginx (or any other webserver) to function and Nginx needs
111
-
the certificates to actually start. For this reason the ACME module
112
-
automatically generates self-signed certificates that will be used by Nginx to
113
-
start. After that Nginx is used by ACME to retrieve the actual ACME
114
-
certificates. <literal>security.acme.preliminarySelfsigned</literal> can be
115
-
used to control whether to generate the self-signed certificates.
93
+
<para>At the moment you still have to restart Nginx after the ACME
94
+
certs arrive.</para>
pyrox.dev