From a6b4b9ae520c4af0809d274c05266f950674231c Mon Sep 17 00:00:00 2001
From: Sebastian Klemke <3669903+packet23@users.noreply.github.com>
Date: Mon, 31 Jan 2022 07:36:23 +0100
Subject: [PATCH 1/4] Removed ssl_trusted_certificate configuration setting from nginx. Resolves an nginx startup issue when letsencrypt or mail-letsencrypt is enabled. Fixes #2199
---
 core/nginx/conf/tls.conf | 1 -
 towncrier/newsfragments/2199.bugfix | 1 +
 2 files changed, 1 insertion(+), 1 deletion(-)
 create mode 100644 towncrier/newsfragments/2199.bugfix
diff --git a/core/nginx/conf/tls.conf b/core/nginx/conf/tls.conf
index f663bfd2..4372c5af 100644
--- a/core/nginx/conf/tls.conf
+++ b/core/nginx/conf/tls.conf
@@ -3,7 +3,6 @@ ssl_certificate_key {{ TLS[1] }};
 {% if TLS_FLAVOR in ['letsencrypt','mail-letsencrypt'] %}
 ssl_certificate {{ TLS[2] }};
 ssl_certificate_key {{ TLS[3] }};
-ssl_trusted_certificate /etc/ssl/certs/ca-cert-DST_Root_CA_X3.pem;
 {% endif %}
 ssl_session_timeout 1d;
 ssl_session_tickets off;
diff --git a/towncrier/newsfragments/2199.bugfix b/towncrier/newsfragments/2199.bugfix
new file mode 100644
index 00000000..94d28888
--- /dev/null
+++ b/towncrier/newsfragments/2199.bugfix
@@ -0,0 +1 @@
+Removed `ssl_trusted_certificate` configuration setting from nginx. Fixes an issue with nginx when letsencrypt or mail-letsencrypt is used.
From 68ff6c83378cfd6dd68e6d4cc03807617331b421 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Mon, 31 Jan 2022 11:18:21 +0100
Subject: [PATCH 2/4] Use ISRG_ROOT_X1 as DST_ROOT is not available
---
 core/nginx/conf/tls.conf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/core/nginx/conf/tls.conf b/core/nginx/conf/tls.conf
index 4372c5af..0ed832ed 100644
--- a/core/nginx/conf/tls.conf
+++ b/core/nginx/conf/tls.conf
@@ -3,6 +3,7 @@ ssl_certificate_key {{ TLS[1] }};
 {% if TLS_FLAVOR in ['letsencrypt','mail-letsencrypt'] %}
 ssl_certificate {{ TLS[2] }};
 ssl_certificate_key {{ TLS[3] }};
+ssl_trusted_certificate /etc/ssl/certs/ca-cert-ISRG_Root_X1.pem
 {% endif %}
 ssl_session_timeout 1d;
 ssl_session_tickets off;
From f6ebf9fda2d4bcff67afb5283d7d3916853850ae Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Mon, 31 Jan 2022 11:19:00 +0100
Subject: [PATCH 3/4] Update tls.conf
---
 core/nginx/conf/tls.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/core/nginx/conf/tls.conf b/core/nginx/conf/tls.conf
index 0ed832ed..3970ed33 100644
--- a/core/nginx/conf/tls.conf
+++ b/core/nginx/conf/tls.conf
@@ -3,7 +3,7 @@ ssl_certificate_key {{ TLS[1] }};
 {% if TLS_FLAVOR in ['letsencrypt','mail-letsencrypt'] %}
 ssl_certificate {{ TLS[2] }};
 ssl_certificate_key {{ TLS[3] }};
-ssl_trusted_certificate /etc/ssl/certs/ca-cert-ISRG_Root_X1.pem
+ssl_trusted_certificate /etc/ssl/certs/ca-cert-ISRG_Root_X1.pem;
 {% endif %}
 ssl_session_timeout 1d;
 ssl_session_tickets off;
From 1e6fa13203b7d97b83b2a82c772bd376f7840851 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Mon, 31 Jan 2022 11:19:39 +0100
Subject: [PATCH 4/4] Update 2199.bugfix
---
 towncrier/newsfragments/2199.bugfix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/towncrier/newsfragments/2199.bugfix b/towncrier/newsfragments/2199.bugfix
index 94d28888..e7ee3fb5 100644
--- a/towncrier/newsfragments/2199.bugfix
+++ b/towncrier/newsfragments/2199.bugfix
@@ -1 +1 @@
-Removed `ssl_trusted_certificate` configuration setting from nginx. Fixes an issue with nginx when letsencrypt or mail-letsencrypt is used.
+Switch from DST_ROOT_X3 to ISRG_X1 as alpine is not shipping the former anymore
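Review bot: The `ssl_trusted_certificate /etc/ssl/certs/ca-cert-ISRG_Root_X1.pem` line added in the 2/4 hunk of core/nginx/conf/tls.conf (and rewritten in the 3/4 hunk) still hard-codes one root file supplied by the base image, which is the same coupling that stopped nginx from starting once the DST Root CA X3 file was no longer shipped. Nothing visible in the series checks that the file exists or that the rendered config parses, and 2/4 on its own leaves the directive without its terminating `;`, so that commit does not produce a loadable config. Squashing 2/4 into 3/4 and running `nginx -t` against the rendered template during the image build would catch both the missing file and the syntax slip before deployment. A comment above the directive would also help the next maintainer, e.g. `# trust anchor nginx uses to verify OCSP responses and client certs; file is provided by the base image's CA bundle`, assuming that is why it is set, since the stapling and client-verification settings are outside these hunks. The rest of tls.conf is not shown here.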