Adds own server on port 80 for letsencrypt and redirect

core/nginx/conf/nginx.conf

@@ -34,6 +34,25 @@ http {
       ''      $scheme;
     }
 
+    {% if KUBERNETES_INGRESS != 'true' and TLS_FLAVOR in [ 'letsencrypt', 'cert' ] and not TLS_ERROR %}
+    # Enable the proxy for certbot if the flavor is letsencrypt and not on kubernetes
+    # 
+    server {
+      # Listen over HTTP
+      listen 80;
+      listen [::]:80;
+      {% if TLS_FLAVOR == 'letsencrypt' %}      
+      location ^~ /.well-known/acme-challenge/ {
+          proxy_pass http://127.0.0.1:8008;
+      }
+      {% endif %}
+      # redirect to https
+      location / {
+        return 301 https://$host$request_uri;
+      }
+    }
+    {% endif %}
+
     # Main HTTP server
     server {
       # Favicon stuff
@@ -48,9 +67,11 @@ http {
       set $webdav {{ WEBDAV_ADDRESS }};
       {% endif %}
 
-      # Always listen over HTTP
+      # Listen on HTTP only in kubernetes or behind reverse proxy
+      {% if KUBERNETES_INGRESS == 'true' or TLS_FLAVOR in [ 'mail-letsencrypt', 'notls',  'mail' ] or TLS_ERROR %}
       listen 80;
       listen [::]:80;
+      {% endif %}
 
       # Only enable HTTPS if TLS is enabled with no error and not on kubernetes
       {% if KUBERNETES_INGRESS != 'true' and TLS and not TLS_ERROR %}
@@ -78,8 +99,7 @@ http {
       add_header X-XSS-Protection '1; mode=block';
       add_header Referrer-Policy 'same-origin';
 
-      # In any case, enable the proxy for certbot if the flavor is letsencrypt and not on kubernetes
-      {% if KUBERNETES_INGRESS != 'true' and TLS_FLAVOR in [ 'letsencrypt', 'mail-letsencrypt' ] %}
+      {% if TLS_FLAVOR == 'mail-letsencrypt' %}      
       location ^~ /.well-known/acme-challenge/ {
           proxy_pass http://127.0.0.1:8008;
       }

towncrier/newsfragments/1564.bugfix

@@ -0,0 +1 @@
+Fixes certbot renewal