NGINX for LuCI and Reverse Proxy not using Acme.sh-generated certificates

Hello there!

This is my first time running OpenWRT, so apologies if I missed something obvious.

I'm trying to deploy LuCI alongside several other services using port to subdomain reverse proxy routing via NGINX, and at the moment I'm getting stuck on the SSL certificate side of the equation.

LuCI is able to run correctly with the default NGINX location and configuration files, but seems not to be using the certificate from Acme.sh when I try to open LuCI from within NGINX, though I can tell it's valid since the same certificate runs without any issues under uHTTPd when I stop NGINX and enable it from the console.

The structure I'd like to follow is to have the reverse proxy listening on ports 80 and 443 for both IPv4 and IPv6 connections, and then assigning the different services I have in Docker and the like to subdomains relating to their name, such as LuCI being openwrt.example.com and BubbleUPNP being bubbles.example.com and so forth, while blocking access to LuCI from outside the LAN group, but leaving everything else available.

As far as I have understood from the documentation, as long as the Docker container either exposes the port or subdirectory correctly on startup, all I'd have to do would be to point a .conf file to the exposed element and restart the service, but I'm not sure whether I should just point the domain and the _lan locations to the certificates or if I'm being all around wrong on this in the first place.

I'll attach my configuration files just to be sure, but please ask if I got any details missing.

/etc/config/nginx
config main 'global'
        option uci_enable 'true'

config server '_lan'
        list listen '443 ssl default_server'
        list listen '[::]:443 ssl default_server'
        option server_name '_lan'
        list include 'restrict_locally'
        list include 'conf.d/*.locations'
        option uci_manage_ssl 'self-signed'
        option ssl_certificate '/etc/acme/example.com

/example.com.cer'
        option ssl_certificate_key '/etc/acme/example.com/example.com.key'
        option ssl_session_cache 'shared:SSL:32k'
        option ssl_protocols 'TLSv1 TLSv1.1 TLSv1.2'
        option ssl_session_timeout '64m'
        option access_log 'off; # logd openwrt'

config server '_redirect2ssl'
        list listen '80'
        list listen '[::]:80'
        option server_name '_redirect2ssl'
        option return '302 https://$host$request_uri'

config server 'example_com'
        list listen '443 ssl'
        list listen '[::]:443 ssl'
        option server_name 'example.com'
        list include 'conf.d/example.com.locations'
        option ssl_certificate '/etc/acme/example.com/example.com.cer'
        option ssl_certificate_key '/etc/acme/example.com/example.com.key'
        option ssl_session_cache 'shared:SSL:32k'
        option ssl_session_timeout '64m'
/etc/nginx/uci.conf
# This file is re-created when Nginx starts.
# Consider using UCI or creating files in /etc/nginx/conf.d/ for configuration.
# Parsing UCI configuration is skipped if uci set nginx.global.uci_enable=false
# For details see: https://openwrt.org/docs/guide-user/services/webserver/nginx

worker_processes auto;

user root;

events {}

http {
        access_log off;
        server_names_hash_bucket_size 128;
        server_names_hash_max_size 256;
        log_format openwrt
                '$request_method $scheme://$host$request_uri => $status'
                ' (${body_bytes_sent}B in ${request_time}s) <- $http_referer';

        include mime.types;
        default_type application/octet-stream;
        sendfile on;

        client_max_body_size 128M;
        large_client_header_buffers 2 1k;

        gzip on;
        gzip_vary on;
        gzip_proxied any;

        root /www;

        server { #see uci show 'nginx._lan'
                listen 443 ssl default_server;
                listen [::]:443 ssl default_server;
                server_name _lan;
                include restrict_locally;
                include conf.d/*.locations;
                ssl_certificate /etc/acme/example.com/example.com.cer;
                ssl_certificate_key /etc/acme/example.com/example.com.key;
                ssl_session_cache shared:SSL:32k;
                ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
                ssl_session_timeout 64m;
                access_log off; # logd openwrt;
        }

        server { #see uci show 'nginx._redirect2ssl'
                listen 80;
                listen [::]:80;
                server_name _redirect2ssl;
                return 302 https://$host$request_uri;
        }

        server { #see uci show 'nginx.example_com'
                listen 443 ssl;
                listen [::]:443 ssl;
                server_name example.com;
                include conf.d/example.com.locations;
                ssl_certificate /etc/acme/example.com/example.com.cer;
                ssl_certificate_key /etc/acme/example.com/example.com.key;
                ssl_session_cache shared:SSL:32k;
                ssl_session_timeout 64m;
        }

        include conf.d/*.conf;
}
/etc/nginx/conf.d/bubbleupnp.conf
server {
        listen 443;
        listen [::]:443;

        access_log /var/log/nginx/reverse-access.log;
        error_log /var/log/nginx/reverse-error.log;

        location 127.0.0.1:58051 {
                    proxy_pass https://bubbles.example.com;
  }
}
/etc/nginx/conf.d/luci.locations
location /cgi-bin/luci {
                index  index.html;
                include uwsgi_params;
                uwsgi_param SERVER_ADDR $server_addr;
                uwsgi_modifier1 9;
                uwsgi_pass unix:////var/run/luci-webui.socket;
}
location ~ /cgi-bin/cgi-(backup|download|upload|exec) {
                include uwsgi_params;
                uwsgi_param SERVER_ADDR $server_addr;
                uwsgi_modifier1 9;
                uwsgi_pass unix:////var/run/luci-cgi_io.socket;
}

location /luci-static {
                error_log stderr crit;
}

location /ubus {
        ubus_interpreter;
        ubus_socket_path /var/run/ubus/ubus.sock;
        ubus_parallel_req 2;
}

The issue appears to be mostly related to NGINX than OpenWrt.
Also it's too specific, so it makes difficult for anyone to help you unless they use a similar setup.
Try to isolate the problem and split the large issue into smaller ones if possible.
Simplify the scenario by discarding unrelated parts.
Increase the log level verbosity and/or enable debugging.

1 Like