[solved] ACME (Let’s Encrypt) with luci-ssl-nginx

Hi,

I'm trying to get ACME working with NGINX and I'm running into a small snag. I have luci-ssl-nginx installed and running.

The keys are getting generated by the acme script/process; however, the acme script (using the LuCI app) doesn't seem to apply the changes to the nginx config files. When I ran a debug it said it couldn't find /etc/nginx/nginx.conf (something like that). I checked, and that file doesn't exist.

Is there another config I'm supposed to do to make this work? I've never really used nginx in the past as I was using uhttpd.

Thanks

So I was able to somewhat get this going by decoding (trying to understand) what was written on this page: [OpenWrt Wiki] Nginx webserver

I believe I have everything configured properly now; however, whenever I try to start nginx I get the error message:
daemon.err nginx_init: 2021/01/27 14:34:06 [emerg] 18347#0: could not build server_names_hash, you should increase server_names_hash_bucket_size: 32

which is self-explanatory. I just don't know where to set this value!

This is my /etc/config/nginx file:

config main 'global'
	option uci_enable 'true'

config server '_lan'
	list listen '443 ssl default_server'
	list listen '[::]:443 ssl default_server'
	option server_name '_lan'
	list include 'restrict_locally'
	list include 'conf.d/*.locations'
	option uci_manage_ssl 'self-signed'
	option ssl_certificate '/etc/nginx/conf.d/_lan.crt'
	option ssl_certificate_key '/etc/nginx/conf.d/_lan.key'
	option ssl_session_cache 'shared:SSL:32k'
	option ssl_session_timeout '64m'
	option access_log 'off; # logd openwrt'

config server '_redirect2ssl'
	list listen '80'
	list listen '[::]:80'
	option server_name '_redirect2ssl'
	option return '302 https://$host$request_uri'

config server 'myHomeNetworkTMPname_duckdns_org'
	list listen '443 ssl'
	list listen '[::]:443 ssl'
	option ssl_certificate '/etc/acme/myHomeNetworkTMPname.duckdns.org/fullchain.cer'
	option ssl_certificate_key '/etc/acme/myHomeNetworkTMPname.duckdns.org/myHomeNetworkTMPname.duckdns.org.key'
	option ssl_session_cache 'shared:SSL:32k'
	option ssl_session_timeout '64m'
	option server_name 'myHomeNetworkTMPname.duckdns.org'

Any help would be greatly appreciated!

Well... baby steps. I finally found one piece of documentation stating I can modify uci.conf.template.
So I was able to add "server_names_hash_bucket_size 64;"

On to my next issue: now I get "ERR_SSL_VERSION_OR_CIPHER_MISMATCH" when I try to visit my site with a browser. Any ideas?

uci show 'nginx.myHomeNetworkTMPname_duckdns_org'

nginx.myHomeNetworkTMPname_duckdns_org=server
nginx.myHomeNetworkTMPname_duckdns_org.listen='443 ssl' '[::]:443 ssl'
nginx.myHomeNetworkTMPname_duckdns_org.ssl_certificate='/etc/acme/myHomeNetworkTMPname.duckdns.org/fullchain.cer'
nginx.myHomeNetworkTMPname_duckdns_org.ssl_certificate_key='/etc/acme/myHomeNetworkTMPname.duckdns.org/myHomeNetworkTMPname.duckdns.org.key'
nginx.myHomeNetworkTMPname_duckdns_org.ssl_session_cache='shared:SSL:32k'
nginx.myHomeNetworkTMPname_duckdns_org.ssl_session_timeout='64m'
nginx.myHomeNetworkTMPname_duckdns_org.server_name='myHomeNetworkTMPname.duckdns.org'

Thanks

Well, I guess I solved it myself... lol

This line wasn't mentioned anywhere on the wiki site, but obviously it was needed in my case.

option ssl_protocols 'TLSv1 TLSv1.1 TLSv1.2'

Not sure what I have to do to get acme to automatically renew my certs now, but I guess I'll eventually figure that out too.


If you'd like to edit the wiki, feel free. I will look to adapt the acme package when I have spare time.

Nonetheless, acme should already update the certificates; you can check whether acme is in /etc/crontabs/root and get the debug/error info via logread ...


I will try and update the wiki with the additional info.

As for the ACME updating automatically, I do see it run on occasion in my log files.
The only ERROR I saw initially was that it couldn't find /etc/nginx/nginx.conf
I'll see what happens when it's time for my cert to renew itself. (the LUCI app should have the option to FORCE renew)

Thanks!

I have now made PRs for acme and uacme ...

Some comments on the rest, although it works:

  • I am not sure why you needed to set ssl_protocols 'TLSv1 TLSv1.1 TLSv1.2', as it should be the default value (see https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols) ...
  • For server_names_hash it could be better to increase server_names_hash_max_size instead (according to https://nginx.org/en/docs/hash.html).
  • The intention would be to not modify the uci.conf.template file; instead, create a file ending with .conf in the directory /etc/nginx/conf.d/ (all those files will be included by default). Server parts and their config (e.g. ssl_* directives) can be set up either in this directory or with UCI (I tried to describe this in the wiki) ...
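The following is an added example, not code from this thread or from the OpenWrt nginx/acme packages. It applies the three points in the reply above to the two fixes made earlier in the thread (the server_names_hash_bucket_size edit to uci.conf.template, and the ssl_protocols option that re-enabled TLSv1/TLSv1.1): a conf.d drop-in sets the hash table size and a modern protocol list without touching the template, and a small audit flags any generated server block that still allows TLSv1 or TLSv1.1. Assumptions: the file name 90-tls-hardening.conf is my choice; the conf.d directory is passed as an argument (on OpenWrt it would be /etc/nginx/conf.d) and, as the reply states, its *.conf files are included in the http context; TLSv1.3 only takes effect if the installed nginx/OpenSSL build supports it; the "weak" server block is a constructed sample of what the UCI option from earlier in the thread renders to.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenWrt packages).
# Directory argument assumed: on OpenWrt this would be /etc/nginx/conf.d.

# Write the drop-in. conf.d/*.conf is included in the http context, so these
# directives apply to every server block unless a server overrides them
# (a UCI "option ssl_protocols ..." inside a server section would do that).
write_tls_dropin() {
    cat > "$1/90-tls-hardening.conf" <<'EOF'
# server_name hash: raise max_size first, bucket_size only if nginx still complains
server_names_hash_max_size 1024;
# TLSv1 and TLSv1.1 are deprecated (RFC 8996); current browsers refuse them
ssl_protocols TLSv1.2 TLSv1.3;
EOF
}

# Constructed sample: the server block the thread ended up with, as nginx sees
# it after UCI expands "option ssl_protocols 'TLSv1 TLSv1.1 TLSv1.2'".
write_weak_server() {
    cat > "$1/weak-example.conf" <<'EOF'
server {
    listen 443 ssl;
    server_name myHomeNetworkTMPname.duckdns.org;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # legacy protocols enabled
}
EOF
}

# Audit every *.conf under $1: return 1 (naming the file on stderr) if any
# ssl_protocols directive still enables TLSv1 or TLSv1.1, 0 otherwise.
# Comments are stripped first so a commented-out directive is not a hit;
# the regex requires a delimiter after "TLSv1"/"TLSv1.1" so TLSv1.2 and
# TLSv1.3 are not matched.
audit_ssl_protocols() {
    rc=0
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        if sed 's/#.*$//' "$f" \
            | grep -E '^[[:space:]]*ssl_protocols[[:space:]]' \
            | grep -Eq '(^|[[:space:]])TLSv1(\.1)?([[:space:]]|;|$)'; then
            echo "weak ssl_protocols in $f" >&2
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run in a scratch directory instead of /etc/nginx/conf.d.
demo() {
    d=$(mktemp -d) || return 1
    write_tls_dropin "$d"
    audit_ssl_protocols "$d" && echo "drop-in alone: clean"
    write_weak_server "$d"
    audit_ssl_protocols "$d" || echo "with weak server block: flagged (expected)"
    rm -rf "$d"
}

demo
```

On the router, run `write_tls_dropin /etc/nginx/conf.d` followed by `nginx -t` and `/etc/init.d/nginx restart`; the audit is worth re-running after any UCI change, because a per-server `option ssl_protocols` silently wins over the http-level drop-in.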

I'll try those things out and see how it goes! Thanks!
