I'm trying to get ACME working with NGINX and I'm running into a small snag. I have luci-ssl-nginx installed and running.
The KEYs are getting generated by the acme script/process, however the acme script (using the LUCI app) doesn't seem to apply the changes to the nginx config files. When I ran a debug it said it couldn't find /etc/nginx/nginx.conf (something like that). I checked and that file doesn't exist.
Is there another config I'm supposed to do to make this work? I've never really used nginx in the past as I was using uhttpd.
So I was able to somewhat get this going by decoding (trying to understand) what was written on this page: [OpenWrt Wiki] Nginx webserver
I believe I have everything configured properly now, however whenever I try and start nginx I get the error message:
daemon.err nginx_init: 2021/01/27 14:34:06 [emerg] 18347#0: could not build server_names_hash, you should increase server_names_hash_bucket_size: 32
which is self-explanatory. I just don't know where to set this value!
This is my /etc/config/nginx file:

    config main 'global'
        option uci_enable 'true'

    config server '_lan'
        list listen '443 ssl default_server'
        list listen '[::]:443 ssl default_server'
        option server_name '_lan'
        list include 'restrict_locally'
        list include 'conf.d/*.locations'
        option uci_manage_ssl 'self-signed'
        option ssl_certificate '/etc/nginx/conf.d/_lan.crt'
        option ssl_certificate_key '/etc/nginx/conf.d/_lan.key'
        option ssl_session_cache 'shared:SSL:32k'
        option ssl_session_timeout '64m'
        option access_log 'off; # logd openwrt'

    config server '_redirect2ssl'
        list listen '80'
        list listen '[::]:80'
        option server_name '_redirect2ssl'
        option return '302 https://$host$request_uri'

    config server 'myHomeNetworkTMPname_duckdns_org'
        list listen '443 ssl'
        list listen '[::]:443 ssl'
        option ssl_certificate '/etc/acme/myHomeNetworkTMPname.duckdns.org/fullchain.cer'
        option ssl_certificate_key '/etc/acme/myHomeNetworkTMPname.duckdns.org/myHomeNetworkTMPname.duckdns.org.key'
        option ssl_session_cache 'shared:SSL:32k'
        option ssl_session_timeout '64m'
        option server_name 'myHomeNetworkTMPname.duckdns.org'

Well.. baby steps.. I finally found 1 piece of documentation stating I can modify uci.conf.template.
So I was able to add "server_names_hash_bucket_size 64;"
On to my next issue.. now I get "ERR_SSL_VERSION_OR_CIPHER_MISMATCH" when I try to visit my site with a browser. Any ideas?
I will try and update the wiki with the additional info.
As for the ACME updating automatically, I do see it run on occasion in my log files.
The only ERROR I saw initially was that it couldn't find /etc/nginx/nginx.conf
I'll see what happens when it's time for my cert to renew itself. (the LUCI app should have the option to FORCE renew)
The intention would be to not modify the uci.conf.template file, but instead to create a file ending with .conf in the directory /etc/nginx/conf.d/ (all those files will be included by default); server parts and their config (e.g. ssl_* directives) can be set up either in this directory or with UCI (I tried to describe this in the wiki) ...
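
The drop-in approach from the reply above, as an added example that is not part of the thread: a shell function that writes the `server_names_hash_bucket_size` setting into a `conf.d/*.conf` file and refuses to do so while the same directive is still set in `uci.conf.template`, since nginx rejects a duplicated directive at startup. The file name `server_names_hash.conf` and the function name are hypothetical, and the template is assumed to sit in the same nginx directory as `conf.d/`.

```shell
#!/bin/sh
# Added example, not from the thread. The nginx directory is a parameter so the
# function can be tried on a scratch directory first; the thread's conf.d lives
# under /etc/nginx.

# write_hash_dropin NGINX_DIR SIZE
#   returns 0 after writing NGINX_DIR/conf.d/server_names_hash.conf (hypothetical name)
#   returns 1 if uci.conf.template already sets the directive (would be a duplicate)
#   returns 2 on bad arguments or if conf.d cannot be created
write_hash_dropin() {
    dir="$1"
    size="$2"
    dropin="$dir/conf.d/server_names_hash.conf"
    tmpl="$dir/uci.conf.template"   # assumed location of the template

    # Only accept a plain positive integer as the bucket size.
    case "$size" in
        ''|*[!0-9]*) echo "size must be a number" >&2; return 2 ;;
    esac

    # An uncommented copy left in the template would make nginx fail with a
    # "directive is duplicate" error once the drop-in is included as well.
    if [ -f "$tmpl" ] &&
       grep -Eq '^[[:space:]]*server_names_hash_bucket_size[[:space:]]' "$tmpl"; then
        echo "directive already set in $tmpl; remove it there first" >&2
        return 1
    fi

    mkdir -p "$dir/conf.d" || return 2
    printf 'server_names_hash_bucket_size %s;\n' "$size" > "$dropin"
}

# Usage on the router, after reverting the template edit:
#   write_hash_dropin /etc/nginx 64 && service nginx restart
```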