Bypass basic auth for letsencrypt acme requests, reload nginx after ssl renewals

jc21 · jc21 · commit 36896bcfc9d1 · 2018-03-16T10:53:50.000+10:00
diff --git a/manager/src/backend/internal/ssl.js b/manager/src/backend/internal/ssl.js
@@ -30,7 +30,11 @@ const internalSsl = {
                 .then(result => {
                     logger.info(result);
                     internalSsl.interval_processing = false;
-                    return result;
+
+                    return internalNginx.reload()
+                        .then(() => {
+                            return result;
+                        });
                 })
                 .catch(err => {
                     logger.error(err);
diff --git a/manager/src/backend/templates/proxy.conf.ejs b/manager/src/backend/templates/proxy.conf.ejs
@@ -20,14 +20,13 @@ server {
   ssl_certificate_key /etc/letsencrypt/live/<%- hostname %>/privkey.pem;
 <% } -%>
 
-<% if (typeof access_list_id !== 'undefined' && access_list_id) { -%>
-  auth_basic            "Authorization required";
-  auth_basic_user_file  /config/access/<%- access_list_id %>;
-<% } -%>
-
 <%- typeof advanced !== 'undefined' && advanced ? advanced : '' %>
 
   location / {
+    <% if (typeof access_list_id !== 'undefined' && access_list_id) { -%>
+    auth_basic            "Authorization required";
+    auth_basic_user_file  /config/access/<%- access_list_id %>;
+    <% } -%>
     <%- typeof force_ssl !== 'undefined' && force_ssl ? 'include conf.d/include/force-ssl.conf;' : '' %>
     include conf.d/include/proxy.conf;
   }
diff --git a/rootfs/etc/nginx/conf.d/include/letsencrypt-acme-challenge.conf b/rootfs/etc/nginx/conf.d/include/letsencrypt-acme-challenge.conf
@@ -2,6 +2,7 @@
 # We use ^~ here, so that we don't check other regexes (for speed-up). We actually MUST cancel
 # other regex checks, because in our other config files have regex rule that denies access to files with dotted names.
 location ^~ /.well-known/acme-challenge/ {
+    auth_basic off;
 
     # Set correct content type. According to this:
     # https://community.letsencrypt.org/t/using-the-webroot-domain-verification-method/1445/29
@@ -14,7 +15,7 @@ location ^~ /.well-known/acme-challenge/ {
     # there to "webroot".
     # Do NOT use alias, use root! Target directory is located here:
     # /var/www/common/letsencrypt/.well-known/acme-challenge/
-    root         /config/letsencrypt-acme-challenge;
+    root /config/letsencrypt-acme-challenge;
 }
 
 # Hide /acme-challenge subdirectory and return 404 on all requests.
