From 0a34e39569c3731a09968e9b51f5e52ac3d06216 Mon Sep 17 00:00:00 2001 From: Phantasm Date: Wed, 5 Feb 2025 23:23:35 +0100 Subject: [PATCH] docs openbsd: fix certificate acquisition on nginx --- docs/installation/openbsd_en.md | 35 +++++++++++++++++++++++++++++---- 1 file changed, 31 insertions(+), 4 deletions(-) diff --git a/docs/installation/openbsd_en.md b/docs/installation/openbsd_en.md index a98e6022a..387b0f2ea 100644 --- a/docs/installation/openbsd_en.md +++ b/docs/installation/openbsd_en.md @@ -19,7 +19,8 @@ To install required packages, run the following command: # pkg_add erlang%26 elixir gmake git postgresql-server postgresql-contrib cmake libmagic libvips ``` -Pleroma requires a reverse proxy, OpenBSD has relayd in base (and is used in this guide) and packages/ports are available for nginx (www/nginx) and apache (www/apache-httpd). Independently of the reverse proxy, [acme-client(1)](https://man.openbsd.org/acme-client) can be used to get a certificate from Let's Encrypt. +Pleroma requires a reverse proxy, OpenBSD has relayd in base (and is used in this guide) and packages/ports are available for nginx (www/nginx) and apache (www/apache-httpd). +Independently of the reverse proxy, [acme-client(1)](https://man.openbsd.org/acme-client) can be used to get a certificate from Let's Encrypt. #### Optional software 
@@ -119,7 +120,8 @@ $ MIX_ENV=prod mix ecto.migrate Note: You will need to run this step again when updating your instance to a newer version with `git pull` or `git checkout tags/NEW_VERSION`. As \_pleroma in /home/\_pleroma/pleroma, you can now run `MIX_ENV=prod mix phx.server` to start your instance. -In another SSH session or a tmux window, check that it is working properly by running `ftp -MVo - http://127.0.0.1:4000/api/v1/instance`, you should get json output. Double-check that the *uri* value near the bottom is your instance's domain name and the instance *title* are correct. +In another SSH session or a tmux window, check that it is working properly by running `ftp -MVo - http://127.0.0.1:4000/api/v1/instance`, you should get json output. +Double-check that the *uri* value near the bottom is your instance's domain name and the instance *title* are correct. ### Configuring acme-client @@ -176,10 +178,10 @@ http { server { ... - server_name example.tld; # Replace with your domain + server_name localhost; # Replace with your domain location /.well-known/acme-challenge { - rewrite ^/.well-known/acme-challenge/(.*) /$1 break; + rewrite ^/\.well-known/acme-challenge/(.*) /$1 break; root /var/www/acme; } } 
@@ -225,10 +227,32 @@ As root, copy `/home/_pleroma/pleroma/installation/pleroma.nginx` to `/etc/nginx Edit default `/etc/nginx/sites-available/pleroma.nginx` settings and replace `example.tld` with your domain: + * Uncomment the location block for `~ /\.well-known/acme-challenge` in the server block listening on port 80 + - add `rewrite ^/\.well-known/acme-challenge/(.*) /$1 break;` above the `root` location + - change the `root` location to `/var/www/acme;` * Change `ssl_trusted_certificate` to `/etc/ssl/example.tld_cert-only.crt` * Change `ssl_certificate` to `/etc/ssl/example.tld.crt` * Change `ssl_certificate_key` to `/etc/ssl/private/example.tld.key` +Remove the following `location {}` block from `/etc/nginx/nginx.conf`, that was previously added for acquiring certificates and change `server_name` back to `localhost`: + +``` +http { + ... + + server { + ... + server_name example.tld; # Change back to localhost + + # Delete this block + location /.well-known/acme-challenge { + rewrite ^/\.well-known/acme-challenge/(.*) /$1 break; + root /var/www/acme; + } + } +} +``` + Symlink the Pleroma configuration to the enabled sites: ``` @@ -241,6 +265,9 @@ Check nginx configuration syntax by running: # nginx -t ``` +Note: If the above command complains about a `conflicting server name`, check again that the `location {}` block for acquiring certificates has been removed from `/etc/nginx/nginx.conf` and that the `server_name` has been reverted back to `localhost`. +After doing so run `# nginx -t` again. + If the configuration is correct, you can now enable and reload the nginx service: ```
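Review bot: in the `@@ -119,7 +120,8 @@` hunk the line is only re-wrapped at the sentence boundary (no rendered change in markdown), so it is a good moment to also fix the grammar on the touched line: "the instance *title* are correct" should read "the instance *title* is correct", or "that the *uri* value ... and the instance *title* are correct" if both subjects are meant.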
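Review bot: in the `@@ -176,10 +178,10 @@` hunk the escaped `rewrite ^/\.well-known/acme-challenge/(.*) /$1 break;` is the right fix (an unescaped `.` matches any character), but the `server_name localhost; # Replace with your domain` line deserves a clearer comment, e.g. `# Temporarily replace with your domain`, since the later hunk tells the reader to change it back to `localhost`; without that hint the two instructions look contradictory. As a simpler alternative for the same block, `alias /var/www/acme/;` inside the `location /.well-known/acme-challenge` block serves the challenge directory without a rewrite at all.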
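Review bot: in the `@@ -225,10 +227,32 @@` hunk the sentence "Remove the following `location {}` block from `/etc/nginx/nginx.conf`, that was previously added for acquiring certificates and change `server_name` back to `localhost`" reads better as "Remove the following `location {}` block, which was previously added for acquiring certificates, from `/etc/nginx/nginx.conf`, and change `server_name` back to `localhost`". The added step list also mixes `*` and `-` markers for the nested items; the rest of the file uses `*`, so the sub-steps should use the same marker (indented) or be written as one item. The snippet's comments (`# Change back to localhost`, `# Delete this block`) make the intent clear, but the value shown for `server_name` is `example.tld` while the earlier hunk shows `localhost` with "Replace with your domain"; stating once that `localhost` is the shipped default would tie the two sections together.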
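Review bot: in the `@@ -241,6 +265,9 @@` hunk "reverted back" is redundant ("reverted" suffices), and "After doing so run `# nginx -t` again." should drop the `#` prompt inside the inline code, as the other inline commands in this file do, or say "re-run the command above". It would also help the reader to say that the `conflicting server name` message is nginx reporting two port-80 server blocks with the same name, one in `nginx.conf` and one in the enabled `pleroma.nginx`, so they know which file still holds the stale block.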