From b73ffd88ab43f5b0a848e90147ae325eb9d40309 Mon Sep 17 00:00:00 2001
From: Gilles Filippini
Date: Tue, 2 Jun 2020 19:50:39 +0000
Subject: [PATCH 1/3] Improve acme-challenge handling so that there is no need anymore for the Let's Encrypt companion to fiddle with vhosts nginx configuration.

---
 nginx.tmpl | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/nginx.tmpl b/nginx.tmpl
index ae9639b..2282b64 100644
--- a/nginx.tmpl
+++ b/nginx.tmpl
@@ -239,9 +239,14 @@ upstream {{ $upstream_name }} {
 {{/* Use the cert specified on the container or fallback to the best vhost match */}}
 {{ $cert := (coalesce $certName $vhostCert) }}
-{{ $is_https := (and (ne $https_method "nohttps") (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert))) }}
+{{ $is_https := (ne $https_method "nohttps") }}
 {{ if $is_https }}
+{{/* No cert? But we do want HTTPS! Let's fallback on the nginx default one.
+ And set up acme-challenge so that Let's Encrpyt can do its job */}}
+{{ $cert := coalesce $cert "default" }}
+{{/* Very same reasoning as above */}}
+{{ $cert := when (and (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert))) $cert "default" }}
 {{ if eq $https_method "redirect" }}
 server {

From f1baeda5d4bdc92f5a7419c99da3f4135229cbd3 Mon Sep 17 00:00:00 2001
From: Gilles Filippini
Date: Wed, 3 Jun 2020 10:14:08 +0000
Subject: [PATCH 2/3] Additional acme-challenge fix

For the case where HTTPS_METHOD=noredirect.
---
 nginx.tmpl | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/nginx.tmpl b/nginx.tmpl
index 2282b64..8bb79b9 100644
--- a/nginx.tmpl
+++ b/nginx.tmpl
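Review bot: The new `$cert :=` lines fall back to `default` without ever checking that `/etc/nginx/certs/default.crt` and `default.key` exist, while `$is_https` no longer requires any certificate at all, so on a host without a default pair the vhost is still rendered as HTTPS and whatever consumes `$cert` below the hunk (presumably the `ssl_certificate` directives, not visible here) points at missing files — which would likely make nginx reject the whole generated config rather than just this vhost, whereas before the change such a vhost silently fell back to a loadable plain-HTTP block. I would compute the two existence checks once and keep HTTPS conditional on at least one of them, as in the excerpt below. Note also that if `coalesce` here is docker-gen's, which I believe returns the first non-nil argument, then `coalesce $cert "default"` is a no-op for an empty-string `$cert` and the fallback really happens in the `when` line; the two lines deserve one comment saying which does what. The `{{ if $is_https }}` block opened here closes outside the hunk, and the comment typo `Encrpyt` should read `Encrypt`.
```go-template
{{ $cert_found := (and (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert))) }}
{{ $default_found := (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }}
{{/* Serve HTTPS when the vhost has its own cert, or when the default pair can stand in for it so ACME can validate */}}
{{ $is_https := (and (ne $https_method "nohttps") (or $cert_found $default_found)) }}

{{ if $is_https }}
{{ $cert := when $cert_found $cert "default" }}
{{/* … unchanged: redirect / server blocks … */}}
```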
@@ -355,6 +355,16 @@ server {
 {{ if eq $network_tag "internal" }}
 # Only allow traffic from internal clients
 include /etc/nginx/network_internal.conf;
+ {{ else }}
+ {{ if (eq $https_method "noredirect") }}
+ location /.well-known/acme-challenge/ {
+ auth_basic off;
+ allow all;
+ root /usr/share/nginx/html;
+ try_files $uri =404;
+ break;
+ }
+ {{ end }}
 {{ end }}
 {{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }}

From 537334f3db527bcacc5275ad8e86151de3c0e816 Mon Sep 17 00:00:00 2001
From: Gilles Filippini
Date: Wed, 3 Jun 2020 12:25:57 +0000
Subject: [PATCH 3/3] Log reasonning when falling back on default certificate

---
 nginx.tmpl | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/nginx.tmpl b/nginx.tmpl
index 8bb79b9..a5866ba 100644
--- a/nginx.tmpl
+++ b/nginx.tmpl
@@ -244,8 +244,14 @@ upstream {{ $upstream_name }} {
 {{ if $is_https }}
 {{/* No cert? But we do want HTTPS! Let's fallback on the nginx default one.
 And set up acme-challenge so that Let's Encrpyt can do its job */}}
+{{ if (eq $cert "") }}
+# WARNING: No certificate found - Using 'default' as fallback
+{{ else }}
+ {{ if (not (and (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert)))) }}
+# WARNING: Certificate '{{ $cert }}' doesn't exist yet - Falling back on 'default'
+ {{ end }}
+{{ end }}
 {{ $cert := coalesce $cert "default" }}
-{{/* Very same reasoning as above */}}
 {{ $cert := when (and (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert))) $cert "default" }}
 {{ if eq $https_method "redirect" }}
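Review bot: `break;` after `try_files $uri =404;` in the new location appears to be a no-op: `break` belongs to the rewrite module and acts in the rewrite phase, while `try_files` is evaluated in a later phase regardless of textual order, so the `=404` fallback already ends the request and the line can simply be dropped. The `auth_basic off; allow all;` pair deliberately re-opens this path for vhosts that protect themselves with htpasswd or per-vhost IP rules (the `vhost.d` include at the end of the hunk is where such rules would come from), which deserves a comment such as `# ACME HTTP-01 validators must reach this path: bypass basic auth and any IP allow/deny rules`. The location is only emitted in the non-internal branch, so an `internal` vhost in `noredirect` mode gets no challenge endpoint at all — fine if intended, but worth stating in that comment. The enclosing `server` block starts and ends outside the hunk, so I could not confirm which listeners carry this location in `noredirect` mode.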
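Review bot: The new warnings cover an empty `$cert` and a missing named certificate, but not the case where the `default` pair itself is absent: the unchanged `when` line still yields `default`, the generated config then claims to be "falling back", and whatever consumes `$cert` below the hunk will reference `/etc/nginx/certs/default.crt`/`.key` that do not exist. I would add an unconditional check right after the `when` line: `{{ if (not (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key"))) }}` / `# WARNING: 'default' certificate is missing too - HTTPS for this vhost cannot be served until it exists` / `{{ end }}`. The crt/key existence test is now spelled out twice within a few lines; computing it once into a `$cert_found` variable before the `if` would keep the warning and the actual fallback from drifting apart. Also note `{{ $cert }}` is interpolated verbatim into the config as a `#` comment and, per the patch 1 context, originates from container-supplied values such as `CERT_NAME`, so a value containing a newline would escape the comment — the same value already reaches the `printf` path expressions, so this is not a new trust boundary, but it is a reason not to treat these comment lines as harmless. The `{{ if $is_https }}` block enclosing all of this closes outside the hunk.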