[mTLS] Fix acme verfication when mTLS and Client CN verification is e…

…nabled
kubernetes · Mar 4, 2024 · 33b18c3 · 33b18c3
1 parent a41f46a
commit 33b18c3
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
@@ -985,8 +985,10 @@ stream {
 
         {{ if not ( empty $server.CertificateAuth.MatchCN ) }}
         {{ if gt (len $server.CertificateAuth.MatchCN) 0 }}
-        if ( $ssl_client_s_dn !~ {{ $server.CertificateAuth.MatchCN }} ) {
-            return 403 "client certificate unauthorized";
+        location ~ ^/(?!(\.well-known/acme-challenge)) {
+            if ( $ssl_client_s_dn !~ {{ $server.CertificateAuth.MatchCN }} ) {
+                return 403 "client certificate unauthorized";
+            }
         }
         {{ end }}
         {{ end }}