From b73ffd88ab43f5b0a848e90147ae325eb9d40309 Mon Sep 17 00:00:00 2001
From: Gilles Filippini <pini@pini.fr>
Date: Tue, 2 Jun 2020 19:50:39 +0000
Subject: [PATCH] Improve acme-challenge handling

so that there is no need anymore for the Let's Encrypt companion to fiddle
with vhosts nginx configuration.
---
 nginx.tmpl | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/nginx.tmpl b/nginx.tmpl
index ae9639b..2282b64 100644
--- a/nginx.tmpl
+++ b/nginx.tmpl
@@ -239,9 +239,14 @@ upstream {{ $upstream_name }} {
 {{/* Use the cert specified on the container or fallback to the best vhost match */}}
 {{ $cert := (coalesce $certName $vhostCert) }}
 
-{{ $is_https := (and (ne $https_method "nohttps") (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert))) }}
+{{ $is_https := (ne $https_method "nohttps") }}
 
 {{ if $is_https }}
+{{/* No cert? But we do want HTTPS! Let's fallback on the nginx default one.
+     And set up acme-challenge so that Let's Encrpyt can do its job */}}
+{{ $cert := coalesce $cert "default" }}
+{{/* Very same reasoning as above */}}
+{{ $cert := when (and (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert))) $cert "default" }}
 
 {{ if eq $https_method "redirect" }}
 server {