Custom TLS certificates gone after upgrade

I just installed the latest firmware for Flint 2.
I haven’t tested the firmware itself, but I am either blinded from other posts, or something is wrong with the upgrade process.

So, I have installed my own certificates under /etc/nginx. And since I wanted to be sure that the certificates and the key would not be overwritten by an upgrade process, I actually installed them with my own names and made nginx.cer and nginx.key soft links to the actual files.

Now, they are gone! And actually, the whole /etc/nginx directory is overwritten since my files are not there! Which means that the upgrade process will not be smooth in the future as well.

Thus:

  1. How do we install our custom certificates so that they are not overwritten by the upgrade process?
  2. I think it’s wrong to replace a target directory. Devs should take into account the possibility that we have modified those directories!

The easiest way to make them permanent is to add them to /etc/sysupgrade.conf.
You have two options:

Use them without your own name and add each certificate path to /etc/sysupgrade.conf, or use your own names and add the whole /etc/nginx to /etc/sysupgrade.conf.

The last option could create issues whenever GL changes nginx config in upgrade, but it should work fine mostly.
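
An added example, not part of the answer above or of the firmware: a small POSIX shell helper that registers the certificate and key paths in the keep list without duplicating entries, and also registers the file behind a symlink such as nginx.cer, so the link does not dangle after an upgrade. The function names are hypothetical, and it assumes the backup stores a symlink as a link rather than following it.

```shell
#!/bin/sh
# Added example: register files in the sysupgrade keep list, idempotently.
# CONF defaults to /etc/sysupgrade.conf (the path given in the answer);
# keep_path and keep_with_target are hypothetical helper names.

CONF="${CONF:-/etc/sysupgrade.conf}"

# Append one path to $CONF unless that exact line is already present.
keep_path() {
    [ -f "$CONF" ] || : > "$CONF"
    grep -qxF -- "$1" "$CONF" || printf '%s\n' "$1" >> "$CONF"
}

# Register each path; if it is a symlink, register the file it points to
# as well (assumption: the backup keeps links as links).
keep_with_target() {
    for p in "$@"; do
        if [ ! -e "$p" ] && [ ! -L "$p" ]; then
            echo "skip: $p does not exist" >&2
            continue
        fi
        keep_path "$p"
        if [ -L "$p" ]; then
            target=$(readlink -f "$p") || continue
            if [ -e "$target" ]; then
                keep_path "$target"
            else
                echo "warning: $p is a dangling symlink" >&2
            fi
        fi
    done
}

# Usage on the router (file names from the first post):
#   keep_with_target /etc/nginx/nginx.cer /etc/nginx/nginx.key
#   sysupgrade -l | grep nginx   # stock OpenWrt option that lists kept files;
#                                # assumed to be available on this firmware
```

Running it twice leaves the keep list unchanged, so it is safe to call again after replacing a certificate.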

Lovely!
The idea is to keep intervention as little as possible. So, use the same names and add them to sysupgrade.conf

Many many thanks.

P.S. I still think it’s wrong to replace the whole directory during an upgrade.

No, it isn’t! The devs are constantly optimizing and improving Nginx’s performance and security.