Description
When a certificate other than the system’s self-signed one (e.g., a Let's Encrypt certificate) is set as the default in the Certificate page, the firewall administration page (port 9090 and 443) correctly uses it.
However, reverse proxy services do not honor this setting and instead fall back to the "_lan" self-signed certificate.
This inconsistency can cause confusion for users who expect the same certificate to be consistently applied across both the administration page and reverse proxy services.
Steps to reproduce
- Obtain a Let's Encrypt certificate
- Set as default for the system
- Create a Reverse Proxy, and set the certificate as "Default Certificate"
Expected behavior
Both the administration interface (port 9090, 443) and the reverse proxy services should consistently use the certificate designated as "default."
Actual behavior
The firewall administration interface uses the correct "default" certificate (i.e., the Let's Encrypt one).
The reverse proxy instead uses the self-signed "_lan" certificate, if the "Default Certificate" is selected.
Additional information
```
root@nsec8-dev:~# uci show nginx._lan
nginx._lan=server
nginx._lan.listen='443 ssl default_server' '[::]:443 ssl default_server'
nginx._lan.server_name='_lan'
nginx._lan.uci_manage_ssl='custom'
nginx._lan.ssl_certificate='/etc/ssl/acme/my.domain.com.fullchain.crt'
nginx._lan.ssl_certificate_key='/etc/ssl/acme/my.domain.com.key'
nginx._lan.ssl_session_cache='shared:SSL:32k'
nginx._lan.ssl_session_timeout='64m'
nginx._lan.access_log='syslog:server=unix:/dev/log,nohostname'
nginx._lan.error_log='syslog:server=unix:/dev/log,nohostname'
nginx._lan.include='conf.d/*.locations' 'conf.d/_lan[.]proxy'
nginx.ns_e186068c.server_name='my.otherdomain.com'
nginx.ns_e186068c.ssl_certificate='/etc/nginx/conf.d/_lan.crt'
nginx.ns_e186068c.ssl_certificate_key='/etc/nginx/conf.d/_lan.key'
nginx.ns_e186068c.uci_description='My other reverse proxy'
```
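A check for the mismatch shown in the output above, added here as an example and not part of the original report or the project's code: it reads `uci show nginx` output and lists server sections still pointing at the self-signed `/etc/nginx/conf.d/_lan.crt` while `nginx._lan` uses a different certificate. The function names and the embedded sample input are constructed for illustration, and the check assumes any proxy on the self-signed path was meant to follow the default.

```shell
#!/bin/sh
# Added example: detect reverse proxy servers that did not follow the
# default certificate configured on the nginx._lan server.

# Self-signed certificate path, as shown in the issue output.
SELF_SIGNED='/etc/nginx/conf.d/_lan.crt'

# Reads `uci show nginx` output on stdin; prints one line per stale section.
find_stale_cert_servers() {
    awk -v self="$SELF_SIGNED" -v q="'" '
        # Matches nginx.<section>.ssl_certificate=... but not ..._key=
        /^nginx\.[^.]+\.ssl_certificate=/ {
            eq  = index($0, "=")
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            # Strip the single quotes uci puts around values
            if (substr(val, 1, 1) == q) val = substr(val, 2, length(val) - 2)
            split(key, parts, ".")
            cert[parts[2]] = val
        }
        END {
            def = cert["_lan"]
            # Nothing to compare if _lan is absent or still self-signed
            if (def == "" || def == self) exit 0
            for (s in cert)
                if (s != "_lan" && cert[s] == self)
                    print s " uses " self " but default is " def
        }
    ' | sort
}

# Constructed sample input, reduced from the output in the issue.
sample_uci_output() {
    cat <<'EOF'
nginx._lan=server
nginx._lan.ssl_certificate='/etc/ssl/acme/my.domain.com.fullchain.crt'
nginx._lan.ssl_certificate_key='/etc/ssl/acme/my.domain.com.key'
nginx.ns_e186068c.server_name='my.otherdomain.com'
nginx.ns_e186068c.ssl_certificate='/etc/nginx/conf.d/_lan.crt'
nginx.ns_e186068c.ssl_certificate_key='/etc/nginx/conf.d/_lan.key'
EOF
}

# On the firewall: uci show nginx | find_stale_cert_servers
sample_uci_output | find_stale_cert_servers
```

An empty result means either no proxy references the self-signed path or `nginx._lan` itself still uses it.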