www/nginx: quick fix for trusted CAs pem

[kulikov-a]

Hi. just quick fix for troubles with trust_upstream_*.pem files after update to 1.20 with upstream tls verify enabled and trusted CAs selected

[jkellerer]

Had come up with exactly the same solution before finding this PR. Can confirm that it fixes the problem.

[kulikov-a]

@fabianfrz
thanks for watching this!
may I add #1991 to this PR? a working SNI directives can be critical for upstream verification to work. so upstream can choose the right cert on request from nginx

[folfy]

Does this fix the trust_upstream_* files not being put in place correctly?

root@gw:~ # ls -l /usr/local/etc/nginx/key/trust_upstream*
-rw------- 1 root wheel 3 Jan 23 22:07 /usr/local/etc/nginx/key/trust_upstream_5037b17e-fc0d-452a-9b59-da40823f7550.pem
-rw------- 1 root wheel 3 Jan 23 21:53 /usr/local/etc/nginx/key/trust_upstream_acc62566-fd6f-4488-8b88-a7022399cb56.pem
-rw------- 1 root wheel 3 Jan 23 22:05 /usr/local/etc/nginx/key/trust_upstream_d9229681-d046-4320-a741-276a3d7ae71e.pem

Size is 3 bytes, obviously not right, and saw some other users with that problem at the opnsense forum as well.

This broke my nginx-Server since I upgraded to OPNsense 20.7.8, had to disable upstream certificate verification for now to get it back up and running. Hope to see a fix being deployed soon :/

[folfy]

Tested it as a patch to my local installation with two trusted certificates set up - working fine and fixes the bug preventing nginx from startup (nevermind my lazyness before to further investigate your PR)

[fichtner]

Merged due to maintainer timeout, thank you! ❤️

[kulikov-a]

@fichtner
thanks!!