From 7d12628208b9652f80d042e32ff4d266a7db9eb5 Mon Sep 17 00:00:00 2001
From: bossm8 <91630231+bossm8@users.noreply.github.com>
Date: Fri, 8 Mar 2024 21:32:40 +0100
Subject: [PATCH] [mTLS] Fix acme verfication when mTLS and Client CN verification is enabled (#11062)

---
 rootfs/etc/nginx/template/nginx.tmpl | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
index d58be2880..381fc134c 100644
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
@@ -985,8 +985,10 @@ stream {
 {{ if not ( empty $server.CertificateAuth.MatchCN ) }}
 {{ if gt (len $server.CertificateAuth.MatchCN) 0 }}
- if ( $ssl_client_s_dn !~ {{ $server.CertificateAuth.MatchCN }} ) {
- return 403 "client certificate unauthorized";
+ location ~ ^/(?!(\.well-known/acme-challenge)) {
+ if ( $ssl_client_s_dn !~ {{ $server.CertificateAuth.MatchCN }} ) {
+ return 403 "client certificate unauthorized";
+ }
 }
 {{ end }}
 {{ end }}
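Review bot: The new `location ~ ^/(?!(\.well-known/acme-challenge))` block is a catch-all regex location with no `proxy_pass` or other handler of its own, and in nginx a matching regex location takes precedence over any plain prefix location (regex locations are tried in file order, first match wins), so if the per-path `location` blocks rendered elsewhere in this server block are prefix-style, authorized clients would likely land in this empty block instead of being proxied — this needs to be checked against a rendered config with a simple prefix path before it is relied on. The exclusion is also an unanchored prefix match, so any URI beginning with `/.well-known/acme-challenge` (for example `/.well-known/acme-challengeX/…`) skips the CN check; anchoring the segment, `location ~ ^/(?!\.well-known/acme-challenge/) {`, narrows the bypass to the ACME path itself. Skipping the CN match does not skip `ssl_verify_client`, so this only helps when client-certificate verification is configured as optional; a template comment such as `# CN match is skipped for ACME HTTP-01 challenges; ssl_verify_client still applies` would make that assumption explicit. The enclosing server block starts and ends outside this hunk.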