From 8f59f6fcc57803fea589fc65d587a276b9f00398 Mon Sep 17 00:00:00 2001
From: Marco Boss <marco.boss@switch.ch>
Date: Sat, 9 Mar 2024 00:02:39 +0100
Subject: [PATCH] revert mTLS location excluding acme-challenge since each
 location will match ultimately resulting in 404 for all request paths

---
 rootfs/etc/nginx/template/nginx.tmpl | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
index 381fc134c..d58be2880 100644
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
@@ -985,10 +985,8 @@ stream {
 
         {{ if not ( empty $server.CertificateAuth.MatchCN ) }}
         {{ if gt (len $server.CertificateAuth.MatchCN) 0 }}
-        location ~ ^/(?!(\.well-known/acme-challenge)) {
-            if ( $ssl_client_s_dn !~ {{ $server.CertificateAuth.MatchCN }} ) {
-                return 403 "client certificate unauthorized";
-            }
+        if ( $ssl_client_s_dn !~ {{ $server.CertificateAuth.MatchCN }} ) {
+            return 403 "client certificate unauthorized";
         }
         {{ end }}
         {{ end }}