Noticed via https://hackernewstitles.netlify.com/
Of course that's a thing.
Note that using variables implies that a certificate will be loaded for each SSL handshake, and this may have a negative impact on performance.
What if your ACME client is updating the certificate and private key when an nginx connection comes in?
You can't atomically update both files, right? So nginx will potentially see a mismatched key and certificate?
I hope it's guarded by SIGHUP, like sibling comment suggests.
It only needs to update the certificate, a single operation, which can be done atomically. Certificates are also renewed ahead of time so a previous connection still having the old cert is not an issue.
open takes a file path and gives you back a fd that doesn't know anything about fs paths (it tracks the underlying inode).
Thus, nginx may open(key) before the directory is renamed, and open(cert) afterwards. The first fd is now pointing to the old key, while the second fd points to the new cert.
Another comment pointed out though that most of the time you only need to update the cert, and not the key. So it's mostly a moot issue.
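Added example (mine, not code from the thread or from nginx): a small model of the interleaving described above. The "ACME client" publishes each renewal as a new versioned directory and repoints a `live` symlink with an atomic rename; the "nginx" side opens the key by path, then the cert by path. The fd opened before the swap keeps tracking the old inode, so it reads the old key while the second open follows the new symlink to the new cert. The key/cert files are constructed stand-ins (a cert "belongs" to a key when it names the same key id); the symlink-swap layout and the `racy_reload`/`pair_matches` names are my assumptions, not anything from the thread.

```python
import os
import shutil
import tempfile


def write_pair(directory, cert_serial, key_id):
    """Write a constructed stand-in for privkey.pem/fullchain.pem into `directory`."""
    os.makedirs(directory)
    with open(os.path.join(directory, "privkey.pem"), "w") as f:
        f.write(f"KEY id={key_id}\n")
    with open(os.path.join(directory, "fullchain.pem"), "w") as f:
        f.write(f"CERT serial={cert_serial} key={key_id}\n")


def pair_matches(key_text, cert_text):
    """Stand-in for 'does this cert's public key belong to this private key'."""
    key_id = key_text.split("id=")[1].strip()
    cert_key = cert_text.split("key=")[1].strip()
    return key_id == cert_key


def swap_symlink(link, target):
    """Atomically repoint `link` at `target`: create a temp symlink, rename over."""
    tmp = link + ".tmp"
    os.symlink(target, tmp)
    os.rename(tmp, link)  # rename(2) replaces the old symlink in one step


def racy_reload(rotate_key):
    """Model nginx opening key then cert while a renewal lands in between.

    Returns (key_text, cert_text) as the server would end up holding them.
    With rotate_key=True the pair is mismatched; with a reused key it is fine.
    """
    root = tempfile.mkdtemp()
    try:
        v1 = os.path.join(root, "v1")
        v2 = os.path.join(root, "v2")
        live = os.path.join(root, "live")
        write_pair(v1, cert_serial=1, key_id="A")
        os.symlink(v1, live)

        # nginx: open(live/privkey.pem). The fd now tracks the inode in v1.
        key_fd = open(os.path.join(live, "privkey.pem"))

        # ACME client: renewal is written to v2 and `live` is swapped atomically.
        write_pair(v2, cert_serial=2, key_id="B" if rotate_key else "A")
        swap_symlink(live, v2)

        # nginx: open(live/fullchain.pem) resolves through the new symlink to v2.
        with open(os.path.join(live, "fullchain.pem")) as cert_fd:
            cert_text = cert_fd.read()
        key_text = key_fd.read()  # still the v1 key: the fd never followed the rename
        key_fd.close()
        return key_text, cert_text
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print("key rotated :", "match" if pair_matches(*racy_reload(True)) else "MISMATCH")
    print("key reused  :", "match" if pair_matches(*racy_reload(False)) else "MISMATCH")
```

For the real check on a deployed pair, compare the public keys rather than a tag: `openssl x509 -noout -pubkey -in fullchain.pem` and `openssl pkey -pubout -in privkey.pem` must print the same key. Doing that after every renewal, before the new files are published, catches the case the model above produces.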
Edit: it does. Just use that instead of messing with separate files
$hostname = ../../etc/some/secret
 - https://nginx.org/en/docs/http/ngx_http_ssl_module.html#vari...
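Added example (mine, not from the thread or from nginx) of the check you would want in front of a certificate path built from a client-supplied server name. Two independent checks: the name must look like a DNS hostname (so `../../etc/some/secret`, slashes, NULs and the like are rejected outright), and the resolved path must still sit under the certificate root, as defence in depth if the first check is ever loosened. The `cert_path_for` name and the `<root>/<name>.pem` layout are my assumptions; inside nginx itself the equivalent is a `map` on `$ssl_server_name` that only yields a file name for a strict regex and a default otherwise.

```python
import os
import re

# A hostname as it can appear in SNI: 1..253 chars of alphanumeric/hyphen labels
# joined by dots, no label starting or ending with a hyphen. Nothing else passes.
HOSTNAME_RE = re.compile(
    r"(?=.{1,253}$)"
    r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
    r"(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*"
)


def cert_path_for(cert_root, server_name):
    """Map a server name to <cert_root>/<name>.pem, or None if it is unsafe."""
    if not server_name:
        return None
    name = server_name.lower().rstrip(".")  # canonical form, drop trailing dot
    if not HOSTNAME_RE.fullmatch(name):
        return None
    root = os.path.realpath(cert_root)
    candidate = os.path.realpath(os.path.join(root, name + ".pem"))
    # Containment check: the resolved path must not escape the root.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    for sni in ["example.com", "Example.COM.", "../../etc/some/secret",
                "a/b.example", "-bad.example", "x" * 64 + ".example"]:
        print(repr(sni), "->", cert_path_for("/srv/certs", sni))
```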