Commit Graph

10 Commits

Author SHA1 Message Date
Félix Baylac-Jacqué
0c0af28cd5 nixos/tests/letsencrypt: use Pebble instead of Boulder
Let's encrypt bumped ACME to V2. We need to update our nixos test to
be compatible with this new protocol version.

We decided to drop the Boulder ACME server in favor of the more
integration test friendly Pebble.

- overriding cacert not necessary
- this avoids rebuilding lots of packages needlessly
- nixos/tests/acme: use pebble's ca for client tests
- pebble always generates its own ca which has to be fetched

TODO: write proper commit msg :)
2019-10-23 21:17:17 +02:00
Arian van Putten
604b7c139f Fix letsencrypt (#60219)
* nixos/acme: Fix ordering of cert requests

When subsequent certificates would be added, they would
not wake up nginx correctly due to target units only being triggered
once. We now added more fine-grained systemd dependencies to make sure
nginx always is aware of new certificates and doesn't restart too early
resulting in a crash.

Furthermore, the acme module has been refactored. Mostly to get
rid of the deprecated PermissionStartOnly systemd options which were
deprecated. Below is a summary of changes made.

* Use SERVICE_RESULT to determine status
This was added in systemd v232. we don't have to keep track
of the EXITCODE ourselves anymore.

* Add regression test for requesting mutliple domains

* Deprecate 'directory' option
We now use systemd's StateDirectory option to manage
create and permissions of the acme state directory.

* The webroot is created using a systemd.tmpfiles.rules rule
instead of the preStart script.

* Depend on certs directly

By getting rid of the target units, we make sure ordering
is correct in the case that you add new certs after already
having deployed some.

Reason it broke before:  acme-certificates.target would
be in active state, and if you then add a new cert, it
would still be active and hence nginx would restart
without even requesting a new cert. Not good!  We
make the dependencies more fine-grained now. this should fix that

* Remove activationDelay option

It complicated the code a lot, and is rather arbitrary. What if
your activation script takes more than activationDelay seconds?

Instead, one should use systemd dependencies to make sure some
action happens before setting the certificate live.

e.g. If you want to wait until your cert is published in DNS DANE /
TLSA, you could create a unit that blocks until it appears in DNS:

```
RequiredBy=acme-${cert}.service
After=acme-${cert}.service
ExecStart=publish-wait-for-dns-script
```
2019-08-29 16:32:59 +02:00
Domen Kožar
6eacc17157
nixos tests: move common configuration into separate file
This allows tests outside nixos to use acme setup.
2018-09-24 20:07:33 +01:00
Robert Schütz
2215834789
simp_le: use python3Packages (#44476) 2018-08-05 01:17:38 +02:00
volth
2e979e8ceb [bot] nixos/*: remove unused arguments in lambdas 2018-07-20 20:56:59 +00:00
aszlig
7b87554ca1
nixos/tests/letsencrypt: Hardcode certs and keys
In 0c7c1660f7 I have set allowSubstitutes
to false, which avoided the substitution of the certificates.

Unfortunately substitution may still happen later when the certificate
is merged with the CA bundle. So the merged CA bundle might be
substituted from a binary cache but the certificate itself is built
locally, which could result in a different certificate in the bundle.

So instead of adding just yet another workaround, I've now hardcoded all
the certificates and keys in a separate file. This also moves
letsencrypt.nix into its own directory so we don't mess up
nixos/tests/common too much.

This was long overdue and should finally make the dependency graph for
the ACME test more deterministic.

Signed-off-by: aszlig <aszlig@nix.build>
2018-07-12 02:32:46 +02:00
xeji
642bed4b3e
nixos/tests/acme: fix on i686, improve timing (#40410)
... to prevent non-deterministic failures
2018-05-13 19:59:59 +02:00
aszlig
b5fbb4f362
nixos/tests/acme: Use overridePythonAttrs
Quoting from @FRidh:

  Note overridePythonAttrs exists since 17.09. It overrides the call to
  buildPythonPackage.

While it's not strictly necessary to do this, because postPatch ends up
in drvAttrs anyway, it's probably better to use overridePythonAttrs so
we don't run into problems when the underlying implementation of
buildPythonPackage changes.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2017-09-14 23:18:52 +02:00
aszlig
01fffd94e5
nixos/tests/acme: Patch certifi with cacert
Since 67651d80bc the requests package now
depends on certifi, which in turn provides the CA root certificates that
we need to replace.

It might also be a good idea to actually patch certifi with our version
of cacert by default so that if we want to override and/or add something
we only need to do it once.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @fpletz, @k0ral, @FRidh
2017-09-13 23:16:43 +02:00
aszlig
11b3ae74e1
nixos/tests: Add a basic test for ACME
The test here is pretty basic and only tests nginx, but it should get us
started to write tests for different webservers and different ACME
implementations.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2017-09-13 23:16:37 +02:00