authorFranz Pletz <fpletz@fnordicwalking.de>2024-05-10 14:04:24 +0200
committerGitHub <noreply@github.com>2024-05-10 14:04:24 +0200
commitfb382c2628b68bed48db134cb8928858fe5a5e42 (patch)
treea2a66c635385a6238f05bf4682a5d0e593a5feeb /nixos
parente7b8b9c165becffe857d60f610653254d4b56e1d (diff)
parentb7d060d10d6e5089c9d7f0c889845bb936c4f961 (diff)
Merge pull request #310452 from fpletz/nginx-acme-servername
nixos/nginx: fix reference to acme cert hostname
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/services/web-servers/nginx/default.nix2
-rw-r--r--nixos/tests/acme.nix32
2 files changed, 21 insertions, 13 deletions
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index 08fab09e1e55..fd940cfe459a 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -352,7 +352,7 @@ let
# The acme-challenge location doesn't need to be added if we are not using any automated
# certificate provisioning and can also be omitted when we use a certificate obtained via a DNS-01 challenge
- acmeName = if vhost.useACMEHost != null then vhost.useACMEHost else vhostName;
+ acmeName = if vhost.useACMEHost != null then vhost.useACMEHost else vhost.serverName;
acmeLocation = optionalString ((vhost.enableACME || vhost.useACMEHost != null) && config.security.acme.certs.${acmeName}.dnsProvider == null)
# Rule for legitimate ACME Challenge requests (like /.well-known/acme-challenge/xxxxxxxxx)
# We use ^~ here, so that we don't check any regexes (which could
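Review bot: The changed `acmeName` line assumes `vhost.serverName` is already non-null here; if the module does not substitute the `virtualHosts` attribute name for an unset `serverName` before this `let`, the `config.security.acme.certs.${acmeName}` lookup on the following line would index with null and fail at evaluation, so that substitution is worth confirming upstream of this hunk. The reason for switching from `vhostName` is also not recorded beside the line — presumably the certificates that `enableACME` creates are registered under the `serverName` rather than the attribute key, which is what the commit title hints at. A comment above the assignment would keep the two sides in step for the next reader: `# Certificates created via enableACME are keyed by serverName, not by the virtualHosts attribute name, so the lookup below must use the same key.` The enclosing `let` block starts and ends outside the hunk.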
diff --git a/nixos/tests/acme.nix b/nixos/tests/acme.nix
index d63a77fcdd23..511d3c589fae 100644
--- a/nixos/tests/acme.nix
+++ b/nixos/tests/acme.nix
@@ -99,7 +99,14 @@
serverAliases = [ "${server}-wildcard-alias.example.test" ];
useACMEHost = "example.test";
};
- };
+ } // (lib.optionalAttrs (server == "nginx") {
+ # The nginx module supports using a different key than the hostname
+ different-key = vhostBaseData // {
+ serverName = "${server}-different-key.example.test";
+ serverAliases = [ "${server}-different-key-alias.example.test" ];
+ enableACME = true;
+ };
+ });
};
# Used to determine if service reload was triggered
@@ -653,20 +660,20 @@ in {
webserver.succeed("systemctl restart caddy.service")
check_connection_key_bits(client, "a.example.test", "384")
- domains = ["http", "dns", "wildcard"]
- for server, logsrc in [
- ("nginx", "journalctl -n 30 -u nginx.service"),
- ("httpd", "tail -n 30 /var/log/httpd/*.log"),
+ common_domains = ["http", "dns", "wildcard"]
+ for server, logsrc, domains in [
+ ("nginx", "journalctl -n 30 -u nginx.service", common_domains + ["different-key"]),
+ ("httpd", "tail -n 30 /var/log/httpd/*.log", common_domains),
]:
wait_for_server = lambda: webserver.wait_for_unit(f"{server}.service")
with subtest(f"Works with {server}"):
try:
switch_to(webserver, server)
- # Skip wildcard domain for this check ([:-1])
- for domain in domains[:-1]:
- webserver.wait_for_unit(
- f"acme-finished-{server}-{domain}.example.test.target"
- )
+ for domain in domains:
+ if domain != "wildcard":
+ webserver.wait_for_unit(
+ f"acme-finished-{server}-{domain}.example.test.target"
+ )
except Exception as err:
_, output = webserver.execute(
f"{logsrc} && ls -al /var/lib/acme/acme-challenge"
@@ -676,8 +683,9 @@ in {
wait_for_server()
- for domain in domains[:-1]:
- check_issuer(webserver, f"{server}-{domain}.example.test", "pebble")
+ for domain in domains:
+ if domain != "wildcard":
+ check_issuer(webserver, f"{server}-{domain}.example.test", "pebble")
for domain in domains:
check_connection(client, f"{server}-{domain}.example.test")
check_connection(client, f"{server}-{domain}-alias.example.test")