diff options
author | Emily <vcs@emily.moe> | 2020-03-23 20:35:16 +0000 |
---|---|---|
committer | Emily <vcs@emily.moe> | 2020-04-18 05:15:47 +0100 |
commit | d0f04c1623ae74f256ff5ced77ac78c7fe3b6abc (patch) | |
tree | 8362f0619ac0551885118b009ebb17a244853321 /nixos/tests/acme.nix | |
parent | 352e30df8a38b1b673c19de817fedca7d3d95d71 (diff) |
nixos/tests/acme: use *.test domains
Shimming out the Let's Encrypt domain name to reuse client configuration
doesn't work properly (Pebble uses different endpoint URL formats), is
recommended against by upstream,[1] and is unnecessary now that the ACME
module supports specifying an ACME server. This commit changes the tests
to use the domain name acme.test instead, and renames the letsencrypt
node to acme to reflect that it has nothing to do with the ACME server
that Let's Encrypt runs. The imports are renamed for clarity:
* nixos/tests/common/{letsencrypt => acme}/{common.nix => client}
* nixos/tests/common/{letsencrypt => acme}/{default.nix => server}
The test's other domain names are also adjusted to use *.test for
consistency (and to avoid misuse of non-reserved domain names such
as standalone.com).
[1] https://github.com/letsencrypt/pebble/issues/283#issuecomment-545123242
Co-authored-by: Yegor Timoshenko <yegortimoshenko@riseup.net>
Diffstat (limited to 'nixos/tests/acme.nix')
-rw-r--r-- | nixos/tests/acme.nix | 99 |
1 files changed, 47 insertions, 52 deletions
diff --git a/nixos/tests/acme.nix b/nixos/tests/acme.nix index 638601cd75f3..032432287bd0 100644 --- a/nixos/tests/acme.nix +++ b/nixos/tests/acme.nix @@ -1,5 +1,5 @@ let - commonConfig = ./common/letsencrypt/common.nix; + commonConfig = ./common/acme/client; dnsScript = {writeScript, dnsAddress, bash, curl}: writeScript "dns-hook.sh" '' #!${bash}/bin/bash @@ -16,8 +16,8 @@ in import ./make-test-python.nix { name = "acme"; nodes = rec { - letsencrypt = { nodes, lib, ... }: { - imports = [ ./common/letsencrypt ]; + acme = { nodes, lib, ... }: { + imports = [ ./common/acme/server ]; networking.nameservers = lib.mkForce [ nodes.dnsserver.config.networking.primaryIPAddress ]; @@ -45,19 +45,16 @@ in import ./make-test-python.nix { nodes.dnsserver.config.networking.primaryIPAddress ]; networking.firewall.allowedTCPPorts = [ 80 ]; - security.acme = { - server = "https://acme-v02.api.letsencrypt.org/dir"; - certs."standalone.com" = { - webroot = "/var/lib/acme/acme-challenges"; - }; + security.acme.certs."standalone.test" = { + webroot = "/var/lib/acme/acme-challenges"; }; - systemd.targets."acme-finished-standalone.com" = {}; - systemd.services."acme-standalone.com" = { - wants = [ "acme-finished-standalone.com.target" ]; - before = [ "acme-finished-standalone.com.target" ]; + systemd.targets."acme-finished-standalone.test" = {}; + systemd.services."acme-standalone.test" = { + wants = [ "acme-finished-standalone.test.target" ]; + before = [ "acme-finished-standalone.test.target" ]; }; services.nginx.enable = true; - services.nginx.virtualHosts."standalone.com" = { + services.nginx.virtualHosts."standalone.test" = { locations."/.well-known/acme-challenge".root = "/var/lib/acme/acme-challenges"; }; }; @@ -71,16 +68,16 @@ in import ./make-test-python.nix { # A target remains active. Use this to probe the fact that # a service fired eventhough it is not RemainAfterExit - systemd.targets."acme-finished-a.example.com" = {}; - systemd.services."acme-a.example.com" = { - wants = [ "acme-finished-a.example.com.target" ]; - before = [ "acme-finished-a.example.com.target" ]; + systemd.targets."acme-finished-a.example.test" = {}; + systemd.services."acme-a.example.test" = { + wants = [ "acme-finished-a.example.test.target" ]; + before = [ "acme-finished-a.example.test.target" ]; after = [ "nginx.service" ]; }; services.nginx.enable = true; - services.nginx.virtualHosts."a.example.com" = { + services.nginx.virtualHosts."a.example.test" = { enableACME = true; forceSSL = true; locations."/".root = pkgs.runCommand "docroot" {} '' @@ -89,16 +86,16 @@ in import ./make-test-python.nix { ''; }; - security.acme.server = "https://acme-v02.api.letsencrypt.org/dir"; + security.acme.server = "https://acme.test/dir"; specialisation.second-cert.configuration = {pkgs, ...}: { - systemd.targets."acme-finished-b.example.com" = {}; - systemd.services."acme-b.example.com" = { - wants = [ "acme-finished-b.example.com.target" ]; - before = [ "acme-finished-b.example.com.target" ]; + systemd.targets."acme-finished-b.example.test" = {}; + systemd.services."acme-b.example.test" = { + wants = [ "acme-finished-b.example.test.target" ]; + before = [ "acme-finished-b.example.test.target" ]; after = [ "nginx.service" ]; }; - services.nginx.virtualHosts."b.example.com" = { + services.nginx.virtualHosts."b.example.test" = { enableACME = true; forceSSL = true; locations."/".root = pkgs.runCommand "docroot" {} '' @@ -108,8 +105,8 @@ in import ./make-test-python.nix { }; }; specialisation.dns-01.configuration = {pkgs, config, nodes, lib, ...}: { - security.acme.certs."example.com" = { - domain = "*.example.com"; + security.acme.certs."example.test" = { + domain = "*.example.test"; dnsProvider = "exec"; dnsPropagationCheck = false; credentialsFile = with pkgs; writeText "wildcard.env" '' @@ -118,17 +115,17 @@ in import ./make-test-python.nix { user = config.services.nginx.user; group = config.services.nginx.group; }; - systemd.targets."acme-finished-example.com" = {}; - systemd.services."acme-example.com" = { - wants = [ "acme-finished-example.com.target" ]; - before = [ "acme-finished-example.com.target" "nginx.service" ]; + systemd.targets."acme-finished-example.test" = {}; + systemd.services."acme-example.test" = { + wants = [ "acme-finished-example.test.target" ]; + before = [ "acme-finished-example.test.target" "nginx.service" ]; wantedBy = [ "nginx.service" ]; }; - services.nginx.virtualHosts."c.example.com" = { + services.nginx.virtualHosts."c.example.test" = { forceSSL = true; - sslCertificate = config.security.acme.certs."example.com".directory + "/cert.pem"; - sslTrustedCertificate = config.security.acme.certs."example.com".directory + "/full.pem"; - sslCertificateKey = config.security.acme.certs."example.com".directory + "/key.pem"; + sslCertificate = config.security.acme.certs."example.test".directory + "/cert.pem"; + sslTrustedCertificate = config.security.acme.certs."example.test".directory + "/full.pem"; + sslCertificateKey = config.security.acme.certs."example.test".directory + "/key.pem"; locations."/".root = pkgs.runCommand "docroot" {} '' mkdir -p "$out" echo hello world > "$out/index.html" @@ -159,46 +156,44 @@ in import ./make-test-python.nix { client.start() dnsserver.start() - letsencrypt.wait_for_unit("default.target") + acme.wait_for_unit("default.target") dnsserver.wait_for_unit("pebble-challtestsrv.service") client.succeed( - 'curl --data \'{"host": "acme-v02.api.letsencrypt.org", "addresses": ["${nodes.letsencrypt.config.networking.primaryIPAddress}"]}\' http://${nodes.dnsserver.config.networking.primaryIPAddress}:8055/add-a' + 'curl --data \'{"host": "acme.test", "addresses": ["${nodes.acme.config.networking.primaryIPAddress}"]}\' http://${nodes.dnsserver.config.networking.primaryIPAddress}:8055/add-a' ) client.succeed( - 'curl --data \'{"host": "standalone.com", "addresses": ["${nodes.acmeStandalone.config.networking.primaryIPAddress}"]}\' http://${nodes.dnsserver.config.networking.primaryIPAddress}:8055/add-a' + 'curl --data \'{"host": "standalone.test", "addresses": ["${nodes.acmeStandalone.config.networking.primaryIPAddress}"]}\' http://${nodes.dnsserver.config.networking.primaryIPAddress}:8055/add-a' ) - letsencrypt.start() + acme.start() acmeStandalone.start() - letsencrypt.wait_for_unit("default.target") - letsencrypt.wait_for_unit("pebble.service") + acme.wait_for_unit("default.target") + acme.wait_for_unit("pebble.service") with subtest("can request certificate with HTTPS-01 challenge"): acmeStandalone.wait_for_unit("default.target") - acmeStandalone.succeed("systemctl start acme-standalone.com.service") - acmeStandalone.wait_for_unit("acme-finished-standalone.com.target") + acmeStandalone.succeed("systemctl start acme-standalone.test.service") + acmeStandalone.wait_for_unit("acme-finished-standalone.test.target") client.wait_for_unit("default.target") - client.succeed("curl https://acme-v02.api.letsencrypt.org:15000/roots/0 > /tmp/ca.crt") - client.succeed( - "curl https://acme-v02.api.letsencrypt.org:15000/intermediate-keys/0 >> /tmp/ca.crt" - ) + client.succeed("curl https://acme.test:15000/roots/0 > /tmp/ca.crt") + client.succeed("curl https://acme.test:15000/intermediate-keys/0 >> /tmp/ca.crt") with subtest("Can request certificate for nginx service"): - webserver.wait_for_unit("acme-finished-a.example.com.target") + webserver.wait_for_unit("acme-finished-a.example.test.target") client.succeed( - "curl --cacert /tmp/ca.crt https://a.example.com/ | grep -qF 'hello world'" + "curl --cacert /tmp/ca.crt https://a.example.test/ | grep -qF 'hello world'" ) with subtest("Can add another certificate for nginx service"): webserver.succeed( "/run/current-system/specialisation/second-cert/bin/switch-to-configuration test" ) - webserver.wait_for_unit("acme-finished-b.example.com.target") + webserver.wait_for_unit("acme-finished-b.example.test.target") client.succeed( - "curl --cacert /tmp/ca.crt https://b.example.com/ | grep -qF 'hello world'" + "curl --cacert /tmp/ca.crt https://b.example.test/ | grep -qF 'hello world'" ) with subtest("Can request wildcard certificates using DNS-01 challenge"): @@ -208,9 +203,9 @@ in import ./make-test-python.nix { webserver.succeed( "/run/current-system/specialisation/dns-01/bin/switch-to-configuration test" ) - webserver.wait_for_unit("acme-finished-example.com.target") + webserver.wait_for_unit("acme-finished-example.test.target") client.succeed( - "curl --cacert /tmp/ca.crt https://c.example.com/ | grep -qF 'hello world'" + "curl --cacert /tmp/ca.crt https://c.example.test/ | grep -qF 'hello world'" ) ''; } |