author Lucas Savva <lucas@m1cr0man.com> 2020-10-22 14:06:19 +0100
committer Lucas Savva <lucas@m1cr0man.com> 2020-10-22 14:06:19 +0100
commit dad06fb922cbfcd00bae255d3fec9d70138e419b
tree d312d96b5d7c738e43678a426b5f8322bae3bd0d /nixos/tests/common/acme/server/README.md
parent 89d134b3fdcbc4412f5d7cc4e391747b3f578b32
nixos/tests/acme: Hard code test certificates
The added README.md explains why this has been done.
Diffstat (limited to 'nixos/tests/common/acme/server/README.md')
-rw-r--r-- nixos/tests/common/acme/server/README.md 21
1 files changed, 21 insertions, 0 deletions
diff --git a/nixos/tests/common/acme/server/README.md b/nixos/tests/common/acme/server/README.md
new file mode 100644
index 000000000000..9de2b2c71029
--- /dev/null
+++ b/nixos/tests/common/acme/server/README.md
@@ -0,0 +1,21 @@
+# Fake Certificate Authority for ACME testing
+
+This will set up a test node running [pebble](https://github.com/letsencrypt/pebble)
+to serve ACME certificate requests.
+
+## "Snake oil" certs
+
+The snake oil certs are hard coded into the repo for reasons explained [here](https://github.com/NixOS/nixpkgs/pull/91121#discussion_r505410235).
+The root of the issue is that Nix will hash the derivation based on the arguments
+to mkDerivation, not the output. [Minica](https://github.com/jsha/minica) will
+always generate a random certificate even if the arguments are unchanged. As a
+result, it's possible to end up in a situation where the cached and local
+generated certs mismatch and cause issues with testing.
+
+To generate new certificates, run the following commands:
+
+```bash
+nix-build generate-certs.nix
+cp result/* .
+rm result
+```
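Review bot: The regeneration steps at the end of the README do not say which directory to run them from, and `cp result/* .` writes into whatever the current directory happens to be; state that they are run from nixos/tests/common/acme/server so the regenerated files replace the committed ones. The "Snake oil" section should also say in one sentence that the files copied out of `result` are public test material that must never be trusted outside these tests, and summarise the reasoning behind the bare "here" link so the README still explains itself if the PR discussion moves.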