pyrox.dev / nixpkgs
lol
fork atom

nixos/acme: Make account creds check more robust

Fixes #190493

Check if an actual key file exists. This does not
completely cover the work accountHash does to ensure
that a new account is registered when account
related options are changed.

Lucas Savva 657ecbca 39796cad

options
unified split
Changed files
+56 -11
nixos
modules
security
acme
default.nix
tests
acme.nix
common
acme
client
default.nix
+2 -1
nixos/modules/security/acme/default.nix 
···

       
377

       
377

       
 

       



     

       
378

       
378

       
 

       
        # Check if we can renew.


     

       
379

       
379

       
 

       
        # We can only renew if the list of domains has not changed.


     

       
380

       

       
-

       
        if cmp -s domainhash.txt certificates/domainhash.txt && [ -e 'certificates/${keyName}.key' -a -e 'certificates/${keyName}.crt' -a -n "$(ls -1 accounts)" ]; then


     

       

       
380

       
+

       
        # We also need an account key. Avoids #190493


     

       

       
381

       
+

       
        if cmp -s domainhash.txt certificates/domainhash.txt && [ -e 'certificates/${keyName}.key' -a -e 'certificates/${keyName}.crt' -a -n "$(find accounts -name '${data.email}.key')" ]; then


     

       
381

       
382

       
 

       



     

       
382

       
383

       
 

       
          # Even if a cert is not expired, it may be revoked by the CA.


     

       
383

       
384

       
 

       
          # Try to renew, and silently fail if the cert is not expired.
+49 -10
nixos/tests/acme.nix 
···

       
41

       
41

       
 

       
    inherit documentRoot;


     

       
42

       
42

       
 

       
  };


     

       
43

       
43

       
 

       



     

       

       
44

       
+

       
  simpleConfig = {


     

       

       
45

       
+

       
    security.acme = {


     

       

       
46

       
+

       
      certs."http.example.test" = {


     

       

       
47

       
+

       
        listenHTTP = ":80";


     

       

       
48

       
+

       
      };


     

       

       
49

       
+

       
    };


     

       

       
50

       
+

       



     

       

       
51

       
+

       
    networking.firewall.allowedTCPPorts = [ 80 ];


     

       

       
52

       
+

       
  };


     

       

       
53

       
+

       



     

       
44

       
54

       
 

       
  # Base specialisation config for testing general ACME features


     

       
45

       
55

       
 

       
  webserverBasicConfig = {


     

       
46

       
56

       
 

       
    services.nginx.enable = true;


     
···

       
174

       
184

       
 

       



     

       
175

       
185

       
 

       
      specialisation = {


     

       
176

       
186

       
 

       
        # Tests HTTP-01 verification using Lego's built-in web server


     

       
177

       

       
-

       
        http01lego.configuration = { ... }: {


     

       
178

       

       
-

       
          security.acme = {


     

       
179

       

       
-

       
            certs."http.example.test" = {


     

       
180

       

       
-

       
              listenHTTP = ":80";


     

       
181

       

       
-

       
            };


     

       
182

       

       
-

       
          };


     

       

       
187

       
+

       
        http01lego.configuration = simpleConfig;


     

       

       
188

       
+

       



     

       

       
189

       
+

       
        renew.configuration = lib.mkMerge [


     

       

       
190

       
+

       
          simpleConfig


     

       

       
191

       
+

       
          {


     

       

       
192

       
+

       
            # Pebble provides 5 year long certs,


     

       

       
193

       
+

       
            # needs to be higher than that to test renewal


     

       

       
194

       
+

       
            security.acme.certs."http.example.test".validMinDays = 9999;


     

       

       
195

       
+

       
          }


     

       

       
196

       
+

       
        ];


     

       
183

       
197

       
 

       



     

       
184

       

       
-

       
          networking.firewall.allowedTCPPorts = [ 80 ];


     

       
185

       

       
-

       
        };


     

       

       
198

       
+

       
        # Tests that account creds can be safely changed.


     

       

       
199

       
+

       
        accountchange.configuration = lib.mkMerge [


     

       

       
200

       
+

       
          simpleConfig


     

       

       
201

       
+

       
          {


     

       

       
202

       
+

       
            security.acme.certs."http.example.test".email = "admin@example.test";


     

       

       
203

       
+

       
          }


     

       

       
204

       
+

       
        ];


     

       
186

       
205

       
 

       



     

       
187

       
206

       
 

       
        # First derivation used to test general ACME features


     

       
188

       
207

       
 

       
        general.configuration = { ... }: let


     
···

       
458

       
477

       
 

       
      download_ca_certs(client)


     

       
459

       
478

       
 

       



     

       
460

       
479

       
 

       
      # Perform http-01 w/ lego test first


     

       
461

       

       
-

       
      switch_to(webserver, "http01lego")


     

       
462

       

       
-

       



     

       
463

       
480

       
 

       
      with subtest("Can request certificate with Lego's built in web server"):


     

       

       
481

       
+

       
          switch_to(webserver, "http01lego")


     

       
464

       
482

       
 

       
          webserver.wait_for_unit("acme-finished-http.example.test.target")


     

       
465

       
483

       
 

       
          check_fullchain(webserver, "http.example.test")


     

       
466

       
484

       
 

       
          check_issuer(webserver, "http.example.test", "pebble")


     

       

       
485

       
+

       



     

       

       
486

       
+

       
      # Perform renewal test


     

       

       
487

       
+

       
      with subtest("Can renew certificates when they expire"):


     

       

       
488

       
+

       
          hash = webserver.succeed("sha256sum /var/lib/acme/http.example.test/cert.pem")


     

       

       
489

       
+

       
          switch_to(webserver, "renew")


     

       

       
490

       
+

       
          webserver.wait_for_unit("acme-finished-http.example.test.target")


     

       

       
491

       
+

       
          check_fullchain(webserver, "http.example.test")


     

       

       
492

       
+

       
          check_issuer(webserver, "http.example.test", "pebble")


     

       

       
493

       
+

       
          hash_after = webserver.succeed("sha256sum /var/lib/acme/http.example.test/cert.pem")


     

       

       
494

       
+

       
          assert hash != hash_after


     

       

       
495

       
+

       



     

       

       
496

       
+

       
      # Perform account change test


     

       

       
497

       
+

       
      with subtest("Handles email change correctly"):


     

       

       
498

       
+

       
          hash = webserver.succeed("sha256sum /var/lib/acme/http.example.test/cert.pem")


     

       

       
499

       
+

       
          switch_to(webserver, "accountchange")


     

       

       
500

       
+

       
          webserver.wait_for_unit("acme-finished-http.example.test.target")


     

       

       
501

       
+

       
          check_fullchain(webserver, "http.example.test")


     

       

       
502

       
+

       
          check_issuer(webserver, "http.example.test", "pebble")


     

       

       
503

       
+

       
          hash_after = webserver.succeed("sha256sum /var/lib/acme/http.example.test/cert.pem")


     

       

       
504

       
+

       
          # Has to do a full run to register account, which creates new certs.


     

       

       
505

       
+

       
          assert hash != hash_after


     

       
467

       
506

       
 

       



     

       
468

       
507

       
 

       
      # Perform general tests


     

       
469

       
508

       
 

       
      switch_to(webserver, "general")
+5
nixos/tests/common/acme/client/default.nix 
···

       
9

       
9

       
 

       
    defaults = {


     

       
10

       
10

       
 

       
      server = "https://${caDomain}/dir";


     

       
11

       
11

       
 

       
      email = "hostmaster@example.test";


     

       

       
12

       
+

       
      # Avoid a random 0-8 minute sleep when testing renewals.


     

       

       
13

       
+

       
      # We are not using LE servers in testing so this is not


     

       

       
14

       
+

       
      # going to impact their load.


     

       

       
15

       
+

       
      # See https://github.com/go-acme/lego/issues/1656


     

       

       
16

       
+

       
      extraLegoRenewFlags = ["-no-random-sleep"];


     

       
12

       
17

       
 

       
    };


     

       
13

       
18

       
 

       
  };


     

       
14

       
19