pyrox.dev / nixpkgs
lol
fork atom

Merge pull request #99912 from m1cr0man/ocspfix

nixos/acme: Fix ocspMustStaple option and add test

Florian Klink a1cb0214 cddb921a

options
unified split
Changed files
+43 -5
nixos
modules
security
acme.nix
tests
acme.nix
common
acme
server
default.nix
+4 -1
nixos/modules/security/acme.nix 
···

       
122

       
122

       
 

       
      "--email" data.email


     

       
123

       
123

       
 

       
      "--key-type" data.keyType


     

       
124

       
124

       
 

       
    ] ++ protocolOpts


     

       
125

       

       
-

       
      ++ optionals data.ocspMustStaple [ "--must-staple" ]


     

       
126

       
125

       
 

       
      ++ optionals (acmeServer != null) [ "--server" acmeServer ]


     

       
127

       
126

       
 

       
      ++ concatMap (name: [ "-d" name ]) extraDomains


     

       
128

       
127

       
 

       
      ++ data.extraLegoFlags;


     

       
129

       
128

       
 

       



     

       

       
129

       
+

       
    # Although --must-staple is common to both modes, it is not declared as a


     

       

       
130

       
+

       
    # mode-agnostic argument in lego and thus must come after the mode.


     

       
130

       
131

       
 

       
    runOpts = escapeShellArgs (


     

       
131

       
132

       
 

       
      commonOpts


     

       
132

       
133

       
 

       
      ++ [ "run" ]


     

       

       
134

       
+

       
      ++ optionals data.ocspMustStaple [ "--must-staple" ]


     

       
133

       
135

       
 

       
      ++ data.extraLegoRunFlags


     

       
134

       
136

       
 

       
    );


     

       
135

       
137

       
 

       
    renewOpts = escapeShellArgs (


     

       
136

       
138

       
 

       
      commonOpts


     

       
137

       
139

       
 

       
      ++ [ "renew" "--reuse-key" ]


     

       

       
140

       
+

       
      ++ optionals data.ocspMustStaple [ "--must-staple" ]


     

       
138

       
141

       
 

       
      ++ data.extraLegoRenewFlags


     

       
139

       
142

       
 

       
    );


     

       
140

       
143
+38 -3
nixos/tests/acme.nix 
···

       
97

       
97

       
 

       
        };


     

       
98

       
98

       
 

       
      };


     

       
99

       
99

       
 

       



     

       

       
100

       
+

       
      # Test OCSP Stapling


     

       

       
101

       
+

       
      specialisation.ocsp-stapling.configuration = { pkgs, ... }: {


     

       

       
102

       
+

       
        security.acme.certs."a.example.test" = {


     

       

       
103

       
+

       
          ocspMustStaple = true;


     

       

       
104

       
+

       
        };


     

       

       
105

       
+

       
        services.nginx.virtualHosts."a.example.com" = {


     

       

       
106

       
+

       
          extraConfig = ''


     

       

       
107

       
+

       
            ssl_stapling on;


     

       

       
108

       
+

       
            ssl_stapling_verify on;


     

       

       
109

       
+

       
          '';


     

       

       
110

       
+

       
        };


     

       

       
111

       
+

       
      };


     

       

       
112

       
+

       



     

       
100

       
113

       
 

       
      # Test using Apache HTTPD


     

       
101

       
114

       
 

       
      specialisation.httpd-aliases.configuration = { pkgs, config, lib, ... }: {


     

       
102

       
115

       
 

       
        services.nginx.enable = lib.mkForce false;


     
···

       
163

       
176

       
 

       



     

       
164

       
177

       
 

       
  testScript = {nodes, ...}:


     

       
165

       
178

       
 

       
    let


     

       

       
179

       
+

       
      caDomain = nodes.acme.config.test-support.acme.caDomain;


     

       
166

       
180

       
 

       
      newServerSystem = nodes.webserver.config.system.build.toplevel;


     

       
167

       
181

       
 

       
      switchToNewServer = "${newServerSystem}/bin/switch-to-configuration test";


     

       
168

       
182

       
 

       
    in


     
···

       
246

       
260

       
 

       
              return check_connection_key_bits(node, domain, bits, retries - 1)


     

       
247

       
261

       
 

       



     

       
248

       
262

       
 

       



     

       

       
263

       
+

       
      def check_stapling(node, domain, retries=3):


     

       

       
264

       
+

       
          assert retries >= 0


     

       

       
265

       
+

       



     

       

       
266

       
+

       
          # Pebble doesn't provide a full OCSP responder, so just check the URL


     

       

       
267

       
+

       
          result = node.succeed(


     

       

       
268

       
+

       
              "openssl s_client -CAfile /tmp/ca.crt"


     

       

       
269

       
+

       
              f" -servername {domain} -connect {domain}:443 < /dev/null"


     

       

       
270

       
+

       
              " | openssl x509 -noout -ocsp_uri"


     

       

       
271

       
+

       
          )


     

       

       
272

       
+

       
          print("OCSP Responder URL:", result)


     

       

       
273

       
+

       



     

       

       
274

       
+

       
          if "${caDomain}:4002" not in result.lower():


     

       

       
275

       
+

       
              time.sleep(1)


     

       

       
276

       
+

       
              return check_stapling(node, domain, retries - 1)


     

       

       
277

       
+

       



     

       

       
278

       
+

       



     

       
249

       
279

       
 

       
      client.start()


     

       
250

       
280

       
 

       
      dnsserver.start()


     

       
251

       
281

       
 

       



     
···

       
253

       
283

       
 

       
      client.wait_for_unit("default.target")


     

       
254

       
284

       
 

       



     

       
255

       
285

       
 

       
      client.succeed(


     

       
256

       

       
-

       
          'curl --data \'{"host": "acme.test", "addresses": ["${nodes.acme.config.networking.primaryIPAddress}"]}\' http://${dnsServerIP nodes}:8055/add-a'


     

       

       
286

       
+

       
          'curl --data \'{"host": "${caDomain}", "addresses": ["${nodes.acme.config.networking.primaryIPAddress}"]}\' http://${dnsServerIP nodes}:8055/add-a'


     

       
257

       
287

       
 

       
      )


     

       
258

       
288

       
 

       



     

       
259

       
289

       
 

       
      acme.start()


     
···

       
262

       
292

       
 

       
      acme.wait_for_unit("default.target")


     

       
263

       
293

       
 

       
      acme.wait_for_unit("pebble.service")


     

       
264

       
294

       
 

       



     

       
265

       

       
-

       
      client.succeed("curl https://acme.test:15000/roots/0 > /tmp/ca.crt")


     

       
266

       

       
-

       
      client.succeed("curl https://acme.test:15000/intermediate-keys/0 >> /tmp/ca.crt")


     

       

       
295

       
+

       
      client.succeed("curl https://${caDomain}:15000/roots/0 > /tmp/ca.crt")


     

       

       
296

       
+

       
      client.succeed("curl https://${caDomain}:15000/intermediate-keys/0 >> /tmp/ca.crt")


     

       
267

       
297

       
 

       



     

       
268

       
298

       
 

       
      with subtest("Can request certificate with HTTPS-01 challenge"):


     

       
269

       
299

       
 

       
          webserver.wait_for_unit("acme-finished-a.example.test.target")


     
···

       
289

       
319

       
 

       
          webserver.wait_for_unit("acme-finished-a.example.test.target")


     

       
290

       
320

       
 

       
          check_connection_key_bits(client, "a.example.test", "384")


     

       
291

       
321

       
 

       
          webserver.succeed("grep testing /var/lib/acme/a.example.test/test")


     

       

       
322

       
+

       



     

       

       
323

       
+

       
      with subtest("Correctly implements OCSP stapling"):


     

       

       
324

       
+

       
          switch_to(webserver, "ocsp-stapling")


     

       

       
325

       
+

       
          webserver.wait_for_unit("acme-finished-a.example.test.target")


     

       

       
326

       
+

       
          check_stapling(client, "a.example.test")


     

       
292

       
327

       
 

       



     

       
293

       
328

       
 

       
      with subtest("Can request certificate with HTTPS-01 when nginx startup is delayed"):


     

       
294

       
329

       
 

       
          switch_to(webserver, "slow-startup")
+1 -1
nixos/tests/common/acme/server/default.nix 
···

       
70

       
70

       
 

       
    privateKey = testCerts.${domain}.key;


     

       
71

       
71

       
 

       
    httpPort = 80;


     

       
72

       
72

       
 

       
    tlsPort = 443;


     

       
73

       

       
-

       
    ocspResponderURL = "http://0.0.0.0:4002";


     

       

       
73

       
+

       
    ocspResponderURL = "http://${domain}:4002";


     

       
74

       
74

       
 

       
    strict = true;


     

       
75

       
75

       
 

       
  };


     

       
76

       
76