pyrox.dev / nixpkgs
lol
fork atom

nixos/acme: Check for revoked certificates

Closes #129838

It is possible for the CA to revoke a cert that has not yet
expired. We must run lego to validate this before expiration,
but we must still ignore failures on unexpired certs to retain
compatibility with #85794

Also changed domainHash logic such that a renewal will only
be attempted at all if domains are unchanged, and do a full
run otherwises. Resolves #147540 but will be partially
reverted when go-acme/lego#1532 is resolved + available.

Lucas Savva a7f00013 87403a0b

options
unified split
Changed files
+32 -15
nixos
modules
security
acme.nix
tests
acme.nix
+11 -14
nixos/modules/security/acme.nix 
···

       
156

       
156

       
 

       
      ${toString data.ocspMustStaple} ${data.keyType}


     

       
157

       
157

       
 

       
    '';


     

       
158

       
158

       
 

       
    certDir = mkHash hashData;


     

       

       
159

       
+

       
    # TODO remove domainHash usage entirely. Waiting on go-acme/lego#1532


     

       
159

       
160

       
 

       
    domainHash = mkHash "${concatStringsSep " " extraDomains} ${data.domain}";


     

       
160

       
161

       
 

       
    accountHash = (mkAccountHash acmeServer data);


     

       
161

       
162

       
 

       
    accountDir = accountDirRoot + accountHash;


     
···

       
372

       
373

       
 

       



     

       
373

       
374

       
 

       
        echo '${domainHash}' > domainhash.txt


     

       
374

       
375

       
 

       



     

       
375

       

       
-

       
        # Check if we can renew


     

       
376

       

       
-

       
        if [ -e 'certificates/${keyName}.key' -a -e 'certificates/${keyName}.crt' -a -n "$(ls -1 accounts)" ]; then


     

       

       
376

       
+

       
        # Check if we can renew.


     

       

       
377

       
+

       
        # We can only renew if the list of domains has not changed.


     

       

       
378

       
+

       
        if cmp -s domainhash.txt certificates/domainhash.txt && [ -e 'certificates/${keyName}.key' -a -e 'certificates/${keyName}.crt' -a -n "$(ls -1 accounts)" ]; then


     

       
377

       
379

       
 

       



     

       
378

       

       
-

       
          # When domains are updated, there's no need to do a full


     

       
379

       

       
-

       
          # Lego run, but it's likely renew won't work if days is too low.


     

       
380

       

       
-

       
          if [ -e certificates/domainhash.txt ] && cmp -s domainhash.txt certificates/domainhash.txt; then


     

       

       
380

       
+

       
          # Even if a cert is not expired, it may be revoked by the CA.


     

       

       
381

       
+

       
          # Try to renew, and silently fail if the cert is not expired.


     

       

       
382

       
+

       
          # Avoids #85794 and resolves #129838


     

       

       
383

       
+

       
          if ! lego ${renewOpts} --days ${toString cfg.validMinDays}; then


     

       
381

       
384

       
 

       
            if is_expiration_skippable out/full.pem; then


     

       
382

       

       
-

       
              echo 1>&2 "nixos-acme: skipping renewal because expiration isn't within the coming ${toString cfg.validMinDays} days"


     

       

       
385

       
+

       
              echo 1>&2 "nixos-acme: Ignoring failed renewal because expiration isn't within the coming ${toString cfg.validMinDays} days"


     

       
383

       
386

       
 

       
            else


     

       
384

       

       
-

       
              echo 1>&2 "nixos-acme: renewing now, because certificate expires within the configured ${toString cfg.validMinDays} days"


     

       
385

       

       
-

       
              lego ${renewOpts} --days ${toString cfg.validMinDays}


     

       

       
387

       
+

       
              exit 3


     

       
386

       
388

       
 

       
            fi


     

       
387

       

       
-

       
          else


     

       
388

       

       
-

       
            echo 1>&2 "certificate domain(s) have changed; will renew now"


     

       
389

       

       
-

       
            # Any number > 90 works, but this one is over 9000 ;-)


     

       
390

       

       
-

       
            lego ${renewOpts} --days 9001


     

       
391

       
389

       
 

       
          fi


     

       
392

       
390

       
 

       



     

       
393

       
391

       
 

       
        # Otherwise do a full run


     
···

       
406

       
404

       
 

       
        chown 'acme:${data.group}' certificates/*


     

       
407

       
405

       
 

       



     

       
408

       
406

       
 

       
        # Copy all certs to the "real" certs directory


     

       
409

       

       
-

       
        CERT='certificates/${keyName}.crt'


     

       
410

       

       
-

       
        if [ -e "$CERT" ] && ! cmp -s "$CERT" out/fullchain.pem; then


     

       

       
407

       
+

       
        if ! cmp -s 'certificates/${keyName}.crt' out/fullchain.pem; then


     

       
411

       
408

       
 

       
          touch out/renewed


     

       
412

       
409

       
 

       
          echo Installing new certificate


     

       
413

       
410

       
 

       
          cp -vp 'certificates/${keyName}.crt' out/fullchain.pem
+21 -1
nixos/tests/acme.nix 
···

       
113

       
113

       
 

       



     

       
114

       
114

       
 

       
      # Now adding an alias to ensure that the certs are updated


     

       
115

       
115

       
 

       
      specialisation.nginx-aliases.configuration = { pkgs, ... }: {


     

       
116

       

       
-

       
        services.nginx.virtualHosts."a.example.test" = {


     

       

       
116

       
+

       
        services.nginx.virtualHosts."a.example.test" = (vhostBase pkgs) // {


     

       
117

       
117

       
 

       
          serverAliases = [ "b.example.test" ];


     

       

       
118

       
+

       
        };


     

       

       
119

       
+

       
      };


     

       

       
120

       
+

       



     

       

       
121

       
+

       
      # Must be run after nginx-aliases


     

       

       
122

       
+

       
      specialisation.remove-extra-domain.configuration = { pkgs, ... } : {


     

       

       
123

       
+

       
        # This also validates that useACMEHost doesn't unexpectedly add the domain.


     

       

       
124

       
+

       
        services.nginx.virtualHosts."b.example.test" = (vhostBase pkgs) // {


     

       

       
125

       
+

       
          useACMEHost = "a.example.test";


     

       
118

       
126

       
 

       
        };


     

       
119

       
127

       
 

       
      };


     

       
120

       
128

       
 

       



     
···

       
407

       
415

       
 

       
          check_issuer(webserver, "a.example.test", "pebble")


     

       
408

       
416

       
 

       
          check_connection(client, "a.example.test")


     

       
409

       
417

       
 

       
          check_connection(client, "b.example.test")


     

       

       
418

       
+

       



     

       

       
419

       
+

       
      with subtest("Can remove extra domains from a cert"):


     

       

       
420

       
+

       
          switch_to(webserver, "remove-extra-domain")


     

       

       
421

       
+

       
          webserver.wait_for_unit("acme-finished-a.example.test.target")


     

       

       
422

       
+

       
          webserver.wait_for_unit("nginx.service")


     

       

       
423

       
+

       
          check_connection(client, "a.example.test")


     

       

       
424

       
+

       
          rc, _ = client.execute(


     

       

       
425

       
+

       
              "openssl s_client -CAfile /tmp/ca.crt -connect b.example.test:443"


     

       

       
426

       
+

       
              " </dev/null 2>/dev/null | openssl x509 -noout -text"


     

       

       
427

       
+

       
              " | grep DNS: | grep b.example.test"


     

       

       
428

       
+

       
          )


     

       

       
429

       
+

       
          assert rc > 0, "Removed extraDomainName was not removed from the cert"


     

       
410

       
430

       
 

       



     

       
411

       
431

       
 

       
      with subtest("Can request certificates for vhost + aliases (apache-httpd)"):


     

       
412

       
432

       
 

       
          try: