commit e0e241c2199b4e536ea5450f3b0bf9285cc087a2 · pyrox.dev/nixpkgs

+10 -4

nixos/modules/security/acme.nix

···

       24
       24
        
             Type = "oneshot";

     

       25
       25
        
             User = "acme";

     

       26
       26
        
             Group = mkDefault "acme";

     

       27
       27
       -
             UMask = 0023;

     

       27
       27
       +
             UMask = 0022;

     

       28
       28
        
             StateDirectoryMode = 750;

     

       29
       29
        
             ProtectSystem = "full";

     

       30
       30
        
             PrivateTmp = true;

     
···

       303
       303
        
               }

     

       304
       304
        
       

     

       305
       305
        
               ${optionalString (data.webroot != null) ''

     

       306
       306
       -
                 # Ensure the webroot exists

     

       307
       307
       -
                 mkdir -p '${data.webroot}/.well-known/acme-challenge'

     

       308
       308
       -
                 chown 'acme:${data.group}' ${data.webroot}/{.well-known,.well-known/acme-challenge}

     

       306
       306
       +
                 # Ensure the webroot exists. Fixing group is required in case configuration was changed between runs.

     

       307
       307
       +
                 # Lego will fail if the webroot does not exist at all.

     

       308
       308
       +
                 (

     

       309
       309
       +
                   mkdir -p '${data.webroot}/.well-known/acme-challenge' \

     

       310
       310
       +
                   && chgrp '${data.group}' ${data.webroot}/.well-known/acme-challenge

     

       311
       311
       +
                 ) || (

     

       312
       312
       +
                   echo 'Please ensure ${data.webroot}/.well-known/acme-challenge exists and is writable by acme:${data.group}' \

     

       313
       313
       +
                   && exit 1

     

       314
       314
       +
                 )

     

       309
       315
        
               ''}

     

       310
       316
        
       

     

       311
       317
        
               echo '${domainHash}' > domainhash.txt

+44 -10

nixos/tests/acme.nix

···

       253
       253
        
       

     

       254
       254
        
       

     

       255
       255
        
             def check_connection(node, domain, retries=3):

     

       256
       256
       -
                 assert retries >= 0

     

       256
       256
       +
                 assert retries >= 0, f"Failed to connect to https://{domain}"

     

       257
       257
        
       

     

       258
       258
        
                 result = node.succeed(

     

       259
       259
        
                     "openssl s_client -brief -verify 2 -CAfile /tmp/ca.crt"

     
···

       262
       262
        
       

     

       263
       263
        
                 for line in result.lower().split("\n"):

     

       264
       264
        
                     if "verification" in line and "error" in line:

     

       265
       265
       -
                         time.sleep(1)

     

       265
       265
       +
                         time.sleep(3)

     

       266
       266
        
                         return check_connection(node, domain, retries - 1)

     

       267
       267
        
       

     

       268
       268
        
       

     

       269
       269
        
             def check_connection_key_bits(node, domain, bits, retries=3):

     

       270
       270
       -
                 assert retries >= 0

     

       270
       270
       +
                 assert retries >= 0, f"Did not find expected number of bits ({bits}) in key"

     

       271
       271
        
       

     

       272
       272
        
                 result = node.succeed(

     

       273
       273
        
                     "openssl s_client -CAfile /tmp/ca.crt"

     
···

       277
       277
        
                 print("Key type:", result)

     

       278
       278
        
       

     

       279
       279
        
                 if bits not in result:

     

       280
       280
       -
                     time.sleep(1)

     

       280
       280
       +
                     time.sleep(3)

     

       281
       281
        
                     return check_connection_key_bits(node, domain, bits, retries - 1)

     

       282
       282
        
       

     

       283
       283
        
       

     

       284
       284
        
             def check_stapling(node, domain, retries=3):

     

       285
       285
       -
                 assert retries >= 0

     

       285
       285
       +
                 assert retries >= 0, "OCSP Stapling check failed"

     

       286
       286
        
       

     

       287
       287
        
                 # Pebble doesn't provide a full OCSP responder, so just check the URL

     

       288
       288
        
                 result = node.succeed(

     
···

       293
       293
        
                 print("OCSP Responder URL:", result)

     

       294
       294
        
       

     

       295
       295
        
                 if "${caDomain}:4002" not in result.lower():

     

       296
       296
       -
                     time.sleep(1)

     

       296
       296
       +
                     time.sleep(3)

     

       297
       297
        
                     return check_stapling(node, domain, retries - 1)

     

       298
       298
        
       

     

       299
       299
        
       

     

       300
       300
       +
             def download_ca_certs(node, retries=5):

     

       301
       301
       +
                 assert retries >= 0, "Failed to connect to pebble to download root CA certs"

     

       302
       302
       +
       

     

       303
       303
       +
                 exit_code, _ = node.execute("curl https://${caDomain}:15000/roots/0 > /tmp/ca.crt")

     

       304
       304
       +
                 exit_code_2, _ = node.execute(

     

       305
       305
       +
                     "curl https://${caDomain}:15000/intermediate-keys/0 >> /tmp/ca.crt"

     

       306
       306
       +
                 )

     

       307
       307
       +
       

     

       308
       308
       +
                 if exit_code + exit_code_2 > 0:

     

       309
       309
       +
                     time.sleep(3)

     

       310
       310
       +
                     return download_ca_certs(node, retries - 1)

     

       311
       311
       +
       

     

       312
       312
       +
       

     

       300
       313
        
             client.start()

     

       301
       314
        
             dnsserver.start()

     

       302
       315
        
       

     
···

       313
       326
        
             acme.wait_for_unit("network-online.target")

     

       314
       327
        
             acme.wait_for_unit("pebble.service")

     

       315
       328
        
       

     

       316
       316
       -
             client.succeed("curl https://${caDomain}:15000/roots/0 > /tmp/ca.crt")

     

       317
       317
       -
             client.succeed("curl https://${caDomain}:15000/intermediate-keys/0 >> /tmp/ca.crt")

     

       329
       329
       +
             download_ca_certs(client)

     

       318
       330
        
       

     

       319
       331
        
             with subtest("Can request certificate with HTTPS-01 challenge"):

     

       320
       332
        
                 webserver.wait_for_unit("acme-finished-a.example.test.target")

     

       321
       333
        
                 check_fullchain(webserver, "a.example.test")

     

       322
       334
        
                 check_issuer(webserver, "a.example.test", "pebble")

     

       323
       335
        
                 check_connection(client, "a.example.test")

     

       336
       336
       +
       

     

       337
       337
       +
             with subtest("Certificates and accounts have safe + valid permissions"):

     

       338
       338
       +
                 group = "${nodes.webserver.config.security.acme.certs."a.example.test".group}"

     

       339
       339
       +
                 webserver.succeed(

     

       340
       340
       +
                     f"test $(stat -L -c \"%a %U %G\" /var/lib/acme/a.example.test/* | tee /dev/stderr | grep '640 acme {group}' | wc -l) -eq 5"

     

       341
       341
       +
                 )

     

       342
       342
       +
                 webserver.succeed(

     

       343
       343
       +
                     f"test $(stat -L -c \"%a %U %G\" /var/lib/acme/.lego/a.example.test/**/* | tee /dev/stderr | grep '640 acme {group}' | wc -l) -eq 5"

     

       344
       344
       +
                 )

     

       345
       345
       +
                 webserver.succeed(

     

       346
       346
       +
                     f"test $(stat -L -c \"%a %U %G\" /var/lib/acme/a.example.test | tee /dev/stderr | grep '750 acme {group}' | wc -l) -eq 1"

     

       347
       347
       +
                 )

     

       348
       348
       +
                 webserver.succeed(

     

       349
       349
       +
                     f"test $(find /var/lib/acme/accounts -type f -exec stat -L -c \"%a %U %G\" {{}} \\; | tee /dev/stderr | grep -v '600 acme {group}' | wc -l) -eq 0"

     

       350
       350
       +
                 )

     

       324
       351
        
       

     

       325
       352
        
             with subtest("Can generate valid selfsigned certs"):

     

       326
       353
        
                 webserver.succeed("systemctl clean acme-a.example.test.service --what=state")

     
···

       375
       402
        
                 assert keyhash_old == keyhash_new

     

       376
       403
        
       

     

       377
       404
        
             with subtest("Can request certificates for vhost + aliases (apache-httpd)"):

     

       378
       378
       -
                 switch_to(webserver, "httpd-aliases")

     

       379
       379
       -
                 webserver.wait_for_unit("acme-finished-c.example.test.target")

     

       405
       405
       +
                 try:

     

       406
       406
       +
                     switch_to(webserver, "httpd-aliases")

     

       407
       407
       +
                     webserver.wait_for_unit("acme-finished-c.example.test.target")

     

       408
       408
       +
                 except Exception as err:

     

       409
       409
       +
                     _, output = webserver.execute(

     

       410
       410
       +
                         "cat /var/log/httpd/*.log && ls -al /var/lib/acme/acme-challenge"

     

       411
       411
       +
                     )

     

       412
       412
       +
                     print(output)

     

       413
       413
       +
                     raise err

     

       380
       414
        
                 check_issuer(webserver, "c.example.test", "pebble")

     

       381
       415
        
                 check_connection(client, "c.example.test")

     

       382
       416
        
                 check_connection(client, "d.example.test")