Merge pull request #72007 from NinjaTrappeur/nin-acme-custom-dir-uri
nixos/acme: Custom ACME endpoint
This commit is contained in:
Florian Klink
GitHub
commit
992035cff0
4 changed files with 37 additions and 53 deletions
|
|
@ -20,6 +20,16 @@ let
|
|||
'';
|
||||
};
|
||||
|
||||
server = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
description = ''
|
||||
ACME Directory Resource URI. Defaults to let's encrypt
|
||||
production endpoint,
|
||||
https://acme-v02.api.letsencrypt.org/directory, if unset.
|
||||
'';
|
||||
};
|
||||
|
||||
domain = mkOption {
|
||||
type = types.str;
|
||||
default = name;
|
||||
|
|
@ -109,7 +119,15 @@ in
|
|||
{
|
||||
|
||||
###### interface
|
||||
imports = [
|
||||
(mkRemovedOptionModule [ "security" "acme" "production" ] ''
|
||||
Use security.acme.server to define your staging ACME server URL instead.
|
||||
|
||||
To use the let's encrypt staging server, use security.acme.server =
|
||||
"https://acme-staging-v02.api.letsencrypt.org/directory".
|
||||
''
|
||||
)
|
||||
];
|
||||
options = {
|
||||
security.acme = {
|
||||
|
||||
|
|
@ -129,6 +147,16 @@ in
|
|||
'';
|
||||
};
|
||||
|
||||
server = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
description = ''
|
||||
ACME Directory Resource URI. Defaults to let's encrypt
|
||||
production endpoint,
|
||||
<literal>https://acme-v02.api.letsencrypt.org/directory</literal>, if unset.
|
||||
'';
|
||||
};
|
||||
|
||||
preliminarySelfsigned = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
|
|
@ -142,20 +170,6 @@ in
|
|||
'';
|
||||
};
|
||||
|
||||
production = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = ''
|
||||
If set to true, use Let's Encrypt's production environment
|
||||
instead of the staging environment. The main benefit of the
|
||||
staging environment is to get much higher rate limits.
|
||||
|
||||
See
|
||||
<literal>https://letsencrypt.org/docs/staging-environment</literal>
|
||||
for more detail.
|
||||
'';
|
||||
};
|
||||
|
||||
certs = mkOption {
|
||||
default = { };
|
||||
type = with types; attrsOf (submodule certOpts);
|
||||
|
|
@ -198,7 +212,7 @@ in
|
|||
++ optionals (data.email != null) [ "--email" data.email ]
|
||||
++ concatMap (p: [ "-f" p ]) data.plugins
|
||||
++ concatLists (mapAttrsToList (name: root: [ "-d" (if root == null then name else "${name}:${root}")]) data.extraDomains)
|
||||
++ optionals (!cfg.production) ["--server" "https://acme-staging-v02.api.letsencrypt.org/directory"];
|
||||
++ optionals (cfg.server != null || data.server != null) ["--server" (if data.server == null then cfg.server else data.server)];
|
||||
acmeService = {
|
||||
description = "Renew ACME Certificate for ${cert}";
|
||||
after = [ "network.target" "network-online.target" ];
|
||||
|
|
|
|||
|
|
@ -12,8 +12,11 @@ in import ./make-test.nix {
|
|||
networking.extraHosts = ''
|
||||
${config.networking.primaryIPAddress} standalone.com
|
||||
'';
|
||||
security.acme.certs."standalone.com" = {
|
||||
webroot = "/var/lib/acme/acme-challenges";
|
||||
security.acme = {
|
||||
server = "https://acme-v02.api.letsencrypt.org/dir";
|
||||
certs."standalone.com" = {
|
||||
webroot = "/var/lib/acme/acme-challenges";
|
||||
};
|
||||
};
|
||||
systemd.targets."acme-finished-standalone.com" = {};
|
||||
systemd.services."acme-standalone.com" = {
|
||||
|
|
@ -54,6 +57,8 @@ in import ./make-test.nix {
|
|||
'';
|
||||
};
|
||||
|
||||
security.acme.server = "https://acme-v02.api.letsencrypt.org/dir";
|
||||
|
||||
nesting.clone = [
|
||||
({pkgs, ...}: {
|
||||
|
||||
|
|
|
|||
|
|
@ -1,25 +0,0 @@
|
|||
From c3b4004386074342d22cab5e129c1f7e623f4272 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?F=C3=A9lix=20Baylac-Jacqu=C3=A9?= <felix@alternativebit.fr>
|
||||
Date: Mon, 21 Oct 2019 10:56:13 +0200
|
||||
Subject: [PATCH] Change ACME directory endpoint to /directory
|
||||
|
||||
---
|
||||
wfe/wfe.go | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/wfe/wfe.go b/wfe/wfe.go
|
||||
index e24797f..10d29fb 100644
|
||||
--- a/wfe/wfe.go
|
||||
+++ b/wfe/wfe.go
|
||||
@@ -39,7 +39,7 @@ const (
|
||||
// Note: We deliberately pick endpoint paths that differ from Boulder to
|
||||
// exercise clients processing of the /directory response
|
||||
// We export the DirectoryPath so that the pebble binary can reference it
|
||||
- DirectoryPath = "/dir"
|
||||
+ DirectoryPath = "/directory"
|
||||
noncePath = "/nonce-plz"
|
||||
newAccountPath = "/sign-me-up"
|
||||
acctPath = "/my-account/"
|
||||
--
|
||||
2.23.0
|
||||
|
||||
|
|
@ -62,17 +62,7 @@ let
|
|||
siteDomain = "letsencrypt.org";
|
||||
siteCertFile = snakeOilCerts.${siteDomain}.cert;
|
||||
siteKeyFile = snakeOilCerts.${siteDomain}.key;
|
||||
pebble = pkgs.pebble.overrideAttrs (attrs: {
|
||||
# The pebble directory endpoint is /dir when the bouder (official
|
||||
# ACME server) is /directory. Sadly, this endpoint is hardcoded,
|
||||
# we have to patch it.
|
||||
#
|
||||
# Tried to upstream, that said upstream maintainers rather keep
|
||||
# this custom endpoint to test ACME clients robustness. See
|
||||
# https://github.com/letsencrypt/pebble/issues/283#issuecomment-545123242
|
||||
patches = [ ./0001-Change-ACME-directory-endpoint-to-directory.patch ];
|
||||
});
|
||||
|
||||
pebble = pkgs.pebble;
|
||||
resolver = let
|
||||
message = "You need to define a resolver for the letsencrypt test module.";
|
||||
firstNS = lib.head config.networking.nameservers;
|
||||
|
|
|
|||
Loading…
Reference in a new issue