  • 6 commits
  • 13 files changed
  • 3 contributors

Commits on Oct 20, 2019

  1. boulder: init at release-2019-10-13

    adisbladis authored and flokli committed Oct 20, 2019
    77a4c15 View commit details
  2. simp_le: 0.9.0 -> 0.16.0

    picnoir authored and flokli committed Oct 20, 2019

    071d181 View commit details

Commits on Oct 23, 2019

  1. pebble: init at 2.2.2

    picnoir committed Oct 23, 2019

    6ac0e34 View commit details
  2. certbot: 0.31.0 -> 0.39.0

    Updating:
    
    - nixos module to use the new `account_reg.json` file.
    - use nixpkgs pebble for integration tests.
    
    Co-authored-by: Florian Klink <flokli@flokli.de>
    
    Replace certbot-embedded pebble
    picnoir committed Oct 23, 2019

    38e8415 View commit details
  3. nixos/tests/letsencrypt: use Pebble instead of Boulder

    Let's Encrypt bumped ACME to v2. We need to update our NixOS test to
    be compatible with this new protocol version.
    
    We decided to drop the Boulder ACME server in favor of the more
    integration test friendly Pebble.
    
    - overriding cacert not necessary
    - this avoids rebuilding lots of packages needlessly
    - nixos/tests/acme: use pebble's ca for client tests
    - pebble always generates its own ca which has to be fetched
    
    TODO: write proper commit msg :)
    picnoir authored and flokli committed Oct 23, 2019

    0c0af28 View commit details

Commits on Oct 24, 2019

  1. Merge pull request #71291 from NinjaTrappeur/nin-update-acme

    simp_le: 0.9.0 -> 0.16.0
    flokli authored Oct 24, 2019

    dc84a7d View commit details
9 changes: 7 additions & 2 deletions nixos/modules/security/acme.nix
@@ -69,9 +69,9 @@ let
plugins = mkOption {
type = types.listOf (types.enum [
"cert.der" "cert.pem" "chain.pem" "external.sh"
"fullchain.pem" "full.pem" "key.der" "key.pem" "account_key.json"
"fullchain.pem" "full.pem" "key.der" "key.pem" "account_key.json" "account_reg.json"
]);
default = [ "fullchain.pem" "full.pem" "key.pem" "account_key.json" ];
default = [ "fullchain.pem" "full.pem" "key.pem" "account_key.json" "account_reg.json" ];
description = ''
Plugins to enable. With default settings simp_le will
store public certificate bundle in <filename>fullchain.pem</filename>,
@@ -203,6 +203,11 @@ in
description = "Renew ACME Certificate for ${cert}";
after = [ "network.target" "network-online.target" ];
wants = [ "network-online.target" ];
# simp_le uses requests, which uses certifi under the hood,
# which doesn't respect the system trust store.
# At least in the acme test, we provision a fake CA, impersonating the LE endpoint.
# REQUESTS_CA_BUNDLE is a way to teach python requests to use something else
environment.REQUESTS_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt";
serviceConfig = {
Type = "oneshot";
SuccessExitStatus = [ "0" "1" ];
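Review bot: The new `environment.REQUESTS_CA_BUNDLE` line hard-codes `/etc/ssl/certs/ca-certificates.crt` in every renewal unit, and the comment above it justifies that only with the test's fake CA, so a reader cannot tell that this path is the NixOS system trust store assembled by `security.pki.*`. Suggest replacing the last two comment lines with: `# /etc/ssl/certs/ca-certificates.crt is the system trust store built by security.pki.*, so CAs added via security.pki.certificateFiles (e.g. the test CA in nixos/tests/common/letsencrypt/common.nix) are honoured; without this, requests/certifi validates against its bundled roots only.` That also makes explicit that the ACME endpoint is trusted on the same basis as every other TLS client on the host, which is the intended behaviour rather than a test-only workaround. In the first hunk, the `plugins` option description (which continues past the hunk) appears to enumerate the default files and should presumably mention the newly defaulted `account_reg.json` as well.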
18 changes: 13 additions & 5 deletions nixos/tests/acme.nix
@@ -80,7 +80,7 @@ in import ./make-test.nix {
client = commonConfig;
};

testScript = {nodes, ...}:
testScript = {nodes, ...}:
let
newServerSystem = nodes.webserver2.config.system.build.toplevel;
switchToNewServer = "${newServerSystem}/bin/switch-to-configuration test";
@@ -91,25 +91,33 @@ in import ./make-test.nix {
# get pulled in by the oneshot units. The target units linger after activation, and hence we
# can use them to probe that a oneshot fired. It is a bit ugly, but it is the best we can do
''
$client->waitForUnit("default.target");
$client->start;
$letsencrypt->start;
$acmeStandalone->start;
$letsencrypt->waitForUnit("default.target");
$letsencrypt->waitForUnit("boulder.service");
$letsencrypt->waitForUnit("pebble.service");
subtest "can request certificate with HTTPS-01 challenge", sub {
$acmeStandalone->waitForUnit("default.target");
$acmeStandalone->succeed("systemctl start acme-standalone.com.service");
$acmeStandalone->waitForUnit("acme-finished-standalone.com.target");
};
$client->waitForUnit("default.target");
$client->succeed('curl https://acme-v02.api.letsencrypt.org:15000/roots/0 > /tmp/ca.crt');
$client->succeed('curl https://acme-v02.api.letsencrypt.org:15000/intermediate-keys/0 >> /tmp/ca.crt');
subtest "Can request certificate for nginx service", sub {
$webserver->waitForUnit("acme-finished-a.example.com.target");
$client->succeed('curl https://a.example.com/ | grep -qF "hello world"');
$client->succeed('curl --cacert /tmp/ca.crt https://a.example.com/ | grep -qF "hello world"');
};
subtest "Can add another certificate for nginx service", sub {
$webserver->succeed("/run/current-system/fine-tune/child-1/bin/switch-to-configuration test");
$webserver->waitForUnit("acme-finished-b.example.com.target");
$client->succeed('curl https://b.example.com/ | grep -qF "hello world"');
$client->succeed('curl --cacert /tmp/ca.crt https://b.example.com/ | grep -qF "hello world"');
};
'';
}
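Review bot: The second new `curl` that builds `/tmp/ca.crt` fetches `/intermediate-keys/0` from pebble's management port, which, if pebble's management API matches its documentation, returns the intermediate's private key rather than its certificate; the certificate endpoint is `/intermediates/0`. The test presumably still passes because the fetched root alone validates the chain pebble serves and the key block is ignored when the `--cacert` bundle is loaded, but the intermediate is never actually pinned and a private key ends up in what is meant to be a trust bundle. Change the line to `$client->succeed('curl https://acme-v02.api.letsencrypt.org:15000/intermediates/0 >> /tmp/ca.crt');` and add above the pair `# pebble generates a fresh CA on every start, so its trust anchors must be fetched at runtime; the fetch itself is validated against the system store populated by common.nix`. testScript begins in the previous hunk.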
@@ -0,0 +1,25 @@
From c3b4004386074342d22cab5e129c1f7e623f4272 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?F=C3=A9lix=20Baylac-Jacqu=C3=A9?= <felix@alternativebit.fr>
Date: Mon, 21 Oct 2019 10:56:13 +0200
Subject: [PATCH] Change ACME directory endpoint to /directory

---
wfe/wfe.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/wfe/wfe.go b/wfe/wfe.go
index e24797f..10d29fb 100644
--- a/wfe/wfe.go
+++ b/wfe/wfe.go
@@ -39,7 +39,7 @@ const (
// Note: We deliberately pick endpoint paths that differ from Boulder to
// exercise clients processing of the /directory response
// We export the DirectoryPath so that the pebble binary can reference it
- DirectoryPath = "/dir"
+ DirectoryPath = "/directory"
noncePath = "/nonce-plz"
newAccountPath = "/sign-me-up"
acctPath = "/my-account/"
--
2.23.0
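Review bot: The patch changes `DirectoryPath` to `/directory` but leaves the comment immediately above it claiming the endpoint paths deliberately differ from Boulder to exercise clients' handling of the directory response, so that comment is now wrong for the one path it was written about. The patch should also rewrite that comment, e.g. `// DirectoryPath is /directory so clients that assume the production Let's Encrypt layout can be pointed at this server; the remaining paths still deliberately differ from Boulder.` The patch Subject and body should state why the upstream choice is overridden (presumably because the test impersonates acme-v02.api.letsencrypt.org and the clients under test expect `/directory` there), since nothing in the patch header records the motivation for future rebases.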

26 changes: 4 additions & 22 deletions nixos/tests/common/letsencrypt/common.nix
@@ -1,27 +1,9 @@
{ lib, nodes, ... }: {
{ lib, nodes, pkgs, ... }: let
letsencrypt-ca = nodes.letsencrypt.config.test-support.letsencrypt.caCert;
in {
networking.nameservers = [
nodes.letsencrypt.config.networking.primaryIPAddress
];

nixpkgs.overlays = lib.singleton (self: super: {
cacert = super.cacert.overrideDerivation (drv: {
installPhase = (drv.installPhase or "") + ''
cat "${nodes.letsencrypt.config.test-support.letsencrypt.caCert}" \
>> "$out/etc/ssl/certs/ca-bundle.crt"
'';
});

# Override certifi so that it accepts fake certificate for Let's Encrypt
# Need to override the attribute used by simp_le, which is python3Packages
python3Packages = (super.python3.override {
packageOverrides = lib.const (pysuper: {
certifi = pysuper.certifi.overridePythonAttrs (attrs: {
postPatch = (attrs.postPatch or "") + ''
cat "${self.cacert}/etc/ssl/certs/ca-bundle.crt" \
> certifi/cacert.pem
'';
});
});
}).pkgs;
});
security.pki.certificateFiles = [ letsencrypt-ca ];
}
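Review bot: Both `lib` and `pkgs` in the new argument set `{ lib, nodes, pkgs, ... }:` are unused now that the overlay block has been deleted; the resulting nine-line file references only `nodes`, so the header can be `{ nodes, ... }: let`. Moving the fake CA from rebuilt `cacert`/`certifi` packages to `security.pki.certificateFiles` is the right system-wide mechanism, but it deserves a comment because it makes the test CA trusted by every TLS client on the node and is what the acme module's `REQUESTS_CA_BUNDLE` setting relies on: `# Trust the test CA system-wide; the acme module points python requests at this store via REQUESTS_CA_BUNDLE.` A one-line comment on `letsencrypt-ca` saying it is taken from the letsencrypt node's own config (rather than a fixed file) so client and server always agree on the CA would round out the file.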