base repository: NixOS/nixpkgs
base: ef1598a6a11a
head repository: NixOS/nixpkgs
compare: 6aab37bf930c
  • 5 commits
  • 12 files changed
  • 2 contributors

Commits on Oct 24, 2019

  1. simp_le: 0.9.0 -> 0.16.0

    (cherry picked from commit 071d181)
    picnoir committed Oct 24, 2019
    71ef17b View commit details
  2. pebble: init at 2.2.2

    (cherry picked from commit 6ac0e34)
    picnoir committed Oct 24, 2019
    305030f View commit details
  3. certbot: 0.31.0 -> 0.39.0

    Updating:
    
    - nixos module to use the new `account_reg.json` file.
    - use nixpkgs pebble for integration tests.
    
    Co-authored-by: Florian Klink <flokli@flokli.de>
    
    Replace certbot-embedded pebble
    
    (cherry picked from commit 38e8415)
    picnoir committed Oct 24, 2019
    353333e View commit details
  4. nixos/tests/letsencrypt: use Pebble instead of Boulder

    Let's encrypt bumped ACME to V2. We need to update our nixos test to
    be compatible with this new protocol version.
    
    We decided to drop the Boulder ACME server in favor of the more
    integration test friendly Pebble.
    
    - overriding cacert not necessary
    - this avoids rebuilding lots of packages needlessly
    - nixos/tests/acme: use pebble's ca for client tests
    - pebble always generates its own ca which has to be fetched
    
    (cherry picked from commit 0c0af28)
    picnoir committed Oct 24, 2019
    f4b14ce View commit details

Commits on Oct 25, 2019

  1. Merge pull request #71953 from NinjaTrappeur/nin-backport-acme

    Backporting ACME v2 fix (#71291) to 19.09
    flokli authored Oct 25, 2019
    6aab37b View commit details
9 changes: 7 additions & 2 deletions nixos/modules/security/acme.nix
@@ -69,9 +69,9 @@ let
plugins = mkOption {
type = types.listOf (types.enum [
"cert.der" "cert.pem" "chain.pem" "external.sh"
"fullchain.pem" "full.pem" "key.der" "key.pem" "account_key.json"
"fullchain.pem" "full.pem" "key.der" "key.pem" "account_key.json" "account_reg.json"
]);
default = [ "fullchain.pem" "full.pem" "key.pem" "account_key.json" ];
default = [ "fullchain.pem" "full.pem" "key.pem" "account_key.json" "account_reg.json" ];
description = ''
Plugins to enable. With default settings simp_le will
store public certificate bundle in <filename>fullchain.pem</filename>,
@@ -203,6 +203,11 @@ in
description = "Renew ACME Certificate for ${cert}";
after = [ "network.target" "network-online.target" ];
wants = [ "network-online.target" ];
# simp_le uses requests, which uses certifi under the hood,
# which doesn't respect the system trust store.
# At least in the acme test, we provision a fake CA, impersonating the LE endpoint.
# REQUESTS_CA_BUNDLE is a way to teach python requests to use something else
environment.REQUESTS_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt";
serviceConfig = {
Type = "oneshot";
SuccessExitStatus = [ "0" "1" ];
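Review bot: The `environment.REQUESTS_CA_BUNDLE` line applies to every deployment of this module, not only the acme test, but the comment above it reads as if the fake-CA case were the point ("At least in the acme test"). It is worth stating the production consequence so operators see the trust boundary: simp_le now validates the ACME endpoint against the system store, so any CA added through `security.pki.certificateFiles` is also trusted for ACME. Suggested wording for the last two comment lines: `# Point requests at the system trust store instead, so the ACME endpoint is validated` / `# against security.pki (this is also what lets the acme test substitute its own CA).` The new `account_reg.json` entry in the default of the first hunk changes behaviour for hosts upgrading from simp_le 0.9.0 and for users who copied the old default list into `plugins`; presumably simp_le re-registers when that file is missing, which a 19.09 backport should mention in the release notes. The systemd service definition this hunk edits continues outside the hunk.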
18 changes: 13 additions & 5 deletions nixos/tests/acme.nix
@@ -80,7 +80,7 @@ in import ./make-test.nix {
client = commonConfig;
};

testScript = {nodes, ...}:
testScript = {nodes, ...}:
let
newServerSystem = nodes.webserver2.config.system.build.toplevel;
switchToNewServer = "${newServerSystem}/bin/switch-to-configuration test";
@@ -91,25 +91,33 @@ in import ./make-test.nix {
# get pulled in by the oneshot units. The target units linger after activation, and hence we
# can use them to probe that a oneshot fired. It is a bit ugly, but it is the best we can do
''
$client->waitForUnit("default.target");
$client->start;
$letsencrypt->start;
$acmeStandalone->start;
$letsencrypt->waitForUnit("default.target");
$letsencrypt->waitForUnit("boulder.service");
$letsencrypt->waitForUnit("pebble.service");
subtest "can request certificate with HTTPS-01 challenge", sub {
$acmeStandalone->waitForUnit("default.target");
$acmeStandalone->succeed("systemctl start acme-standalone.com.service");
$acmeStandalone->waitForUnit("acme-finished-standalone.com.target");
};
$client->waitForUnit("default.target");
$client->succeed('curl https://acme-v02.api.letsencrypt.org:15000/roots/0 > /tmp/ca.crt');
$client->succeed('curl https://acme-v02.api.letsencrypt.org:15000/intermediate-keys/0 >> /tmp/ca.crt');
subtest "Can request certificate for nginx service", sub {
$webserver->waitForUnit("acme-finished-a.example.com.target");
$client->succeed('curl https://a.example.com/ | grep -qF "hello world"');
$client->succeed('curl --cacert /tmp/ca.crt https://a.example.com/ | grep -qF "hello world"');
};
subtest "Can add another certificate for nginx service", sub {
$webserver->succeed("/run/current-system/fine-tune/child-1/bin/switch-to-configuration test");
$webserver->waitForUnit("acme-finished-b.example.com.target");
$client->succeed('curl https://b.example.com/ | grep -qF "hello world"');
$client->succeed('curl --cacert /tmp/ca.crt https://b.example.com/ | grep -qF "hello world"');
};
'';
}
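Review bot: The second new `curl` fetches `/intermediate-keys/0` and appends it to `/tmp/ca.crt`; if pebble's management API follows the naming of the `/roots/0` endpoint used on the line before, that path returns the intermediate's private key rather than its certificate, so the bundle handed to `--cacert` works only because the PEM loader skips the key block. The intended resource is presumably the intermediate certificate (`/intermediates/0` in pebble) — confirm against the pebble version packaged in the `pebble: init at 2.2.2` commit. Both fetches also lack `--fail`, so an HTTP error page would be written into the bundle and surface later only as an opaque verification failure in the nginx subtests; `curl --fail https://acme-v02.api.letsencrypt.org:15000/roots/0 > /tmp/ca.crt` (and likewise for the intermediate) fails fast at the right place. The `testScript` string this hunk edits begins in the preceding hunk, outside this one.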
@@ -0,0 +1,25 @@
From c3b4004386074342d22cab5e129c1f7e623f4272 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?F=C3=A9lix=20Baylac-Jacqu=C3=A9?= <felix@alternativebit.fr>
Date: Mon, 21 Oct 2019 10:56:13 +0200
Subject: [PATCH] Change ACME directory endpoint to /directory

---
wfe/wfe.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/wfe/wfe.go b/wfe/wfe.go
index e24797f..10d29fb 100644
--- a/wfe/wfe.go
+++ b/wfe/wfe.go
@@ -39,7 +39,7 @@ const (
// Note: We deliberately pick endpoint paths that differ from Boulder to
// exercise clients processing of the /directory response
// We export the DirectoryPath so that the pebble binary can reference it
- DirectoryPath = "/dir"
+ DirectoryPath = "/directory"
noncePath = "/nonce-plz"
newAccountPath = "/sign-me-up"
acctPath = "/my-account/"
--
2.23.0

26 changes: 4 additions & 22 deletions nixos/tests/common/letsencrypt/common.nix
@@ -1,27 +1,9 @@
{ lib, nodes, ... }: {
{ lib, nodes, pkgs, ... }: let
letsencrypt-ca = nodes.letsencrypt.config.test-support.letsencrypt.caCert;
in {
networking.nameservers = [
nodes.letsencrypt.config.networking.primaryIPAddress
];

nixpkgs.overlays = lib.singleton (self: super: {
cacert = super.cacert.overrideDerivation (drv: {
installPhase = (drv.installPhase or "") + ''
cat "${nodes.letsencrypt.config.test-support.letsencrypt.caCert}" \
>> "$out/etc/ssl/certs/ca-bundle.crt"
'';
});

# Override certifi so that it accepts fake certificate for Let's Encrypt
# Need to override the attribute used by simp_le, which is python3Packages
python3Packages = (super.python3.override {
packageOverrides = lib.const (pysuper: {
certifi = pysuper.certifi.overridePythonAttrs (attrs: {
postPatch = (attrs.postPatch or "") + ''
cat "${self.cacert}/etc/ssl/certs/ca-bundle.crt" \
> certifi/cacert.pem
'';
});
});
}).pkgs;
});
security.pki.certificateFiles = [ letsencrypt-ca ];
}
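Review bot: `pkgs` is added to the module's argument set on the first new line but none of the remaining new lines use it, so it should be dropped again (or the use that needs it belongs in this hunk). The new `letsencrypt-ca` binding and the `security.pki.certificateFiles` line replace a commented overlay with no comment of their own; since this trusts the test ACME server's CA system-wide on every node that imports `common.nix`, a short note above the `security.pki.certificateFiles` line would help, e.g. `# Trust the test ACME CA system-wide; the acme module reads the system store via REQUESTS_CA_BUNDLE`. That system-store reliance is also what the `environment.REQUESTS_CA_BUNDLE` change in `nixos/modules/security/acme.nix` depends on, so the two should be kept in sync.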