Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[20.03] ACME test cleanups #85584

Merged
merged 6 commits into from Apr 19, 2020
Merged

[20.03] ACME test cleanups #85584

merged 6 commits into from Apr 19, 2020

Conversation

emilazy
Copy link
Member

@emilazy emilazy commented Apr 19, 2020

Motivation for this change

Backport of #85503, with nestingspecialisation changes reverted.

cc @flokli

@GrahamcOfBorg test acme

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@emilazy
pebble: v2.2.2 -> v2.3.0
e1c41b8 
Also add myself to maintainers and correct meta.homepage.

(cherry picked from commit 6285d5e)
@emilazy
nixos/tests/common/acme: enable Pebble strict mode
b0d26e9 
This lets us get early warning about any bugs or backwards-compatibility
hazards in lego.

Pebble will default to this in the future, but doesn't currently;
see https://github.com/letsencrypt/pebble/blob/v2.3.0/README.md#strict-mode.

(cherry picked from commit e6d5e83)
@emilazy
nixos/tests/acme: don't restrict to x86_64
8283094 
This was added in aade4e5, but the
implementation of the ACME module has been entirely rewritten since
then, and the test seems to run fine on AArch64.

(cherry picked from commit 352e30d)
@emilazy
nixos/tests/acme: use *.test domains
2b8100d 
Shimming out the Let's Encrypt domain name to reuse client configuration
doesn't work properly (Pebble uses different endpoint URL formats), is
recommended against by upstream,[1] and is unnecessary now that the ACME
module supports specifying an ACME server. This commit changes the tests
to use the domain name acme.test instead, and renames the letsencrypt
node to acme to reflect that it has nothing to do with the ACME server
that Let's Encrypt runs. The imports are renamed for clarity:

* nixos/tests/common/{letsencrypt => acme}/{common.nix => client}
* nixos/tests/common/{letsencrypt => acme}/{default.nix => server}

The test's other domain names are also adjusted to use *.test for
consistency (and to avoid misuse of non-reserved domain names such
as standalone.com).

[1] letsencrypt/pebble#283 (comment)

Co-authored-by: Yegor Timoshenko <yegortimoshenko@riseup.net>
(cherry picked from commit d0f04c1)
@emilazy
nixos/tests/acme: use CAP_NET_BIND_SERVICE
60e6ba6 
(cherry picked from commit 695fd78)
@emilazy
nixos/tests/common/acme: don't set nameservers for client
f035e26 
The resolver is mainly useful for the ACME server, and acme.nix uses its
own DNS server to test DNS-01 challenges.

(cherry picked from commit 21f183a)
@flokli flokli merged commit 426646c into NixOS:release-20.03 Apr 19, 2020
@emilazy emilazy deleted the acme-test-cleanups-20.03 branch April 19, 2020 22:34
@emilazy
Copy link
Member Author

emilazy commented Apr 19, 2020

Thanks for getting these merged!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@emilazy @flokli