
nixos/acme: support "full.pem" (for lighttpd) #26459


Closed
wants to merge 2 commits into from

Conversation

bjornfor
Contributor

@bjornfor bjornfor commented Jun 7, 2017

Motivation for this change

Be able to use letsencrypt / ACME certificates with lighttpd on NixOS.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option build-use-sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • Linux
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Fits CONTRIBUTING.md.


* Create "full.pem" from selfsigned certificate
* Tell simp_le to create "full.pem"
* Inject service dependency between lighttpd and the generation of certificates

Side note: According to the internet these servers also use the
"full.pem" format: pound, ejabberd, pure-ftpd.
@bjornfor bjornfor added 0.kind: enhancement Add something new 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS labels Jun 7, 2017
Member

@fpletz fpletz left a comment


LGTM but I just noticed that we're not checking if a plugin is enabled before chown/chmodding the pem files.

@fpletz fpletz requested a review from abbradar June 7, 2017 20:55
* Use literalExample for better readability
* Clarify a bit wrt. 'webroot' and 'allowKeysForGroup'
@bjornfor
Contributor Author

bjornfor commented Jun 8, 2017

@fpletz: It seems the chown/chmod is only done on the selfsigned certificates, and those are created independently of what kind of plugins are enabled. (It may be cleaner if the selfsigned certificates were created based on the selected plugins, but that's a separate issue.)

Another possible concern: The webservers are configured to depend unconditionally on the selfsigned certificates target ("acme-selfsigned-certificates.target"). What happens if security.acme.preliminarySelfsigned = false? I'll test later today.

@bjornfor
Contributor Author

bjornfor commented Jun 8, 2017

What happens if security.acme.preliminarySelfsigned = false? I'll test later today.

I grepped the journal for "lighttpd|systemd" after rebuilding my system with this config. There were no warnings/errors related to missing acme-selfsigned-certificates.target. So I guess we can leave that as is.

Member

@abbradar abbradar left a comment


Looks good! ch{own,mod}s are indeed done only for self-signed certificates -- we can improve that later but it doesn't seem serious.
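An added example, not code from this PR or from the nixpkgs ACME module, of what the "full.pem" commits and the chown/chmod discussion above amount to in plain POSIX shell. lighttpd's ssl.pemfile expects the private key followed by the certificate chain in one file, so the bundle has to be protected like the key itself: it is written with a restrictive umask, given mode 0640 so a dedicated group (compare the module's allowKeysForGroup) can read it, replaced atomically, and checked before use. The input names key.pem and fullchain.pem and the 0640 mode are assumptions, not taken from the module, and the PEM bodies in the demo are constructed placeholders.

```shell
#!/bin/sh
# Added example: build a lighttpd-style "full.pem" (private key first, then the
# certificate chain) and protect it like the private key it contains.
# Assumptions (not from the nixpkgs module): inputs are named key.pem and
# fullchain.pem, and mode 0640 is used so a dedicated group can read the file.

make_full_pem() {
  key="$1"; chain="$2"; out="$3"
  if [ ! -r "$key" ] || [ ! -r "$chain" ]; then
    echo "make_full_pem: missing $key or $chain" >&2
    return 1
  fi
  tmp="$out.tmp.$$"
  # umask in a subshell so the temporary file is never created world-readable,
  # and so the caller's umask is left untouched
  ( umask 077; cat "$key" "$chain" > "$tmp" ) || return 1
  chmod 0640 "$tmp" || return 1
  mv -f "$tmp" "$out"   # atomic replace: the server never reads a half-written file
}

# Returns 0 only if the file bundles a key and a certificate and grants no
# permissions to "other" (the last octal digit of the mode is 0).
check_full_pem() {
  f="$1"
  grep -q 'BEGIN .*PRIVATE KEY' "$f" || return 1
  grep -q 'BEGIN CERTIFICATE' "$f" || return 1
  # GNU stat first, BSD/macOS stat as fallback
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  case "$mode" in
    *0) return 0 ;;
    *)  return 1 ;;
  esac
}

# Stand-alone demo with constructed (not real) PEM bodies.
demo_full_pem() {
  d=$(mktemp -d) || return 1
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'constructed-key-bytes' '-----END PRIVATE KEY-----' > "$d/key.pem"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed-cert-bytes' '-----END CERTIFICATE-----' > "$d/fullchain.pem"
  make_full_pem "$d/key.pem" "$d/fullchain.pem" "$d/full.pem" || return 1
  check_full_pem "$d/full.pem" || return 1
  head -n 1 "$d/full.pem"   # prints -----BEGIN PRIVATE KEY-----
  rm -rf "$d"
}

demo_full_pem
```

The order matters: the key must come first because that is how lighttpd reads the combined file, and check_full_pem rejects a bundle that a later chmod or a careless copy has left world-readable, which is the class of problem the reviewers were discussing for the self-signed files.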

@bjornfor
Contributor Author

bjornfor commented Jun 9, 2017

Thanks! Applied to master (7a0e958, 6a55fda).

@bjornfor bjornfor closed this Jun 9, 2017
@bjornfor bjornfor deleted the nixos-letsencrypt-full-pem branch June 9, 2017 17:41
@fpletz
Member

fpletz commented Jun 10, 2017

Thank you both! 👍
