
acme service: generate a CA for self-signed certificate #38372

Merged
merged 1 commit into from Apr 17, 2018

Conversation

abbradar
Member

@abbradar abbradar commented Apr 3, 2018

Motivation for this change

This is needed because simp_le expects two certificates in fullchain.pem, leading to the error:

Not enough PEM encoded messages were found in fullchain.pem; at least 2 were expected, found 1.

We now create a CA and sign the key with it instead, providing correct fullchain.pem.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option build-use-sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Fits CONTRIBUTING.md.

cc @vcunat @fpletz -- this is a potentially serious release issue. security.acme with fullchain.pem (e.g. nginx's enableACME) doesn't work at all on new servers now.

Tested on a fresh server with clean /var/lib/acme using nginx's enableACME.

This is needed because simp_le expects two certificates in fullchain.pem, leading to the error:

> Not enough PEM encoded messages were found in fullchain.pem; at least 2 were expected, found 1.

We now create a CA and sign the key with it instead, providing correct fullchain.pem.

Also clean up the service a bit -- use PATH and a private temporary directory (which
is more suitable).
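As an added illustration (not the NixOS module's code from this PR), the shape of the bootstrap the description refers to: a throwaway CA signs the placeholder leaf certificate, so fullchain.pem carries two PEM certificates and passes the simp_le check quoted above. The domain, output directory and helper names are assumptions; it only requires openssl on PATH.

```shell
#!/usr/bin/env sh
# Added example, not the module's own service script. A throwaway CA signs
# the placeholder leaf so fullchain.pem holds two PEM certificates, which is
# what simp_le's "at least 2 were expected" check requires.
# Assumes: openssl on PATH; domain and output directory are hypothetical.
set -eu

# Writes key.pem, cert.pem (leaf), ca.pem and fullchain.pem into $2 for domain $1.
make_placeholder_chain() {
  domain=$1
  out=$2
  # Private temporary directory for the CA key and CSR; the CA key is never
  # kept, since nothing should ever trust this CA beyond the bootstrap.
  tmp=$(mktemp -d)
  mkdir -p "$out"

  # 1. Throwaway CA: self-signed, short-lived, used only to sign the leaf.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=placeholder-ca-$domain" \
    -keyout "$tmp/ca-key.pem" -out "$out/ca.pem" 2>/dev/null

  # 2. Leaf key and CSR for the domain.
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=$domain" \
    -keyout "$out/key.pem" -out "$tmp/leaf.csr" 2>/dev/null

  # 3. Sign the leaf with the CA instead of self-signing it.
  openssl x509 -req -days 1 -in "$tmp/leaf.csr" \
    -CA "$out/ca.pem" -CAkey "$tmp/ca-key.pem" \
    -CAserial "$tmp/ca.srl" -CAcreateserial \
    -out "$out/cert.pem" 2>/dev/null

  # 4. fullchain.pem = leaf followed by issuer, the order ACME clients write.
  cat "$out/cert.pem" "$out/ca.pem" > "$out/fullchain.pem"
  rm -rf "$tmp"
}

# Same check simp_le performs: count PEM certificate blocks in the file.
# Prints the count; exit status 0 only when at least 2 are present.
count_pem_certs() {
  n=$(grep -c 'BEGIN CERTIFICATE' "$1" || true)
  echo "$n"
  [ "$n" -ge 2 ]
}
```

The resulting chain is only good for letting nginx start; no client trusts the placeholder CA, and simp_le overwrites the files once it obtains real certificates.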
@dotlambda
Member

@GrahamcOfBorg test acme

@GrahamcOfBorg

No attempt on aarch64-linux (full log)

The following builds were skipped because they don't evaluate on aarch64-linux: tests.acme

Partial log:


a) For `nixos-rebuild` you can set
  { nixpkgs.config.allowBroken = true; }
in configuration.nix to override this.

b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
  { allowBroken = true; }
to ~/.config/nixpkgs/config.nix.


@GrahamcOfBorg

Failure on x86_64-linux (full log)

Attempted: tests.acme

Partial log:

building path(s) ‘/nix/store/9wylh3h3jawwkh8fl9n86ps6bhhary25-etc’
building path(s) ‘/nix/store/36b6xnw5czdv4ii7bvrrd8lhqp6446mq-nixos-system-letsencrypt-18.09.git.129dfe8’
building path(s) ‘/nix/store/vp5qns0wxbd7fhxzndicn9rbhzmx34pa-closure-info’
/nix/store/aj9rz4k3xvg8q9fzqfnb0q123707zp0n-builder: line 1: .attrs.sh: No such file or directory
builder for ‘/nix/store/i0dangqfm60204nq2nigf232j88myyy4-closure-info.drv’ failed with exit code 1
cannot build derivation ‘/nix/store/7mcxgd7gck3mannmg4gsj4bh38vvcd23-run-nixos-vm.drv’: 1 dependencies couldn't be built
cannot build derivation ‘/nix/store/pkg019k28f56lv87z06vr97x65y4n7b0-nixos-vm.drv’: 1 dependencies couldn't be built
cannot build derivation ‘/nix/store/xm0nap8dcsqz0fvdnym0xpm3x11ndacn-nixos-test-driver-acme.drv’: 3 dependencies couldn't be built
cannot build derivation ‘/nix/store/wfs01vg45plkvwhh1lxfia7h9xf2wp4c-vm-test-run-acme.drv’: 1 dependencies couldn't be built
error: build of ‘/nix/store/wfs01vg45plkvwhh1lxfia7h9xf2wp4c-vm-test-run-acme.drv’ failed

@abbradar
Member Author

abbradar commented Apr 5, 2018

Didn't know we have a test for ACME. I'll check it out, thanks (issue looks unrelated now).

@dotlambda
Member

The test works for me locally. Let's try again.

@GrahamcOfBorg eval
@GrahamcOfBorg test acme

@GrahamcOfBorg

Failure on x86_64-linux (full log)

Attempted: tests.acme

Partial log:

cannot build derivation ‘/nix/store/sl23xd70b2bgwdbsbzypmsqxs6vr7fvg-nixos-vm.drv’: 1 dependencies couldn't be built
building path(s) ‘/nix/store/fh86kc2fz32cjp482mckmzhq0fjjx9di-nixos-system-letsencrypt-18.09.git.87dbf56’
building path(s) ‘/nix/store/a0mlbbkvlvpba3q73yyjc9qlrpir91ch-closure-info’
/nix/store/aj9rz4k3xvg8q9fzqfnb0q123707zp0n-builder: line 1: .attrs.sh: No such file or directory
builder for ‘/nix/store/5v9x1rpshqlajvcig22fgj6x8nlld6l2-closure-info.drv’ failed with exit code 1
cannot build derivation ‘/nix/store/205vfldd1xx0kyhn8n95ws761cmy6m0l-run-nixos-vm.drv’: 1 dependencies couldn't be built
cannot build derivation ‘/nix/store/wkkkrbq2f40x0926n0xfnxgcp03mbdr1-nixos-vm.drv’: 1 dependencies couldn't be built
cannot build derivation ‘/nix/store/6fy0hiwfgzf23dfg7bxdpqzbgjsc8yaw-nixos-test-driver-acme.drv’: 3 dependencies couldn't be built
cannot build derivation ‘/nix/store/6y0c5fck47rqwm1ra41ldzazmf5kgvsg-vm-test-run-acme.drv’: 1 dependencies couldn't be built
error: build of ‘/nix/store/6y0c5fck47rqwm1ra41ldzazmf5kgvsg-vm-test-run-acme.drv’ failed

@GrahamcOfBorg

No attempt on aarch64-linux (full log)

The following builds were skipped because they don't evaluate on aarch64-linux: tests.acme

Partial log:


a) For `nixos-rebuild` you can set
  { nixpkgs.config.allowBroken = true; }
in configuration.nix to override this.

b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
  { allowBroken = true; }
to ~/.config/nixpkgs/config.nix.


@wmertens
Contributor

The test error seems to be

/nix/store/aj9rz4k3xvg8q9fzqfnb0q123707zp0n-builder: line 1: .attrs.sh: No such file or directory

...which seems unrelated.

The changes look good to me.

@abbradar
Member Author

Merging this in several days unless there's an issue.

@dotlambda
Member

Shouldn't this be fixed upstream or is there reason to expect two certificates?
Maybe we can just patch the check out rather than adapting the module?

@abbradar
Member Author

@dotlambda I don't think this is an upstream issue -- they expect their own generated files to be there after all. We can patch the check but I liked the approach of making our self-signed certificates closer to the actual ones more -- no hard opinion here though.

@wmertens
Contributor

wmertens commented Apr 11, 2018 via email

@abbradar
Member Author

@wmertens The point is to make some test certificates so that nginx can start (it fails otherwise without a cert at all) and simp_le can then replace them with proper certs.

@wmertens
Contributor

wmertens commented Apr 11, 2018 via email

@abbradar
Member Author

@wmertens Filed zenhack/simp_le#105

@abbradar abbradar merged commit 4fc0b4e into NixOS:master Apr 17, 2018