acme service: generate a CA for self-signed certificate #38372
Conversation
This is needed because simp_le expects two certificates in fullchain.pem, leading to error:

> Not enough PEM encoded messages were found in fullchain.pem; at least 2 were expected, found 1.

We now create a CA and sign the key with it instead, providing correct fullchain.pem. Also cleanup service a bit -- use PATH and a private temporary directory (which is more suitable).
@GrahamcOfBorg test acme

No attempt on aarch64-linux (full log). The following builds were skipped because they don't evaluate on aarch64-linux: tests.acme

Failure on x86_64-linux (full log). Attempted: tests.acme
Didn't know we have a test for ACME. I'll check it out, thanks (issue looks unrelated now).

The test works for me locally. Let's try again. @GrahamcOfBorg eval

Failure on x86_64-linux (full log). Attempted: tests.acme

No attempt on aarch64-linux (full log). The following builds were skipped because they don't evaluate on aarch64-linux: tests.acme
The test error seems to be
...which seems unrelated. The changes look good to me.

Merging this in several days unless there's an issue.

Shouldn't this be fixed upstream or is there reason to expect two certificates?

@dotlambda I don't think this is an upstream issue -- they expect their own generated files to be there after all. We can patch the check but I liked the approach of making our self-signed certificates closer to the actual ones more -- no hard opinion here though.
So, why can't we just let simp_le do the certificate creation? Perhaps the upstream issue should be that we can't use their stuff because of $reason?

On Wed, Apr 11, 2018 at 5:15 PM Nikolay Amiantov wrote:
> @dotlambda I don't think this is an upstream issue -- they expect their own generated files to be there after all. We can patch the check but I liked the approach of making our self-signed certificates closer to the actual ones more -- no hard opinion here though.
@wmertens The point is to make *some* test certificates so that nginx can start (it fails otherwise without a cert at all) and simp_le can then replace them with proper certs.
Aha ok. Still, seems like it could be an upstream feature "please make some temp certs where you will be writing the real ones"

On Wed, Apr 11, 2018 at 5:35 PM Nikolay Amiantov wrote:
> @wmertens The point is to make *some* test certificates so that nginx can start (it fails otherwise without a cert at all) and simp_le can then replace them with proper certs.

@wmertens Filed zenhack/simp_le#105
Motivation for this change

This is needed because simp_le expects two certificates in fullchain.pem, leading to error:

> Not enough PEM encoded messages were found in fullchain.pem; at least 2 were expected, found 1.

We now create a CA and sign the key with it instead, providing correct fullchain.pem.

Things done

- Tested using sandboxing (build-use-sandbox in nix.conf on non-NixOS)
- Tested with nix-shell -p nox --run "nox-review wip"
- Tested execution of binaries in ./result/bin/

cc @vcunat @fpletz -- this is a potentially serious release issue. security.acme with fullchain.pem (e.g. nginx's enableACME) doesn't work at all on new servers now. Tested on a fresh server with clean /var/lib/acme using nginx's enableACME.