nixos/acme: Add a human readable error on run failure

Closes NixOS/nixpkgs#108237

When a user first adds an ACME cert to their configuration,
it's likely to fail to renew due to DNS misconfig. This is
non-fatal for other services since selfsigned certs are
(usually) put in place to let dependent services start.
Tell the user about this in the logs, and exit 2 for
differentiation purposes.
Lucas Savva 2021-11-26 21:57:31 +00:00
parent a88d846b91
commit 87403a0b07
GPG key ID: E4EC5BF2E2F116A2


@ -391,8 +391,13 @@ let
fi
# Otherwise do a full run
else
lego ${runOpts}
elif ! lego ${runOpts}; then
# Produce a nice error for those doing their first nixos-rebuild with these certs
echo Failed to fetch certificates. \
This may mean your DNS records are set up incorrectly. \
${optionalString (cfg.preliminarySelfsigned) "Selfsigned certs are in place and dependant services will still start."}
# Exit 2 so that users can potentially amend SuccessExitStatus to ignore this error.
exit 2
fi
mv domainhash.txt certificates/
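Review bot: the `echo` in the added `elif` branch prints the failure text unquoted and to stdout, so the message is not clearly separated from lego's normal output when someone reads the unit's log; quote the string and send it to stderr, e.g. `echo "Failed to fetch certificates. This may mean your DNS records are set up incorrectly." >&2`, and correct "dependant" to "dependent" in the user-visible text while here. The unconditional `exit 2` also drops lego's own exit status, which is the first thing a user would want when deciding whether the cause really is DNS; consider logging it before exiting. Otherwise the `elif ! lego ${runOpts}; then` keeps the same run-only-when-not-renewing behaviour as the replaced `else` branch, and the `SuccessExitStatus` note in the comment matches how a systemd unit can be told to treat that status as success.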