From 87403a0b078d62245de7d619f2b71d2a0c78675a Mon Sep 17 00:00:00 2001
From: Lucas Savva
Date: Fri, 26 Nov 2021 21:57:31 +0000
Subject: [PATCH] nixos/acme: Add a human readable error on run failure
Closes NixOS/nixpkgs#108237 When a user first adds an ACME cert to their configuration, it's likely to fail to renew due to DNS misconfig. This is non-fatal for other services since selfsigned certs are (usually) put in place to let dependant services start. Tell the user about this in the logs, and exit 2 for differentiation purposes.
---
 nixos/modules/security/acme.nix | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
index dcea137b52e9..be4762da8d13 100644
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -391,8 +391,13 @@ let
 fi
 # Otherwise do a full run
- else
- lego ${runOpts}
+ elif ! lego ${runOpts}; then
+ # Produce a nice error for those doing their first nixos-rebuild with these certs
+ echo Failed to fetch certificates. \ This may mean your DNS records are set up incorrectly. \ ${optionalString (cfg.preliminarySelfsigned) "Selfsigned certs are in place and dependant services will still start."}
+ # Exit 2 so that users can potentially amend SuccessExitStatus to ignore this error.
+ exit 2
 fi
 mv domainhash.txt certificates/
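Review bot: The added `echo Failed to fetch certificates. ...` line passes the message as unquoted shell words and writes it to stdout, so it is subject to word splitting and, in the journal, is indistinguishable from lego's ordinary output; quote the whole message and send it to stderr, e.g. `echo "Failed to fetch certificates. This may mean your DNS records are set up incorrectly. ${optionalString cfg.preliminarySelfsigned "..."}" >&2`. Negating lego in `elif ! lego ${runOpts}; then` also discards the exit status lego reported, which is the one signal that would let an operator tell a DNS problem from a credential or rate-limit failure before they follow the comment's advice and add 2 to `SuccessExitStatus`; capturing it (`lego ${runOpts} || rc=$?` inside the else branch, then printing `$rc` in the message before `exit 2`) preserves that evidence while keeping the distinct exit code. The renewal path earlier in this script presumably still fails with lego's raw status, so the two-vs-other distinction only holds for the first full run; worth a sentence in the option documentation if that is intended. "dependant" in the user-facing string should be "dependent". The enclosing if/elif chain and the script it belongs to begin before this hunk.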