From b7d060d10d6e5089c9d7f0c889845bb936c4f961 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Fri, 10 May 2024 00:50:43 +0200 Subject: [PATCH] nixos/nginx: fix reference to acme cert hostname The change introduced in #308303 refers to the virtualHosts attrset key which can be any string. The servername is the actual primary hostname used for the certificate. This fixes use cases like: services.nginx.virualHosts.foobar.serverName = "my.fqdn.org"; --- .../services/web-servers/nginx/default.nix | 2 +- nixos/tests/acme.nix | 32 ++++++++++++------- 2 files changed, 21 insertions(+), 13 deletions(-) diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix index 08fab09e1e55..fd940cfe459a 100644 --- a/nixos/modules/services/web-servers/nginx/default.nix +++ b/nixos/modules/services/web-servers/nginx/default.nix @@ -352,7 +352,7 @@ let # The acme-challenge location doesn't need to be added if we are not using any automated # certificate provisioning and can also be omitted when we use a certificate obtained via a DNS-01 challenge - acmeName = if vhost.useACMEHost != null then vhost.useACMEHost else vhostName; + acmeName = if vhost.useACMEHost != null then vhost.useACMEHost else vhost.serverName; acmeLocation = optionalString ((vhost.enableACME || vhost.useACMEHost != null) && config.security.acme.certs.${acmeName}.dnsProvider == null) # Rule for legitimate ACME Challenge requests (like /.well-known/acme-challenge/xxxxxxxxx) # We use ^~ here, so that we don't check any regexes (which could diff --git a/nixos/tests/acme.nix b/nixos/tests/acme.nix index d63a77fcdd23..511d3c589fae 100644 --- a/nixos/tests/acme.nix +++ b/nixos/tests/acme.nix @@ -99,7 +99,14 @@ serverAliases = [ "${server}-wildcard-alias.example.test" ]; useACMEHost = "example.test"; }; - }; + } // (lib.optionalAttrs (server == "nginx") { + # The nginx module supports using a different key than the hostname + different-key = vhostBaseData // { + serverName = "${server}-different-key.example.test"; + serverAliases = [ "${server}-different-key-alias.example.test" ]; + enableACME = true; + }; + }); }; # Used to determine if service reload was triggered @@ -653,20 +660,20 @@ in { webserver.succeed("systemctl restart caddy.service") check_connection_key_bits(client, "a.example.test", "384") - domains = ["http", "dns", "wildcard"] - for server, logsrc in [ - ("nginx", "journalctl -n 30 -u nginx.service"), - ("httpd", "tail -n 30 /var/log/httpd/*.log"), + common_domains = ["http", "dns", "wildcard"] + for server, logsrc, domains in [ + ("nginx", "journalctl -n 30 -u nginx.service", common_domains + ["different-key"]), + ("httpd", "tail -n 30 /var/log/httpd/*.log", common_domains), ]: wait_for_server = lambda: webserver.wait_for_unit(f"{server}.service") with subtest(f"Works with {server}"): try: switch_to(webserver, server) - # Skip wildcard domain for this check ([:-1]) - for domain in domains[:-1]: - webserver.wait_for_unit( - f"acme-finished-{server}-{domain}.example.test.target" - ) + for domain in domains: + if domain != "wildcard": + webserver.wait_for_unit( + f"acme-finished-{server}-{domain}.example.test.target" + ) except Exception as err: _, output = webserver.execute( f"{logsrc} && ls -al /var/lib/acme/acme-challenge" @@ -676,8 +683,9 @@ in { wait_for_server() - for domain in domains[:-1]: - check_issuer(webserver, f"{server}-{domain}.example.test", "pebble") + for domain in domains: + if domain != "wildcard": + check_issuer(webserver, f"{server}-{domain}.example.test", "pebble") for domain in domains: check_connection(client, f"{server}-{domain}.example.test") check_connection(client, f"{server}-{domain}-alias.example.test")