nixos/nginx: fix reference to acme cert hostname

The change introduced in #308303 refers to the virtualHosts attrset
key which can be any string. The servername is the actual primary
hostname used for the certificate.

This fixes use cases like:

    services.nginx.virtualHosts.foobar.serverName = "my.fqdn.org";
Franz Pletz 2024-05-10 00:50:43 +02:00
parent cc40af1ab3
commit b7d060d10d
No known key found for this signature in database
GPG key ID: 846FDED7792617B4
2 changed files with 21 additions and 13 deletions


@ -352,7 +352,7 @@ let
# The acme-challenge location doesn't need to be added if we are not using any automated # The acme-challenge location doesn't need to be added if we are not using any automated
# certificate provisioning and can also be omitted when we use a certificate obtained via a DNS-01 challenge # certificate provisioning and can also be omitted when we use a certificate obtained via a DNS-01 challenge
acmeName = if vhost.useACMEHost != null then vhost.useACMEHost else vhostName; acmeName = if vhost.useACMEHost != null then vhost.useACMEHost else vhost.serverName;
acmeLocation = optionalString ((vhost.enableACME || vhost.useACMEHost != null) && config.security.acme.certs.${acmeName}.dnsProvider == null) acmeLocation = optionalString ((vhost.enableACME || vhost.useACMEHost != null) && config.security.acme.certs.${acmeName}.dnsProvider == null)
# Rule for legitimate ACME Challenge requests (like /.well-known/acme-challenge/xxxxxxxxx) # Rule for legitimate ACME Challenge requests (like /.well-known/acme-challenge/xxxxxxxxx)
# We use ^~ here, so that we don't check any regexes (which could # We use ^~ here, so that we don't check any regexes (which could
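Review bot: The existing comment above `acmeName` explains when the ACME location is needed but not why the lookup key switched from the virtualHosts attribute name to `vhost.serverName`, which is exactly what the next maintainer will wonder about when `config.security.acme.certs.${acmeName}.dnsProvider` fails to evaluate for a vhost whose attribute name and server name differ. I would extend the comment with a line such as `# acme certs are keyed by the vhost's primary hostname (serverName), not by the virtualHosts attribute name, which is an arbitrary string`. Note that this lookup still presumes a certificate entry exists under `serverName` whenever `enableACME` is set; that registration happens elsewhere in the module and is not visible in this hunk, so it is worth confirming the two sides agree. The enclosing `let` block begins and ends outside the hunk.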


@ -99,7 +99,14 @@
serverAliases = [ "${server}-wildcard-alias.example.test" ]; serverAliases = [ "${server}-wildcard-alias.example.test" ];
useACMEHost = "example.test"; useACMEHost = "example.test";
}; };
} // (lib.optionalAttrs (server == "nginx") {
# The nginx module supports using a different key than the hostname
different-key = vhostBaseData // {
serverName = "${server}-different-key.example.test";
serverAliases = [ "${server}-different-key-alias.example.test" ];
enableACME = true;
}; };
});
}; };
# Used to determine if service reload was triggered # Used to determine if service reload was triggered
@ -653,17 +660,17 @@ in {
webserver.succeed("systemctl restart caddy.service") webserver.succeed("systemctl restart caddy.service")
check_connection_key_bits(client, "a.example.test", "384") check_connection_key_bits(client, "a.example.test", "384")
domains = ["http", "dns", "wildcard"] common_domains = ["http", "dns", "wildcard"]
for server, logsrc in [ for server, logsrc, domains in [
("nginx", "journalctl -n 30 -u nginx.service"), ("nginx", "journalctl -n 30 -u nginx.service", common_domains + ["different-key"]),
("httpd", "tail -n 30 /var/log/httpd/*.log"), ("httpd", "tail -n 30 /var/log/httpd/*.log", common_domains),
]: ]:
wait_for_server = lambda: webserver.wait_for_unit(f"{server}.service") wait_for_server = lambda: webserver.wait_for_unit(f"{server}.service")
with subtest(f"Works with {server}"): with subtest(f"Works with {server}"):
try: try:
switch_to(webserver, server) switch_to(webserver, server)
# Skip wildcard domain for this check ([:-1]) for domain in domains:
for domain in domains[:-1]: if domain != "wildcard":
webserver.wait_for_unit( webserver.wait_for_unit(
f"acme-finished-{server}-{domain}.example.test.target" f"acme-finished-{server}-{domain}.example.test.target"
) )
@ -676,7 +683,8 @@ in {
wait_for_server() wait_for_server()
for domain in domains[:-1]: for domain in domains:
if domain != "wildcard":
check_issuer(webserver, f"{server}-{domain}.example.test", "pebble") check_issuer(webserver, f"{server}-{domain}.example.test", "pebble")
for domain in domains: for domain in domains:
check_connection(client, f"{server}-{domain}.example.test") check_connection(client, f"{server}-{domain}.example.test")