nixos/nginx: fix reference to acme cert hostname

The change introduced in #308303 refers to the virtualHosts attrset key which can be any string. The servername is the actual primary hostname used for the certificate. This fixes use cases like: services.nginx.virualHosts.foobar.serverName = "my.fqdn.org";
2024-05-10 00:50:43 +02:00 · 2024-05-10 00:50:43 +02:00 · b7d060d10d
commit b7d060d10d
parent cc40af1ab3
2 changed files with 21 additions and 13 deletions
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@ -352,7 +352,7 @@ let
        # The acme-challenge location doesn't need to be added if we are not using any automated
        # certificate provisioning and can also be omitted when we use a certificate obtained via a DNS-01 challenge
-        acmeName = if vhost.useACMEHost != null then vhost.useACMEHost else vhostName;
+        acmeName = if vhost.useACMEHost != null then vhost.useACMEHost else vhost.serverName;
        acmeLocation = optionalString ((vhost.enableACME || vhost.useACMEHost != null) && config.security.acme.certs.${acmeName}.dnsProvider == null)
          # Rule for legitimate ACME Challenge requests (like /.well-known/acme-challenge/xxxxxxxxx)
          # We use ^~ here, so that we don't check any regexes (which could
--- a/nixos/tests/acme.nix
+++ b/nixos/tests/acme.nix
@ -99,7 +99,14 @@
              serverAliases = [ "${server}-wildcard-alias.example.test" ];
              useACMEHost = "example.test";
            };
          } // (lib.optionalAttrs (server == "nginx") {
            # The nginx module supports using a different key than the hostname
            different-key = vhostBaseData // {
              serverName = "${server}-different-key.example.test";
              serverAliases = [ "${server}-different-key-alias.example.test" ];
              enableACME = true;
            };
          });
        };
        # Used to determine if service reload was triggered
@ -653,17 +660,17 @@ in {
          webserver.succeed("systemctl restart caddy.service")
          check_connection_key_bits(client, "a.example.test", "384")
-      domains = ["http", "dns", "wildcard"]
+      common_domains = ["http", "dns", "wildcard"]
-      for server, logsrc in [
+      for server, logsrc, domains in [
-          ("nginx", "journalctl -n 30 -u nginx.service"),
+          ("nginx", "journalctl -n 30 -u nginx.service", common_domains + ["different-key"]),
-          ("httpd", "tail -n 30 /var/log/httpd/*.log"),
+          ("httpd", "tail -n 30 /var/log/httpd/*.log", common_domains),
      ]:
          wait_for_server = lambda: webserver.wait_for_unit(f"{server}.service")
          with subtest(f"Works with {server}"):
              try:
                  switch_to(webserver, server)
-                  # Skip wildcard domain for this check ([:-1])
+                  for domain in domains:
-                  for domain in domains[:-1]:
+                      if domain != "wildcard":
                          webserver.wait_for_unit(
                              f"acme-finished-{server}-{domain}.example.test.target"
                          )
@ -676,7 +683,8 @@ in {
              wait_for_server()
-              for domain in domains[:-1]:
+              for domain in domains:
                  if domain != "wildcard":
                      check_issuer(webserver, f"{server}-{domain}.example.test", "pebble")
              for domain in domains:
                  check_connection(client, f"{server}-{domain}.example.test")