Merge pull request #310452 from fpletz/nginx-acme-servername

nixos/nginx: fix reference to acme cert hostname

nixos/modules/services/web-servers/nginx/default.nix

@@ -352,7 +352,7 @@ let
 
         # The acme-challenge location doesn't need to be added if we are not using any automated
         # certificate provisioning and can also be omitted when we use a certificate obtained via a DNS-01 challenge
-        acmeName = if vhost.useACMEHost != null then vhost.useACMEHost else vhostName;
+        acmeName = if vhost.useACMEHost != null then vhost.useACMEHost else vhost.serverName;
         acmeLocation = optionalString ((vhost.enableACME || vhost.useACMEHost != null) && config.security.acme.certs.${acmeName}.dnsProvider == null)
           # Rule for legitimate ACME Challenge requests (like /.well-known/acme-challenge/xxxxxxxxx)
           # We use ^~ here, so that we don't check any regexes (which could

nixos/tests/acme.nix

@@ -99,7 +99,14 @@
               serverAliases = [ "${server}-wildcard-alias.example.test" ];
               useACMEHost = "example.test";
             };
-          };
+          } // (lib.optionalAttrs (server == "nginx") {
+            # The nginx module supports using a different key than the hostname
+            different-key = vhostBaseData // {
+              serverName = "${server}-different-key.example.test";
+              serverAliases = [ "${server}-different-key-alias.example.test" ];
+              enableACME = true;
+            };
+          });
         };
 
         # Used to determine if service reload was triggered
@@ -653,20 +660,20 @@ in {
           webserver.succeed("systemctl restart caddy.service")
           check_connection_key_bits(client, "a.example.test", "384")
 
-      domains = ["http", "dns", "wildcard"]
+      common_domains = ["http", "dns", "wildcard"]
-      for server, logsrc in [
+      for server, logsrc, domains in [
-          ("nginx", "journalctl -n 30 -u nginx.service"),
+          ("nginx", "journalctl -n 30 -u nginx.service", common_domains + ["different-key"]),
-          ("httpd", "tail -n 30 /var/log/httpd/*.log"),
+          ("httpd", "tail -n 30 /var/log/httpd/*.log", common_domains),
       ]:
           wait_for_server = lambda: webserver.wait_for_unit(f"{server}.service")
           with subtest(f"Works with {server}"):
               try:
                   switch_to(webserver, server)
-                  # Skip wildcard domain for this check ([:-1])
+                  for domain in domains:
-                  for domain in domains[:-1]:
+                      if domain != "wildcard":
-                      webserver.wait_for_unit(
+                          webserver.wait_for_unit(
-                          f"acme-finished-{server}-{domain}.example.test.target"
+                              f"acme-finished-{server}-{domain}.example.test.target"
-                      )
+                          )
               except Exception as err:
                   _, output = webserver.execute(
                       f"{logsrc} && ls -al /var/lib/acme/acme-challenge"
@@ -676,8 +683,9 @@ in {
 
               wait_for_server()
 
-              for domain in domains[:-1]:
+              for domain in domains:
-                  check_issuer(webserver, f"{server}-{domain}.example.test", "pebble")
+                  if domain != "wildcard":
+                      check_issuer(webserver, f"{server}-{domain}.example.test", "pebble")
               for domain in domains:
                   check_connection(client, f"{server}-{domain}.example.test")
                   check_connection(client, f"{server}-{domain}-alias.example.test")