Merge pull request #101370 from m1cr0man/ssl-test-certs
nixos/acme: Permissions and tests fixes
commit
2b06415ca1
@ -63,7 +63,7 @@ let
|
|||||||
script = with builtins; concatStringsSep "\n" (mapAttrsToList (cert: data: ''
|
script = with builtins; concatStringsSep "\n" (mapAttrsToList (cert: data: ''
|
||||||
for fixpath in /var/lib/acme/${escapeShellArg cert} /var/lib/acme/.lego/${escapeShellArg cert}; do
|
for fixpath in /var/lib/acme/${escapeShellArg cert} /var/lib/acme/.lego/${escapeShellArg cert}; do
|
||||||
if [ -d "$fixpath" ]; then
|
if [ -d "$fixpath" ]; then
|
||||||
chmod -R 750 "$fixpath"
|
chmod -R u=rwX,g=rX,o= "$fixpath"
|
||||||
chown -R acme:${data.group} "$fixpath"
|
chown -R acme:${data.group} "$fixpath"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
@ -271,7 +271,7 @@ let
|
|||||||
|
|
||||||
mv domainhash.txt certificates/
|
mv domainhash.txt certificates/
|
||||||
chmod 640 certificates/*
|
chmod 640 certificates/*
|
||||||
chmod -R 700 accounts/*
|
chmod -R u=rwX,g=,o= accounts/*
|
||||||
|
|
||||||
# Group might change between runs, re-apply it
|
# Group might change between runs, re-apply it
|
||||||
chown 'acme:${data.group}' certificates/*
|
chown 'acme:${data.group}' certificates/*
|
||||||
|
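Review bot: The recursive `chmod -R u=rwX,g=rX,o= "$fixpath"` at the top of the loop grants `${data.group}` read access to everything under `/var/lib/acme/.lego/<cert>`, and the second hunk's `chmod -R u=rwX,g=,o= accounts/*` suggests that tree holds the ACME account directory, which is meant to be owner-only; if that layout is right, each fixperms run re-exposes the account key to the service group until the next renewal run tightens it again. A guard inside the loop would close that window: `if [ -d "$fixpath/accounts" ]; then chmod -R u=rwX,g=,o= "$fixpath/accounts"; fi`. The working directory that makes the second hunk's `accounts/*` relative is set outside the hunk, so the path relationship is inferred from the two hunks, not visible. The enclosing `script` string begins before the first hunk and continues past the second.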
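--- /dev/null
+++ b/nixos/tests/common/acme/server/README.md
@@ -0,0 +1,21 @@
+# Fake Certificate Authority for ACME testing
+
+This will set up a test node running [pebble](https://github.com/letsencrypt/pebble)
+to serve ACME certificate requests.
+
+## "Snake oil" certs
+
+The snake oil certs are hard coded into the repo for reasons explained [here](https://github.com/NixOS/nixpkgs/pull/91121#discussion_r505410235).
+The root of the issue is that Nix will hash the derivation based on the arguments
+to mkDerivation, not the output. [Minica](https://github.com/jsha/minica) will
+always generate a random certificate even if the arguments are unchanged. As a
+result, it's possible to end up in a situation where the cached and local
+generated certs mismatch and cause issues with testing.
+
+To generate new certificates, run the following commands:
+
+```bash
+nix-build generate-certs.nix
+cp result/* .
+rm result
+```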
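--- /dev/null
+++ b/nixos/tests/common/acme/server/acme.test.cert.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDLDCCAhSgAwIBAgIIRDAN3FHH//IwDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE
+AxMVbWluaWNhIHJvb3QgY2EgNzg3NDZmMB4XDTIwMTAyMTEzMjgzNloXDTIyMTEy
+MDEzMjgzNlowFDESMBAGA1UEAxMJYWNtZS50ZXN0MIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAo8XjMVUaljcaqQ5MFhfPuQgSwdyXEUbpSHz+5yPkE0h9
+Z4Xu5BJF1Oq7h5ggCtadVsIspiY6Jm6aWDOjlh4myzW5UNBNUG3OPEk50vmmHFeH
+pImHO/d8yb33QoF9VRcTZs4tuJYg7l9bSs4jNG72vYvv2YiGAcmjJcsmAZIfniCN
+Xf/LjIm+Cxykn+Vo3UuzO1w5/iuofdgWO/aZxMezmXUivlL3ih4cNzCJei8WlB/l
+EnHrkcy3ogRmmynP5zcz7vmGIJX2ji6dhCa4Got5B7eZK76o2QglhQXqPatG0AOY
+H+RfQfzKemqPG5om9MgJtwFtTOU1LoaiBw//jXKESQIDAQABo3YwdDAOBgNVHQ8B
+Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB
+/wQCMAAwHwYDVR0jBBgwFoAU+8IZlLV/Qp5CXqpXMLvtxWlxcJwwFAYDVR0RBA0w
+C4IJYWNtZS50ZXN0MA0GCSqGSIb3DQEBCwUAA4IBAQB0pe8I5/VDkB5VMgQB2GJV
+GKzyigfWbVez9uLmqMj9PPP/zzYKSYeq+91aMuOZrnH7NqBxSTwanULkmqAmhbJJ
+YkXw+FlFekf9FyxcuArzwzzNZDSGcjcdXpN8S2K1qkBd00iSJF9kU7pdZYCIKR20
+QirdBrELEfsJ3GU62a6N3a2YsrisZUvq5TbjGJDcytAtt+WG3gmV7RInLdFfPwbw
+bEHPCnx0uiV0nxLjd/aVT+RceVrFQVt4hR99jLoMlBitSKluZ1ljsrpIyroBhQT0
+pp/pVi6HJdijG0fsPrC325NEGAwcpotLUhczoeM/rffKJd54wLhDkfYxOyRZXivs
+-----END CERTIFICATE-----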
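--- /dev/null
+++ b/nixos/tests/common/acme/server/acme.test.key.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAo8XjMVUaljcaqQ5MFhfPuQgSwdyXEUbpSHz+5yPkE0h9Z4Xu
+5BJF1Oq7h5ggCtadVsIspiY6Jm6aWDOjlh4myzW5UNBNUG3OPEk50vmmHFeHpImH
+O/d8yb33QoF9VRcTZs4tuJYg7l9bSs4jNG72vYvv2YiGAcmjJcsmAZIfniCNXf/L
+jIm+Cxykn+Vo3UuzO1w5/iuofdgWO/aZxMezmXUivlL3ih4cNzCJei8WlB/lEnHr
+kcy3ogRmmynP5zcz7vmGIJX2ji6dhCa4Got5B7eZK76o2QglhQXqPatG0AOYH+Rf
+QfzKemqPG5om9MgJtwFtTOU1LoaiBw//jXKESQIDAQABAoIBADox/2FwVFo8ioS4
+R+Ex5OZjMAcjU6sX/516jTmlT05q2+UFerYgqB/YqXqtW/V9/brulN8VhmRRuRbO
+grq9TBu5o3hMDK0f18EkZB/MBnLbx594H033y6gEkPBZAyhRYtuNOEH3VwxdZhtW
+1Lu1EoiYSUqLcNMBy6+KWJ8GRaXyacMYBlj2lMHmyzkA/t1+2mwTGC3lT6zN0F5Y
+E5umXOxsn6Tb6q3KM9O5IvtmMMKpgj4HIHZLZ6j40nNgHwGRaAv4Sha/vx0DeBw3
+6VlNiTTPdShEkhESlM5/ocqTfI92VHJpM5gkqTYOWBi2aKIPfAopXoqoJdWl4pQ/
+NCFIu2ECgYEAzntNKIcQtf0ewe0/POo07SIFirvz6jVtYNMTzeQfL6CoEjYArJeu
+Vzc4wEQfA4ZFVerBb1/O6M449gI3zex1PH4AX0h8q8DSjrppK1Jt2TnpVh97k7Gg
+Tnat/M/yW3lWYkcMVJJ3AYurXLFTT1dYP0HvBwZN04yInrEcPNXKfmcCgYEAywyJ
+51d4AE94PrANathKqSI/gk8sP+L1gzylZCcUEAiGk/1r45iYB4HN2gvWbS+CvSdp
+F7ShlDWrTaNh2Bm1dgTjc4pWb4J+CPy/KN2sgLwIuM4+ZWIZmEDcio6khrM/gNqK
+aR7xUsvWsqU26O84woY/xR8IHjSNF7cFWE1H2c8CgYEAt6SSi2kVQ8dMg84uYE8t
+o3qO00U3OycpkOQqyQQLeKC62veMwfRl6swCfX4Y11mkcTXJtPTRYd2Ia8StPUkB
+PDwUuKoPt/JXUvoYb59wc7M+BIsbrdBdc2u6cw+/zfutCNuH6/AYSBeg4WAVaIuW
+wSwzG1xP+8cR+5IqOzEqWCECgYATweeVTCyQEyuHJghYMi2poXx+iIesu7/aAkex
+pB/Oo5W8xrb90XZRnK7UHbzCqRHWqAQQ23Gxgztk9ZXqui2vCzC6qGZauV7cLwPG
+zTMg36sVmHP314DYEM+k59ZYiQ6P0jQPoIQo407D2VGrfsOOIhQIcUmP7tsfyJ5L
+hlGMfwKBgGq4VNnnuX8I5kl03NpaKfG+M8jEHmVwtI9RkPTCCX9bMjeG0cDxqPTF
+TRkf3r8UWQTZ5QfAfAXYAOlZvmGhHjSembRbXMrMdi3rGsYRSrQL6n5NHnORUaMy
+FCWo4gyAnniry7tx9dVNgmHmbjEHuQnf8AC1r3dibRCjvJWUiQ8H
+-----END RSA PRIVATE KEY-----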
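--- /dev/null
+++ b/nixos/tests/common/acme/server/ca.cert.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDSzCCAjOgAwIBAgIIeHRvRrNvbGQwDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE
+AxMVbWluaWNhIHJvb3QgY2EgNzg3NDZmMCAXDTIwMTAyMTEzMjgzNloYDzIxMjAx
+MDIxMTMyODM2WjAgMR4wHAYDVQQDExVtaW5pY2Egcm9vdCBjYSA3ODc0NmYwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCrNTzVLDJOKtGYGLU98EEcLKps
+tXHCLC6G54LKbEcU80fn+ArX8qsPSHyhdXQkcYjq6Vh/EDJ1TctyRSnvAjwyG4Aa
+1Zy1QFc/JnjMjvzimCkUc9lQ+wkLwHSM/KGwR1cGjmtQ/EMClZTA0NwulJsXMKVz
+bd5asXbq/yJTQ5Ww25HtdNjwRQXTvB7r3IKcY+DsED9CvFvC9oG/ZhtZqZuyyRdC
+kFUrrv8WNUDkWSN+lMR6xMx8v0583IN6f11IhX0b+svK98G81B2eswBdkzvVyv9M
+unZBO0JuJG8sdM502KhWLmzBC1ZbvgUBF9BumDRpMFH4DCj7+qQ2taWeGyc7AgMB
+AAGjgYYwgYMwDgYDVR0PAQH/BAQDAgKEMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr
+BgEFBQcDAjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBT7whmUtX9CnkJe
+qlcwu+3FaXFwnDAfBgNVHSMEGDAWgBT7whmUtX9CnkJeqlcwu+3FaXFwnDANBgkq
+hkiG9w0BAQsFAAOCAQEARMe1wKmF33GjEoLLw0oDDS4EdAv26BzCwtrlljsEtwQN
+95oSzUNd6o4Js7WCG2o543OX6cxzM+yju8TES3+vJKDgsbNMU0bWCv//tdrb0/G8
+OkU3Kfi5q4fOauZ1pqGv/pXdfYhZ5ieB/zwis3ykANe5JfB0XqwCb1Vd0C3UCIS2
+NPKngRwNSzphIsbzfvxGDkdM1enuGl5CVyDhrwTMqGaJGDSOv6U5jKFxKRvigqTN
+Ls9lPmT5NXYETduWLBR3yUIdH6kZXrcozZ02B9vjOB2Cv4RMDc+9eM30CLIWpf1I
+097e7JkhzxFhfC/bMMt3P1FeQc+fwH91wdBmNi7tQw==
+-----END CERTIFICATE-----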
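--- /dev/null
+++ b/nixos/tests/common/acme/server/ca.key.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAqzU81SwyTirRmBi1PfBBHCyqbLVxwiwuhueCymxHFPNH5/gK
+1/KrD0h8oXV0JHGI6ulYfxAydU3LckUp7wI8MhuAGtWctUBXPyZ4zI784pgpFHPZ
+UPsJC8B0jPyhsEdXBo5rUPxDApWUwNDcLpSbFzClc23eWrF26v8iU0OVsNuR7XTY
+8EUF07we69yCnGPg7BA/QrxbwvaBv2YbWambsskXQpBVK67/FjVA5FkjfpTEesTM
+fL9OfNyDen9dSIV9G/rLyvfBvNQdnrMAXZM71cr/TLp2QTtCbiRvLHTOdNioVi5s
+wQtWW74FARfQbpg0aTBR+Awo+/qkNrWlnhsnOwIDAQABAoIBAA3ykVkgd5ysmlSU
+trcsCnHcJaojgff6l3PACoSpG4VWaGY6a8+54julgRm6MtMBONFCX0ZCsImj484U
+Wl0xRmwil2YYPuL5MeJgJPktMObY1IfpBCw3tz3w2M3fiuCMf0d2dMGtO1xLiUnH
++hgFXTkfamsj6ThkOrbcQBSebeRxbKM5hqyCaQoieV+0IJnyxUVq/apib8N50VsH
+SHd4oqLUuEZgg6N70+l5DpzedJUb4nrwS/KhUHUBgnoPItYBCiGPmrwLk7fUhPs6
+kTDqJDtc/xW/JbjmzhWEpVvtumcC/OEKULss7HLdeQqwVBrRQkznb0M9AnSra3d0
+X11/Y4ECgYEA3FC8SquLPFb2lHK4+YbJ4Ac6QVWeYFEHiZ0Rj+CmONmjcAvOGLPE
+SblRLm3Nbrkxbm8FF6/AfXa/rviAKEVPs5xqGfSDw/3n1uInPcmShiBCLwM/jHH5
+NeVG+R5mTg5zyQ/pQMLWRcs+Ail+ZAnZuoGpW3Cdc8OtCUYFQ7XB6nsCgYEAxvBJ
+zFxcTtsDzWbMWXejugQiUqJcEbKWwEfkRbf3J2rAVO2+EFr7LxdRfN2VwPiTQcWc
+LnN2QN+ouOjqBMTh3qm5oQY+TLLHy86k9g1k0gXWkMRQgP2ZdfWH1HyrwjLUgLe1
+VezFN7N1azgy6xFkInAAvuA4loxElZNvkGBgekECgYA/Xw26ILvNIGqO6qzgQXAh
++5I7JsiGheg4IjDiBMlrQtbrLMoceuD0H9UFGNplhel9DXwWgxxIOncKejpK2x0A
+2fX+/0FDh+4+9hA5ipiV8gN3iGSoHkSDxy5yC9d7jlapt+TtFt4Rd1OfxZWwatDw
+/8jaH3t6yAcmyrhK8KYVrwKBgAE5KwsBqmOlvyE9N5Z5QN189wUREIXfVkP6bTHs
+jq2EX4hmKdwJ4y+H8i1VY31bSfSGlY5HkXuWpH/2lrHO0CDBZG3UDwADvWzIaYVF
+0c/kz0v2mRQh+xaZmus4lQnNrDbaalgL666LAPbW0qFVaws3KxoBYPe0BxvwWyhF
+H3LBAoGBAKRRNsq2pWQ8Gqxc0rVoH0FlexU9U2ci3lsLmgEB0A/o/kQkSyAxaRM+
+VdKp3sWfO8o8lX5CVQslCNBSjDTNcat3Co4NEBLg6Xv1yKN/WN1GhusnchP9szsP
+oU47gC89QhUyWSd6vvr2z2NG9C3cACxe4dhDSHQcE4nHSldzCKv2
+-----END RSA PRIVATE KEY-----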
@ -51,10 +51,7 @@
|
|||||||
# that it has to be started _before_ the ACME service.
|
# that it has to be started _before_ the ACME service.
|
||||||
{ config, pkgs, lib, ... }:
|
{ config, pkgs, lib, ... }:
|
||||||
let
|
let
|
||||||
testCerts = import ./snakeoil-certs.nix {
|
testCerts = import ./snakeoil-certs.nix;
|
||||||
minica = pkgs.minica;
|
|
||||||
mkDerivation = pkgs.stdenv.mkDerivation;
|
|
||||||
};
|
|
||||||
domain = testCerts.domain;
|
domain = testCerts.domain;
|
||||||
|
|
||||||
resolver = let
|
resolver = let
|
||||||
|
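--- /dev/null
+++ b/nixos/tests/common/acme/server/generate-certs.nix
@@ -0,0 +1,29 @@
+# Minica can provide a CA key and cert, plus a key
+# and cert for our fake CA server's Web Front End (WFE).
+{
+pkgs ? import <nixpkgs> {},
+minica ? pkgs.minica,
+mkDerivation ? pkgs.stdenv.mkDerivation
+}:
+let
+conf = import ./snakeoil-certs.nix;
+domain = conf.domain;
+in mkDerivation {
+name = "test-certs";
+buildInputs = [ minica ];
+phases = [ "buildPhase" "installPhase" ];
+
+buildPhase = ''
+minica \
+--ca-key ca.key.pem \
+--ca-cert ca.cert.pem \
+--domains ${domain}
+'';
+
+installPhase = ''
+mkdir -p $out
+mv ca.*.pem $out/
+mv ${domain}/key.pem $out/${domain}.key.pem
+mv ${domain}/cert.pem $out/${domain}.cert.pem
+'';
+}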
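Review bot: `minica` is invoked in `buildPhase` with no control over certificate lifetime, and the committed `acme.test.cert.pem` decodes to a validity window of 2020-10-21 to 2022-11-20 (its notAfter field) while `ca.cert.pem` runs to 2120, so the leaf fixture lapses after roughly two years and the ACME tests will start failing with nothing in this file or the README pointing at the cause. The header comment should carry that caveat, e.g. `# NOTE: the committed acme.test.* pair is only valid until 2022-11-20; regenerate with nix-build and copy the result back in (see README.md).` As a point of style, `minica` is a build-time tool, so `nativeBuildInputs = [ minica ];` is the conventional attribute, and an explicit `phases` list is normally avoided in favour of `dontUnpack = true;`, though both work for a one-off generator.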
@ -1,37 +1,13 @@
|
|||||||
# Minica can provide a CA key and cert, plus a key
|
|
||||||
# and cert for our fake CA server's Web Front End (WFE).
|
|
||||||
{ minica, mkDerivation }:
|
|
||||||
let
|
let
|
||||||
domain = "acme.test";
|
domain = "acme.test";
|
||||||
|
|
||||||
selfSignedCertData = mkDerivation {
|
|
||||||
name = "test-certs";
|
|
||||||
buildInputs = [ minica ];
|
|
||||||
phases = [ "buildPhase" "installPhase" ];
|
|
||||||
|
|
||||||
buildPhase = ''
|
|
||||||
mkdir ca
|
|
||||||
minica \
|
|
||||||
--ca-key ca/key.pem \
|
|
||||||
--ca-cert ca/cert.pem \
|
|
||||||
--domains ${domain}
|
|
||||||
chmod 600 ca/*
|
|
||||||
chmod 640 ${domain}/*.pem
|
|
||||||
'';
|
|
||||||
|
|
||||||
installPhase = ''
|
|
||||||
mkdir -p $out
|
|
||||||
mv ${domain} ca $out/
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
in {
|
in {
|
||||||
inherit domain;
|
inherit domain;
|
||||||
ca = {
|
ca = {
|
||||||
cert = "${selfSignedCertData}/ca/cert.pem";
|
cert = ./ca.cert.pem;
|
||||||
key = "${selfSignedCertData}/ca/key.pem";
|
key = ./ca.key.pem;
|
||||||
};
|
};
|
||||||
"${domain}" = {
|
"${domain}" = {
|
||||||
cert = "${selfSignedCertData}/${domain}/cert.pem";
|
cert = ./. + "/${domain}.cert.pem";
|
||||||
key = "${selfSignedCertData}/${domain}/key.pem";
|
key = ./. + "/${domain}.key.pem";
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
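Review bot: Both header comments that explained what this file provides were removed together with the derivation, so the new 13-line attribute set carries no documentation of what `ca` and `"${domain}"` are, why private keys are committed to the tree, or how to refresh them. A header above `let` would restore that, e.g. `# Hard-coded "snake oil" CA and leaf key/cert pairs for the ACME test server. Test-only material, deliberately committed (see README.md); regenerate with generate-certs.nix.` It is also worth stating there that `./ca.key.pem` and `./. + "/${domain}.key.pem"` are Nix path values, so once a test uses them the private keys are copied into the world-readable Nix store, exactly as the old derivation output was; acceptable for throwaway fixtures, but the comment should stop anyone reusing the pattern for real keys.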