authorLucas Savva <lucas@m1cr0man.com>2022-09-18 21:27:11 +0100
committerWinter <winter@winter.cafe>2022-10-06 10:30:24 -0400
commit39796cad46f1d0b0a14e84a680ababf5ab1ff86d (patch)
treebce414c8416529972401d5611d707f921b47f435
parent22d41f921fa82c891cc2522ffb90a303ecc8a115 (diff)
nixos/acme: Fix cert renewal with built in webserver
Fixes #191794

Lego threw a permission denied error binding to port 80.
AmbientCapabilities with CAP_NET_BIND_SERVICE was required.
Also added a test for this.
-rw-r--r--nixos/modules/security/acme/default.nix1
-rw-r--r--nixos/tests/acme.nix21
2 files changed, 21 insertions, 1 deletions
diff --git a/nixos/modules/security/acme/default.nix b/nixos/modules/security/acme/default.nix
index 377b543c58136..45e4dab087ec6 100644
--- a/nixos/modules/security/acme/default.nix
+++ b/nixos/modules/security/acme/default.nix
@@ -325,6 +325,7 @@ let
         '');
       } // optionalAttrs (data.listenHTTP != null && toInt (elemAt (splitString ":" data.listenHTTP) 1) < 1024) {
         CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+        AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
       };
 
       # Working directory will be /tmp
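Review bot: The new `AmbientCapabilities` line deserves a short comment explaining why it is needed next to `CapabilityBoundingSet` on the line above, because the pair reads as redundant: the bounding set only limits what the process may ever hold, while the ambient set is what actually hands `CAP_NET_BIND_SERVICE` to a service that does not start as root. Something like `# The bounding set alone grants nothing to an unprivileged service; the ambient set is what lets lego bind ports < 1024 (#191794)` would make the intent clear to the next reader. Reviewers should also keep in mind that ambient capabilities survive execve, so any helper process lego spawns from this unit inherits the bind capability as well. The `let` block and the attribute set this hunk sits in begin and end outside the hunk.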
diff --git a/nixos/tests/acme.nix b/nixos/tests/acme.nix
index d3a436080ebff..a31cb12477a0b 100644
--- a/nixos/tests/acme.nix
+++ b/nixos/tests/acme.nix
@@ -173,6 +173,17 @@ in {
       services.nginx.logError = "stderr info";
 
       specialisation = {
+        # Tests HTTP-01 verification using Lego's built-in web server
+        http01lego.configuration = { ... }: {
+          security.acme = {
+            certs."http.example.test" = {
+              listenHTTP = ":80";
+            };
+          };
+
+          networking.firewall.allowedTCPPorts = [ 80 ];
+        };
+
         # First derivation used to test general ACME features
         general.configuration = { ... }: let
           caDomain = nodes.acme.test-support.acme.caDomain;
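Review bot: The comment on the new `http01lego` specialisation says what the test uses but not what it guards against; since `listenHTTP = ":80"` is chosen precisely to hit the module's `< 1024` capability branch, the comment should say so, e.g. `# Tests HTTP-01 verification using Lego's built-in web server on a privileged port (regression test for #191794)`. Without that, a later edit that moves the port above 1024 to avoid a conflict would silently stop covering the fix. The `specialisation` attribute set and the enclosing node definition continue outside the hunk.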
@@ -446,7 +457,15 @@ in {
 
       download_ca_certs(client)
 
-      # Perform general tests first
+      # Perform http-01 w/ lego test first
+      switch_to(webserver, "http01lego")
+
+      with subtest("Can request certificate with Lego's built in web server"):
+          webserver.wait_for_unit("acme-finished-http.example.test.target")
+          check_fullchain(webserver, "http.example.test")
+          check_issuer(webserver, "http.example.test", "pebble")
+
+      # Perform general tests
       switch_to(webserver, "general")
 
       with subtest("Can request certificate with HTTP-01 challenge"):
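Review bot: The new subtest proves issuance succeeded but does not check the mechanism the fix relies on, so a future regression in how `AmbientCapabilities` is applied would only surface as a timeout on `wait_for_unit`. A direct assertion on the unit's property, e.g. `webserver.succeed("systemctl show -p AmbientCapabilities acme-http.example.test.service | grep -q cap_net_bind_service")`, pins the behavior and gives a clearer failure message; the service unit name is inferred from the `acme-finished-…` target naming visible here and should be confirmed against the module. A companion check that a cert with an unprivileged `listenHTTP` port does not receive the capability would also document the least-privilege intent of the `< 1024` condition. The test script this hunk belongs to continues outside the hunk.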