authorLucas Savva <lucas@m1cr0man.com>2022-09-19 01:07:29 +0100
committerWinter <winter@winter.cafe>2022-10-06 10:30:24 -0400
commit657ecbca0ece81c5e2a411d7044a3d837f520408 (patch)
treec9fb808af8caff284c5f686917af5a859b5f12c8 /nixos/modules/security
parent39796cad46f1d0b0a14e84a680ababf5ab1ff86d (diff)
nixos/acme: Make account creds check more robust
Fixes #190493

Check if an actual key file exists. This does not
completely cover the work accountHash does to ensure
that a new account is registered when account
related options are changed.
Diffstat (limited to 'nixos/modules/security')
-rw-r--r--nixos/modules/security/acme/default.nix3
1 files changed, 2 insertions, 1 deletions
diff --git a/nixos/modules/security/acme/default.nix b/nixos/modules/security/acme/default.nix
index 45e4dab087ec6..91ec24ab1f58d 100644
--- a/nixos/modules/security/acme/default.nix
+++ b/nixos/modules/security/acme/default.nix
@@ -377,7 +377,8 @@ let
 
         # Check if we can renew.
         # We can only renew if the list of domains has not changed.
-        if cmp -s domainhash.txt certificates/domainhash.txt && [ -e 'certificates/${keyName}.key' -a -e 'certificates/${keyName}.crt' -a -n "$(ls -1 accounts)" ]; then
+        # We also need an account key. Avoids #190493
+        if cmp -s domainhash.txt certificates/domainhash.txt && [ -e 'certificates/${keyName}.key' -a -e 'certificates/${keyName}.crt' -a -n "$(find accounts -name '${data.email}.key')" ]; then
 
           # Even if a cert is not expired, it may be revoked by the CA.
           # Try to renew, and silently fail if the cert is not expired.
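Review bot: The new condition on the added `if` line interpolates `data.email` straight into a single-quoted shell word, so a value containing a single quote breaks the quoting and glob characters (`*`, `?`, `[`) in it are interpreted by `find -name` rather than matched literally; depending on the value the check then either fails to parse or silently reports a key that does not belong to this email. Whether the option validates the address elsewhere is not visible in this hunk. If `lib` is in scope in this module, escaping the pattern makes the word robust: `-n "$(find accounts -name ${lib.escapeShellArg "${data.email}.key"})"`. Note also that `-name` matches at any depth under `accounts`, so a leftover key for the same email in another directory would satisfy the check; the commit message already states the check is partial. The `if` body continues past the hunk.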