author | Lucas Savva <lucas@m1cr0man.com> | 2022-09-18 21:27:11 +0100 |
committer | Winter <winter@winter.cafe> | 2022-10-06 10:30:24 -0400 |
commit | 39796cad46f1d0b0a14e84a680ababf5ab1ff86d (patch) | |
tree | bce414c8416529972401d5611d707f921b47f435 /nixos/tests/acme.nix | |
parent | 22d41f921fa82c891cc2522ffb90a303ecc8a115 (diff) |
nixos/acme: Fix cert renewal with built in webserver
Fixes #191794. Lego threw a permission denied error when binding to port 80; AmbientCapabilities with CAP_NET_BIND_SERVICE was required. Also added a test for this.
Diffstat (limited to 'nixos/tests/acme.nix')
-rw-r--r-- | nixos/tests/acme.nix | 21 |
1 files changed, 20 insertions, 1 deletions
diff --git a/nixos/tests/acme.nix b/nixos/tests/acme.nix
index d3a436080ebff..a31cb12477a0b 100644
--- a/nixos/tests/acme.nix
+++ b/nixos/tests/acme.nix
@@ -173,6 +173,17 @@ in {
 services.nginx.logError = "stderr info";
 specialisation = {
+ # Tests HTTP-01 verification using Lego's built-in web server
+ http01lego.configuration = { ... }: {
+ security.acme = {
+ certs."http.example.test" = {
+ listenHTTP = ":80";
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 ];
+ };
+
 # First derivation used to test general ACME features
 general.configuration = { ... }: let
 caDomain = nodes.acme.test-support.acme.caDomain;
@@ -446,7 +457,15 @@ in {
 download_ca_certs(client)
- # Perform general tests first
+ # Perform http-01 w/ lego test first
+ switch_to(webserver, "http01lego")
+
+ with subtest("Can request certificate with Lego's built in web server"):
+ webserver.wait_for_unit("acme-finished-http.example.test.target")
+ check_fullchain(webserver, "http.example.test")
+ check_issuer(webserver, "http.example.test", "pebble")
+
+ # Perform general tests
 switch_to(webserver, "general")
 with subtest("Can request certificate with HTTP-01 challenge"): |
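Review bot: The new subtest in the second hunk only covers initial issuance (`wait_for_unit("acme-finished-http.example.test.target")` followed by the chain and issuer checks), whereas the commit message describes a renewal failure; a forced renewal under the `http01lego` specialisation would exercise the port-80 bind path the fix targets, if the harness already has a renewal helper — that is not visible from this hunk. The comment `# Perform http-01 w/ lego test first` states an ordering but not why it matters; presumably the later specialisations put nginx on port 80 and would clash with `listenHTTP = ":80"`, so spell that out, e.g. `# Run the Lego built-in webserver test before the nginx-backed specialisations take over port 80`. In the first hunk, `networking.firewall.allowedTCPPorts = [ 80 ];` opens the port on every interface of the test VM, which is acceptable in the sandboxed test but deserves a one-line comment such as `# Lego's built-in listener must be reachable by pebble for HTTP-01` so the setting is not copied into a module default without thought.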