diff options
author | Lucas Savva <lucas@m1cr0man.com> | 2021-11-27 00:03:35 +0000 |
---|---|---|
committer | Lucas Savva <lucas@m1cr0man.com> | 2021-12-26 16:44:09 +0000 |
commit | a7f00013280416ce889d841e675526b8cb96a0ee (patch) | |
tree | 25899bc2f7446223fe52dfd7128f7c64d8d3b01c /nixos/tests/acme.nix | |
parent | 87403a0b078d62245de7d619f2b71d2a0c78675a (diff) |
nixos/acme: Check for revoked certificates
Closes #129838 It is possible for the CA to revoke a cert that has not yet expired. We must run lego to validate this before expiration, but we must still ignore failures on unexpired certs to retain compatibility with #85794 Also changed domainHash logic such that a renewal will only be attempted at all if domains are unchanged, and do a full run otherwises. Resolves #147540 but will be partially reverted when go-acme/lego#1532 is resolved + available.
Diffstat (limited to 'nixos/tests/acme.nix')
-rw-r--r-- | nixos/tests/acme.nix | 22 |
1 files changed, 21 insertions, 1 deletions
diff --git a/nixos/tests/acme.nix b/nixos/tests/acme.nix index 72b7bb8a396a3..80b85502d4e8c 100644 --- a/nixos/tests/acme.nix +++ b/nixos/tests/acme.nix @@ -113,11 +113,19 @@ in import ./make-test-python.nix ({ lib, ... }: { # Now adding an alias to ensure that the certs are updated specialisation.nginx-aliases.configuration = { pkgs, ... }: { - services.nginx.virtualHosts."a.example.test" = { + services.nginx.virtualHosts."a.example.test" = (vhostBase pkgs) // { serverAliases = [ "b.example.test" ]; }; }; + # Must be run after nginx-aliases + specialisation.remove-extra-domain.configuration = { pkgs, ... } : { + # This also validates that useACMEHost doesn't unexpectedly add the domain. + services.nginx.virtualHosts."b.example.test" = (vhostBase pkgs) // { + useACMEHost = "a.example.test"; + }; + }; + # Test OCSP Stapling specialisation.ocsp-stapling.configuration = { pkgs, ... }: { security.acme.certs."a.example.test" = { @@ -408,6 +416,18 @@ in import ./make-test-python.nix ({ lib, ... }: { check_connection(client, "a.example.test") check_connection(client, "b.example.test") + with subtest("Can remove extra domains from a cert"): + switch_to(webserver, "remove-extra-domain") + webserver.wait_for_unit("acme-finished-a.example.test.target") + webserver.wait_for_unit("nginx.service") + check_connection(client, "a.example.test") + rc, _ = client.execute( + "openssl s_client -CAfile /tmp/ca.crt -connect b.example.test:443" + " </dev/null 2>/dev/null | openssl x509 -noout -text" + " | grep DNS: | grep b.example.test" + ) + assert rc > 0, "Removed extraDomainName was not removed from the cert" + with subtest("Can request certificates for vhost + aliases (apache-httpd)"): try: switch_to(webserver, "httpd-aliases") |