377c6bcefc
Allows configuring many default settings for certificates, all of which can still be overridden on a per-cert basis. Some options have been moved into .defaults from security.acme, namely email, server, validMinDays and renewInterval. These changes will not break existing configurations thanks to mkChangedOptionModule. With this, it is also now possible to configure DNS-01 with web servers whose virtualHosts utilise enableACME. The only requirement is you set `acmeRoot = null` for each vhost. The test suite has been revamped to cover these additions and also to generally make it easier to maintain. Test config for apache and nginx has been fully standardised, and it is now much easier to add a new web server if it follows the same configuration patterns as those two. I have also optimised the use of switch-to-configuration which should speed up testing. |
||
|---|---|---|
| .. | ||
| acme.test.cert.pem | ||
| acme.test.key.pem | ||
| ca.cert.pem | ||
| ca.key.pem | ||
| default.nix | ||
| generate-certs.nix | ||
| README.md | ||
| snakeoil-certs.nix | ||
Fake Certificate Authority for ACME testing
This will set up a test node running pebble to serve ACME certificate requests.
"Snake oil" certs
The snake oil certs are hard coded into the repo for reasons explained here. The root of the issue is that Nix will hash the derivation based on the arguments to mkDerivation, not the output. Minica will always generate a random certificate even if the arguments are unchanged. As a result, it's possible to end up in a situation where the cached and local generated certs mismatch and cause issues with testing.
To generate new certificates, run the following commands:
nix-build generate-certs.nix
cp result/* .
rm result