0c0af28cd5
Let's Encrypt bumped ACME to v2. We need to update our NixOS test to be compatible with this new protocol version. We decided to drop the Boulder ACME server in favor of the more integration-test-friendly Pebble. - overriding cacert not necessary - this avoids rebuilding lots of packages needlessly - nixos/tests/acme: use pebble's CA for client tests - pebble always generates its own CA which has to be fetched TODO: write proper commit msg :)
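{ pkgs ? import <nixpkgs> {}
, lib ? pkgs.lib
, domains ? [ "acme-v02.api.letsencrypt.org" "letsencrypt.org" ]
}:

# Build a throw-away ("snakeoil") CA plus one leaf certificate per entry of
# `domains`, and render the result as a Nix attribute set:
#
#   { ca = { key = <store path>; cert = <store path>; };
#     "<fqdn>" = { key = <store path>; cert = <store path>; }; ... }
#
# Arguments:
#   pkgs    - package set providing `runCommand`, `writeText` and `openssl`
#   lib     - nixpkgs lib (string helpers and `escapeShellArg`)
#   domains - FQDNs to issue leaf certificates for; each becomes an attribute
#
# SECURITY: every private key (CA and leaf) is written into the Nix store via
# builtins.toFile, i.e. world-readable on any host that has the derivation.
# That is only acceptable because this material is for test VMs; never point a
# real service at it.  The CA is self-signed with `openssl req -x509`, which
# relies on openssl's default extension section for the CA bit - not set
# explicitly here.
pkgs.runCommand "letsencrypt-snakeoil-ca" {
  nativeBuildInputs = [ pkgs.openssl ];
} ''
  # addpem FILE ATTR...: append `ATTR... = builtins.toFile "ATTR.ATTR" <FILE>;`
  # to $out, quoting every attribute that is not a plain identifier.
  addpem() {
    local file="$1"; shift
    local storeFileName="$(IFS=.; echo "$*")"

    echo -n " " >> "$out"

    # Every following argument is an attribute, so let's recurse and check
    # every attribute whether it must be quoted and write it into $out.
    while [ -n "$1" ]; do
      if expr match "$1" '^[a-zA-Z][a-zA-Z0-9]*$' > /dev/null; then
        echo -n "$1" >> "$out"
      else
        echo -n '"' >> "$out"
        # printf, not echo: an attribute like "-e" must not be eaten as an
        # option.  Backslash is escaped alongside quote and dollar, otherwise a
        # `\` in the name would yield an invalid Nix string literal.
        printf '%s' "$1" | sed -e 's/[\\"$]/\\&/g' >> "$out"
        echo -n '"' >> "$out"
      fi
      shift
      [ -z "$1" ] || echo -n . >> "$out"
    done

    # Emit the PEM body as an indented Nix string; PEM is ASCII without any
    # of the indented-string escape sequences, so no further quoting is needed.
    echo " = builtins.toFile \"$storeFileName\" '''" >> "$out"
    sed -e 's/^/ /' "$file" >> "$out"
    echo " ''';" >> "$out"
  }

  echo '# Generated via mkcert.sh in the same directory.' > "$out"
  echo '{' >> "$out"

  # Self-signed root with a 100-year lifetime; uses openssl's default config
  # since OPENSSL_CONF is not set yet.
  openssl req -newkey rsa:4096 -x509 -sha256 -days 36500 \
    -subj '/CN=Snakeoil CA' -nodes -out ca.pem -keyout ca.key

  addpem ca.key ca key
  addpem ca.pem ca cert

  ${lib.concatImapStrings (serial: fqdn: let
    opensslConfig = pkgs.writeText "snakeoil.cnf" ''
      [req]
      default_bits = 4096
      prompt = no
      default_md = sha256
      req_extensions = req_ext
      distinguished_name = dn
      [dn]
      CN = ${fqdn}
      [req_ext]
      subjectAltName = DNS:${fqdn}
    '';
  in ''
    export OPENSSL_CONF=${lib.escapeShellArg opensslConfig}
    openssl genrsa -out snakeoil.key 4096
    openssl req -new -key snakeoil.key -out snakeoil.csr
    # `x509 -req` does not carry extensions over from the CSR, so the extension
    # section is passed explicitly - otherwise the leaf has no subjectAltName
    # and clients that no longer fall back to CN reject it.  Serial numbers
    # must be unique per issuing CA (RFC 5280 section 4.1.2.2), hence the
    # per-domain index rather than one fixed value for every leaf.
    openssl x509 -req -in snakeoil.csr -sha256 -set_serial ${toString serial} \
      -extfile ${lib.escapeShellArg opensslConfig} -extensions req_ext \
      -CA ca.pem -CAkey ca.key -out snakeoil.pem -days 36500
    addpem snakeoil.key ${lib.escapeShellArg fqdn} key
    addpem snakeoil.pem ${lib.escapeShellArg fqdn} cert
  '') domains}

  echo '}' >> "$out"
''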