nixpkgs/nixos/tests/common/letsencrypt/mkcerts.nix
Félix Baylac-Jacqué 0c0af28cd5 nixos/tests/letsencrypt: use Pebble instead of Boulder
Let's encrypt bumped ACME to V2. We need to update our nixos test to
be compatible with this new protocol version.

We decided to drop the Boulder ACME server in favor of the more
integration test friendly Pebble.

- overriding cacert not necessary
- this avoids rebuilding lots of packages needlessly
- nixos/tests/acme: use pebble's ca for client tests
- pebble always generates its own ca which has to be fetched

TODO: write proper commit msg :)
2019-10-23 21:17:17 +02:00

70 lines
1.9 KiB
Nix

{ pkgs ? import <nixpkgs> {}
, lib ? pkgs.lib
, domains ? [ "acme-v02.api.letsencrypt.org" "letsencrypt.org" ]
}:
pkgs.runCommand "letsencrypt-snakeoil-ca" {
nativeBuildInputs = [ pkgs.openssl ];
} ''
addpem() {
local file="$1"; shift
local storeFileName="$(IFS=.; echo "$*")"
echo -n " " >> "$out"
# Every following argument is an attribute, so let's recurse and check
# every attribute whether it must be quoted and write it into $out.
while [ -n "$1" ]; do
if expr match "$1" '^[a-zA-Z][a-zA-Z0-9]*$' > /dev/null; then
echo -n "$1" >> "$out"
else
echo -n '"' >> "$out"
echo -n "$1" | sed -e 's/["$]/\\&/g' >> "$out"
echo -n '"' >> "$out"
fi
shift
[ -z "$1" ] || echo -n . >> "$out"
done
echo " = builtins.toFile \"$storeFileName\" '''" >> "$out"
sed -e 's/^/ /' "$file" >> "$out"
echo " ''';" >> "$out"
}
echo '# Generated via mkcert.sh in the same directory.' > "$out"
echo '{' >> "$out"
openssl req -newkey rsa:4096 -x509 -sha256 -days 36500 \
-subj '/CN=Snakeoil CA' -nodes -out ca.pem -keyout ca.key
addpem ca.key ca key
addpem ca.pem ca cert
${lib.concatMapStrings (fqdn: let
opensslConfig = pkgs.writeText "snakeoil.cnf" ''
[req]
default_bits = 4096
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[dn]
CN = ${fqdn}
[req_ext]
subjectAltName = DNS:${fqdn}
'';
in ''
export OPENSSL_CONF=${lib.escapeShellArg opensslConfig}
openssl genrsa -out snakeoil.key 4096
openssl req -new -key snakeoil.key -out snakeoil.csr
openssl x509 -req -in snakeoil.csr -sha256 -set_serial 666 \
-CA ca.pem -CAkey ca.key -out snakeoil.pem -days 36500
addpem snakeoil.key ${lib.escapeShellArg fqdn} key
addpem snakeoil.pem ${lib.escapeShellArg fqdn} cert
'') domains}
echo '}' >> "$out"
''