author | Lucas Savva <lucas@m1cr0man.com> | 2021-11-26 21:57:31 +0000 |
---|---|---|
committer | Lucas Savva <lucas@m1cr0man.com> | 2021-12-26 16:44:08 +0000 |
commit | 87403a0b078d62245de7d619f2b71d2a0c78675a (patch) | |
tree | e9e5641529609f26b0ffac44b951541c70bec9bc | |
parent | a88d846b91dc3c75b825187998debd8e08c7794b (diff) | |
nixos/acme: Add a human readable error on run failure
Closes NixOS/nixpkgs#108237

When a user first adds an ACME cert to their configuration, it's likely to fail to renew due to DNS misconfig. This is non-fatal for other services since selfsigned certs are (usually) put in place to let dependent services start. Tell the user about this in the logs, and exit 2 for differentiation purposes.
-rw-r--r-- | nixos/modules/security/acme.nix | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix index dcea137b52e..be4762da8d1 100644 --- a/nixos/modules/security/acme.nix +++ b/nixos/modules/security/acme.nix @@ -391,8 +391,13 @@ let fi # Otherwise do a full run - else - lego ${runOpts} + elif ! lego ${runOpts}; then + # Produce a nice error for those doing their first nixos-rebuild with these certs + echo Failed to fetch certificates. \ + This may mean your DNS records are set up incorrectly. \ + ${optionalString (cfg.preliminarySelfsigned) "Selfsigned certs are in place and dependant services will still start."} + # Exit 2 so that users can potentially amend SuccessExitStatus to ignore this error. + exit 2 fi mv domainhash.txt certificates/ |
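Review bot: In the `elif ! lego ${runOpts}; then` branch, `exit 2` is returned for every lego failure, not only DNS problems, and lego's own exit status is dropped. A user who follows the comment and adds 2 to SuccessExitStatus would then have the unit report success for any failed full run, including when `cfg.preliminarySelfsigned` is off and no certificate is in place. Consider documenting that trade-off next to the comment, or only pointing at the SuccessExitStatus workaround when self-signed certs are enabled, and keep the hint worded as one possible cause since the branch cannot tell DNS errors from other failures. The `echo` is also unquoted and writes to stdout; quoting the message and redirecting it with `>&2` would be more conventional for an error message and would stop the shell from re-splitting the interpolated `optionalString` text.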