diff options
author | aszlig <aszlig@redmoonstudios.org> | 2017-07-16 18:57:38 +0200 |
---|---|---|
committer | aszlig <aszlig@redmoonstudios.org> | 2017-07-16 20:38:15 +0200 |
commit | b6188438607bbb817d17db31b061870379a8faf6 (patch) | |
tree | 431951225bacad7092fa8ef5165e75756c57ab65 | |
parent | 5d29744f4dc2c8d62fc5a99f896aa96ea440874d (diff) | |
download | nixpkgs-b6188438607bbb817d17db31b061870379a8faf6.tar nixpkgs-b6188438607bbb817d17db31b061870379a8faf6.tar.gz nixpkgs-b6188438607bbb817d17db31b061870379a8faf6.tar.bz2 nixpkgs-b6188438607bbb817d17db31b061870379a8faf6.tar.lz nixpkgs-b6188438607bbb817d17db31b061870379a8faf6.tar.xz nixpkgs-b6188438607bbb817d17db31b061870379a8faf6.tar.zst nixpkgs-b6188438607bbb817d17db31b061870379a8faf6.zip |
nixos/taskserver: Fix manual PKI management
The helper tool had a very early check whether the automatically created CA key/cert are available and thus it would abort if the key was unavailable even though we don't need or even want to have the CA key. Unfortunately our NixOS test didn't catch this, because it was just switching from a configuration with an automatically created CA to a manual configuration without deleting the generated keys and certs. This is done now in the tests and it's also fixed in the helper tool. Reported-by: @jpotier Signed-off-by: aszlig <aszlig@redmoonstudios.org>
-rw-r--r-- | nixos/modules/services/misc/taskserver/helper-tool.py | 2 | ||||
-rw-r--r-- | nixos/tests/taskserver.nix | 4 |
2 files changed, 6 insertions, 0 deletions
diff --git a/nixos/modules/services/misc/taskserver/helper-tool.py b/nixos/modules/services/misc/taskserver/helper-tool.py index b97bc1df74f..22a3d8d5311 100644 --- a/nixos/modules/services/misc/taskserver/helper-tool.py +++ b/nixos/modules/services/misc/taskserver/helper-tool.py @@ -448,6 +448,8 @@ def cli(ctx): """ Manage Taskserver users and certificates """ + if not IS_AUTO_CONFIG: + return for path in (CA_KEY, CA_CERT, CRL_FILE): if not os.path.exists(path): msg = "CA setup not done or incomplete, missing file {}." diff --git a/nixos/tests/taskserver.nix b/nixos/tests/taskserver.nix index cdccb11d888..75be97a507d 100644 --- a/nixos/tests/taskserver.nix +++ b/nixos/tests/taskserver.nix @@ -246,6 +246,10 @@ in { }; subtest "check manual configuration", sub { + # Remove the keys from automatic CA creation, to make sure the new + # generation doesn't use keys from before. + $server->succeed('rm -rf ${cfg.dataDir}/keys/* >&2'); + $server->succeed('${switchToNewServer} >&2'); $server->waitForUnit("taskserver.service"); $server->waitForOpenPort(${portStr}); |