author | Lucas Savva <lucas@m1cr0man.com> | 2021-03-15 01:33:45 +0000 |
committer | Lucas Savva <lucas@m1cr0man.com> | 2021-03-15 01:41:40 +0000 |
commit | 920a3f5a9d0d603b2435bac2c58d76ab784fcddd (patch) | |
tree | d261bc629afe6b552a2d69cb1616aaff62dd77f2 /nixos/tests/acme.nix | |
parent | 63a9f162355ec84c423690869a97848d73409fb8 (diff) | |
nixos/acme: Fix webroot issues
With the UMask set to 0023, the webroot created by the mkdir -p command could end up unreadable if the web server changes, as surfaced by the test suite in #114751. On top of this, the subsequent commands to chown the webroot and its subdirectories were mostly unnecessary. I stripped them back to only fix the deepest part of the directory, resolving #115976, and reintroduced a human-readable error message.
Diffstat (limited to 'nixos/tests/acme.nix')
-rw-r--r-- | nixos/tests/acme.nix | 39 |
1 files changed, 29 insertions, 10 deletions
diff --git a/nixos/tests/acme.nix b/nixos/tests/acme.nix
index c6d393d9196..ef5021bf1a0 100644
--- a/nixos/tests/acme.nix
+++ b/nixos/tests/acme.nix
@@ -253,7 +253,7 @@ in import ./make-test-python.nix ({ lib, ... }: {
 def check_connection(node, domain, retries=3):
- assert retries >= 0
+ assert retries >= 0, f"Failed to connect to https://{domain}"
 result = node.succeed(
 "openssl s_client -brief -verify 2 -CAfile /tmp/ca.crt"
@@ -262,12 +262,12 @@ in import ./make-test-python.nix ({ lib, ... }: {
 for line in result.lower().split("\n"):
 if "verification" in line and "error" in line:
- time.sleep(1)
+ time.sleep(3)
 return check_connection(node, domain, retries - 1)
 def check_connection_key_bits(node, domain, bits, retries=3):
- assert retries >= 0
+ assert retries >= 0, f"Did not find expected number of bits ({bits}) in key"
 result = node.succeed(
 "openssl s_client -CAfile /tmp/ca.crt"
@@ -277,12 +277,12 @@ in import ./make-test-python.nix ({ lib, ... }: {
 print("Key type:", result)
 if bits not in result:
- time.sleep(1)
+ time.sleep(3)
 return check_connection_key_bits(node, domain, bits, retries - 1)
 def check_stapling(node, domain, retries=3):
- assert retries >= 0
+ assert retries >= 0, "OCSP Stapling check failed"
 # Pebble doesn't provide a full OCSP responder, so just check the URL
 result = node.succeed(
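Review bot: The message added to the assert in check_connection, `f"Failed to connect to https://{domain}"`, does not describe the condition that exhausts the retries: node.succeed raises on its own when openssl s_client cannot connect, so this assert is only reached after the loop in the @@ -262 hunk repeatedly finds a "verification"/"error" line in the openssl output. A message such as `assert retries >= 0, f"Certificate verification failed for https://{domain}"` would point a reader at the actual failure (an untrusted or mismatched certificate) instead of at the network. The messages added in the @@ -262 and @@ -277 hunks for the key-bits and OCSP checks do describe their respective conditions. The bodies of all three helpers continue outside the hunks.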
@@ -293,10 +293,23 @@ in import ./make-test-python.nix ({ lib, ... }: {
 print("OCSP Responder URL:", result)
 if "${caDomain}:4002" not in result.lower():
- time.sleep(1)
+ time.sleep(3)
 return check_stapling(node, domain, retries - 1)
+ def download_ca_certs(node, retries=5):
+ assert retries >= 0, "Failed to connect to pebble to download root CA certs"
+
+ exit_code, _ = node.execute("curl https://${caDomain}:15000/roots/0 > /tmp/ca.crt")
+ exit_code_2, _ = node.execute(
+ "curl https://${caDomain}:15000/intermediate-keys/0 >> /tmp/ca.crt"
+ )
+
+ if exit_code + exit_code_2 > 0:
+ time.sleep(3)
+ return download_ca_certs(node, retries - 1)
+
+
 client.start()
 dnsserver.start()
@@ -313,8 +326,7 @@ in import ./make-test-python.nix ({ lib, ... }: {
 acme.wait_for_unit("network-online.target")
 acme.wait_for_unit("pebble.service")
- client.succeed("curl https://${caDomain}:15000/roots/0 > /tmp/ca.crt")
- client.succeed("curl https://${caDomain}:15000/intermediate-keys/0 >> /tmp/ca.crt")
+ download_ca_certs(client)
 with subtest("Can request certificate with HTTPS-01 challenge"):
 webserver.wait_for_unit("acme-finished-a.example.test.target")
@@ -375,8 +387,15 @@ in import ./make-test-python.nix ({ lib, ... }: {
 assert keyhash_old == keyhash_new
 with subtest("Can request certificates for vhost + aliases (apache-httpd)"):
- switch_to(webserver, "httpd-aliases")
- webserver.wait_for_unit("acme-finished-c.example.test.target")
+ try:
+ switch_to(webserver, "httpd-aliases")
+ webserver.wait_for_unit("acme-finished-c.example.test.target")
+ except Exception as err:
+ _, output = webserver.execute(
+ "cat /var/log/httpd/*.log && ls -al /var/lib/acme/acme-challenge"
+ )
+ print(output)
+ raise err
 check_issuer(webserver, "c.example.test", "pebble")
 check_connection(client, "c.example.test")
 check_connection(client, "d.example.test") |
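Review bot: download_ca_certs retries only when the curl exit status is non-zero, but curl exits 0 on an HTTP error response unless `--fail` is given, so a 404 or 5xx from pebble's management endpoint would write the error body into /tmp/ca.crt with exit_code still 0 and the retry never fires. Because that file is the trust anchor passed as `-CAfile /tmp/ca.crt` in the check helpers, the damage would surface much later as an opaque verification failure rather than here. Adding the flag to both commands fixes the check: `node.execute("curl --fail https://${caDomain}:15000/roots/0 > /tmp/ca.crt")` and `"curl --fail https://${caDomain}:15000/intermediate-keys/0 >> /tmp/ca.crt"`. The truncating `>` on the first command means a retry after a failed second download starts from a clean file, which is correct as written.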
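Review bot: In the new except branch of the httpd-aliases subtest, `cat /var/log/httpd/*.log && ls -al /var/lib/acme/acme-challenge` skips the directory listing whenever cat fails, for example when no *.log file exists yet and the unexpanded glob is handed to cat, which is precisely the situation in which the permissions of the challenge directory are the interesting diagnostic. Joining the two with `;` prints whatever is available: `"cat /var/log/httpd/*.log; ls -al /var/lib/acme/acme-challenge"`. The re-raise can also be the bare `raise` rather than `raise err`, which is the idiomatic form for re-raising the active exception unchanged. The subtest block continues past the end of the hunk.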