authorFélix Baylac-Jacqué <felix@alternativebit.fr>2019-10-18 19:13:04 +0200
committerFlorian Klink <flokli@flokli.de>2019-10-23 21:17:17 +0200
commit0c0af28cd59766f961efefea8ad4d14343a82821 (patch)
tree22ab3abf6af46a1ab7931e7752d1ad639f3afa88 /nixos/tests/acme.nix
parent38e84151e04f4b31dd729abb28db4159045bfd41 (diff)
nixos/tests/letsencrypt: use Pebble instead of Boulder
Let's Encrypt moved its endpoints to ACME v2. We need to update our NixOS test to
be compatible with this new protocol version.

We decided to drop the Boulder ACME server in favor of the more
integration test friendly Pebble.

- overriding cacert not necessary
- this avoids rebuilding lots of packages needlessly
- nixos/tests/acme: use pebble's ca for client tests
- pebble always generates its own ca which has to be fetched

TODO: write proper commit msg :)
Diffstat (limited to 'nixos/tests/acme.nix')
-rw-r--r--nixos/tests/acme.nix18
1 files changed, 13 insertions, 5 deletions
diff --git a/nixos/tests/acme.nix b/nixos/tests/acme.nix
index 8cfdea4a16e..85d32d10944 100644
--- a/nixos/tests/acme.nix
+++ b/nixos/tests/acme.nix
@@ -80,7 +80,7 @@ in import ./make-test.nix {
     client = commonConfig;
   };
 
-  testScript = {nodes, ...}: 
+  testScript = {nodes, ...}:
     let
       newServerSystem = nodes.webserver2.config.system.build.toplevel;
       switchToNewServer = "${newServerSystem}/bin/switch-to-configuration test";
@@ -91,9 +91,12 @@ in import ./make-test.nix {
     # get pulled in by the oneshot units. The target units linger after activation, and hence we
     # can use them to probe that a oneshot fired. It is a bit ugly, but it is the best we can do
     ''
-      $client->waitForUnit("default.target");
+      $client->start;
+      $letsencrypt->start;
+      $acmeStandalone->start;
+
       $letsencrypt->waitForUnit("default.target");
-      $letsencrypt->waitForUnit("boulder.service");
+      $letsencrypt->waitForUnit("pebble.service");
 
       subtest "can request certificate with HTTPS-01 challenge", sub {
         $acmeStandalone->waitForUnit("default.target");
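Review bot: `$letsencrypt->waitForUnit("pebble.service")` on the replaced line only establishes that systemd considers the unit active, not that Pebble's ACME listener is accepting connections, so the standalone client in the following subtest can race the server if Pebble binds its port after the unit reports active. A `$letsencrypt->waitForOpenPort(<acme port>)` immediately after that line would pin readiness; the port number is configured outside this hunk, so confirm it against the pebble config. The test script's `let` and the enclosing string start before this hunk.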
@@ -101,15 +104,20 @@ in import ./make-test.nix {
         $acmeStandalone->waitForUnit("acme-finished-standalone.com.target");
       };
 
+      $client->waitForUnit("default.target");
+
+      $client->succeed('curl https://acme-v02.api.letsencrypt.org:15000/roots/0 > /tmp/ca.crt');
+      $client->succeed('curl https://acme-v02.api.letsencrypt.org:15000/intermediate-keys/0 >> /tmp/ca.crt');
+
       subtest "Can request certificate for nginx service", sub {
         $webserver->waitForUnit("acme-finished-a.example.com.target");
-        $client->succeed('curl https://a.example.com/ | grep -qF "hello world"');
+        $client->succeed('curl --cacert /tmp/ca.crt https://a.example.com/ | grep -qF "hello world"');
       };
 
       subtest "Can add another certificate for nginx service", sub {
         $webserver->succeed("/run/current-system/fine-tune/child-1/bin/switch-to-configuration test");
         $webserver->waitForUnit("acme-finished-b.example.com.target");
-        $client->succeed('curl https://b.example.com/ | grep -qF "hello world"');
+        $client->succeed('curl --cacert /tmp/ca.crt https://b.example.com/ | grep -qF "hello world"');
       };
     '';
 }
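Review bot: The two `curl` calls that build `/tmp/ca.crt` run without `--fail`, so an HTTP error from the management interface (a 404 on a wrong path, for instance) exits 0 and writes the error body into the CA file; the breakage then surfaces only as an opaque TLS verification failure in the later `--cacert` subtests. Use `$client->succeed('curl --fail -sS https://acme-v02.api.letsencrypt.org:15000/roots/0 > /tmp/ca.crt');` and the same for the second fetch. Note also that the second path, `/intermediate-keys/0`, reads as Pebble's private-key endpoint rather than the intermediate certificate one; if the intermediate certificate is what is wanted, `/intermediates/0` is presumably the right path — verify against the Pebble management API. Finally, the CA bootstrap itself is only as trustworthy as the verification of the :15000 fetch, which depends on trust configuration not visible in this hunk; a one-line comment stating where that trust comes from (e.g. `# the client trusts pebble's minica via commonConfig, so this fetch is verified`) would make the chain explicit.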