diff options
Diffstat (limited to 'nixos/tests/acme.nix')
-rw-r--r-- | nixos/tests/acme.nix | 60 |
1 files changed, 59 insertions, 1 deletions
diff --git a/nixos/tests/acme.nix b/nixos/tests/acme.nix index d3a436080eb..d540bc6ec31 100644 --- a/nixos/tests/acme.nix +++ b/nixos/tests/acme.nix @@ -41,6 +41,16 @@ inherit documentRoot; }; + simpleConfig = { + security.acme = { + certs."http.example.test" = { + listenHTTP = ":80"; + }; + }; + + networking.firewall.allowedTCPPorts = [ 80 ]; + }; + # Base specialisation config for testing general ACME features webserverBasicConfig = { services.nginx.enable = true; @@ -173,6 +183,26 @@ in { services.nginx.logError = "stderr info"; specialisation = { + # Tests HTTP-01 verification using Lego's built-in web server + http01lego.configuration = simpleConfig; + + renew.configuration = lib.mkMerge [ + simpleConfig + { + # Pebble provides 5 year long certs, + # needs to be higher than that to test renewal + security.acme.certs."http.example.test".validMinDays = 9999; + } + ]; + + # Tests that account creds can be safely changed. + accountchange.configuration = lib.mkMerge [ + simpleConfig + { + security.acme.certs."http.example.test".email = "admin@example.test"; + } + ]; + # First derivation used to test general ACME features general.configuration = { ... }: let caDomain = nodes.acme.test-support.acme.caDomain; @@ -446,7 +476,35 @@ in { download_ca_certs(client) - # Perform general tests first + # Perform http-01 w/ lego test first + with subtest("Can request certificate with Lego's built in web server"): + switch_to(webserver, "http01lego") + webserver.wait_for_unit("acme-finished-http.example.test.target") + check_fullchain(webserver, "http.example.test") + check_issuer(webserver, "http.example.test", "pebble") + + # Perform renewal test + with subtest("Can renew certificates when they expire"): + hash = webserver.succeed("sha256sum /var/lib/acme/http.example.test/cert.pem") + switch_to(webserver, "renew") + webserver.wait_for_unit("acme-finished-http.example.test.target") + check_fullchain(webserver, "http.example.test") + check_issuer(webserver, "http.example.test", "pebble") + hash_after = webserver.succeed("sha256sum /var/lib/acme/http.example.test/cert.pem") + assert hash != hash_after + + # Perform account change test + with subtest("Handles email change correctly"): + hash = webserver.succeed("sha256sum /var/lib/acme/http.example.test/cert.pem") + switch_to(webserver, "accountchange") + webserver.wait_for_unit("acme-finished-http.example.test.target") + check_fullchain(webserver, "http.example.test") + check_issuer(webserver, "http.example.test", "pebble") + hash_after = webserver.succeed("sha256sum /var/lib/acme/http.example.test/cert.pem") + # Has to do a full run to register account, which creates new certs. + assert hash != hash_after + + # Perform general tests switch_to(webserver, "general") with subtest("Can request certificate with HTTP-01 challenge"): |