Unverified Commit 992035cf authored by Florian Klink's avatar Florian Klink Committed by GitHub

Merge pull request #72007 from NinjaTrappeur/nin-acme-custom-dir-uri

nixos/acme: Custom ACME endpoint
parents aad81ec8 781f0cf2
+30 −16
@@ -20,6 +20,16 @@ let
        '';
      };

      server = mkOption {
        type = types.nullOr types.str;
        default = null;
        description = ''
          ACME Directory Resource URI. Defaults to let's encrypt
          production endpoint,
          https://acme-v02.api.letsencrypt.org/directory, if unset.
        '';
      };

      domain = mkOption {
        type = types.str;
        default = name;
@@ -109,7 +119,15 @@ in
{

  ###### interface
  imports = [
    (mkRemovedOptionModule [ "security" "acme" "production" ] ''
      Use security.acme.server to define your staging ACME server URL instead.

      To use the let's encrypt staging server, use security.acme.server =
      "https://acme-staging-v02.api.letsencrypt.org/directory".
    ''
    )
  ];
  options = {
    security.acme = {

@@ -129,6 +147,16 @@ in
        '';
      };

      server = mkOption {
        type = types.nullOr types.str;
        default = null;
        description = ''
          ACME Directory Resource URI. Defaults to let's encrypt
          production endpoint,
          <literal>https://acme-v02.api.letsencrypt.org/directory</literal>, if unset.
        '';
      };

      preliminarySelfsigned = mkOption {
        type = types.bool;
        default = true;
@@ -142,20 +170,6 @@ in
        '';
      };

      production = mkOption {
        type = types.bool;
        default = true;
        description = ''
          If set to true, use Let's Encrypt's production environment
          instead of the staging environment. The main benefit of the
          staging environment is to get much higher rate limits.

          See
          <literal>https://letsencrypt.org/docs/staging-environment</literal>
          for more detail.
        '';
      };

      certs = mkOption {
        default = { };
        type = with types; attrsOf (submodule certOpts);
@@ -198,7 +212,7 @@ in
                          ++ optionals (data.email != null) [ "--email" data.email ]
                          ++ concatMap (p: [ "-f" p ]) data.plugins
                          ++ concatLists (mapAttrsToList (name: root: [ "-d" (if root == null then name else "${name}:${root}")]) data.extraDomains)
                          ++ optionals (!cfg.production) ["--server" "https://acme-staging-v02.api.letsencrypt.org/directory"];
                          ++ optionals (cfg.server != null || data.server != null) ["--server" (if data.server == null then cfg.server else data.server)];
                acmeService = {
                  description = "Renew ACME Certificate for ${cert}";
                  after = [ "network.target" "network-online.target" ];
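Review bot: The per-certificate `server` option added at the top of this section says it defaults to the Let's Encrypt production endpoint when unset, but the new `--server` line at the end of the section consults `cfg.server` first and only falls through to the client's built-in default when both values are null, so the description understates the precedence. Suggest ending the per-cert description with `Overrides security.acme.server for this certificate; if both are unset the production endpoint is used.` and adding the mirror sentence `Individual certificates may override this via certs.<name>.server.` to the global option. Because the directory URL is the root of trust for every certificate the module obtains, making that override order explicit helps an operator who switches the global value to a staging or private CA notice a per-cert override that still points elsewhere. The `optionals` chain and the enclosing service definition start outside the shown hunk.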
+7 −2
@@ -12,9 +12,12 @@ in import ./make-test.nix {
      networking.extraHosts = ''
        ${config.networking.primaryIPAddress} standalone.com
      '';
      security.acme.certs."standalone.com" = {
      security.acme = {
        server = "https://acme-v02.api.letsencrypt.org/dir";
        certs."standalone.com" = {
            webroot = "/var/lib/acme/acme-challenges";
        };
      };
      systemd.targets."acme-finished-standalone.com" = {};
      systemd.services."acme-standalone.com" = {
        wants = [ "acme-finished-standalone.com.target" ];
@@ -54,6 +57,8 @@ in import ./make-test.nix {
        '';
      };

      security.acme.server = "https://acme-v02.api.letsencrypt.org/dir";

      nesting.clone = [
        ({pkgs, ...}: {

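Review bot: The directory URL `https://acme-v02.api.letsencrypt.org/dir` is now written out twice in this test (in the standalone configuration and again in the `nesting.clone` branch), so a future change to the pebble endpoint has to be made in two places and any drift between them would quietly send one configuration to a different directory. Suggest binding it once in the enclosing `let`, e.g. `acmeServer = "https://acme-v02.api.letsencrypt.org/dir";`, and writing `security.acme.server = acmeServer;` at both sites. A short comment at that binding stating that `/dir` is pebble's directory path rather than Boulder's `/directory` would preserve the rationale that was carried by the comment removed from the letsencrypt test module in this same commit; presumably the host name resolves to the test's pebble instance, which is worth stating there too. The `let` binding and the attribute sets around both hunks start outside the shown lines.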
+0 −25
From c3b4004386074342d22cab5e129c1f7e623f4272 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?F=C3=A9lix=20Baylac-Jacqu=C3=A9?= <felix@alternativebit.fr>
Date: Mon, 21 Oct 2019 10:56:13 +0200
Subject: [PATCH] Change ACME directory endpoint to /directory

---
 wfe/wfe.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/wfe/wfe.go b/wfe/wfe.go
index e24797f..10d29fb 100644
--- a/wfe/wfe.go
+++ b/wfe/wfe.go
@@ -39,7 +39,7 @@ const (
 	// Note: We deliberately pick endpoint paths that differ from Boulder to
 	// exercise clients processing of the /directory response
 	// We export the DirectoryPath so that the pebble binary can reference it
-	DirectoryPath     = "/dir"
+	DirectoryPath     = "/directory"
 	noncePath         = "/nonce-plz"
 	newAccountPath    = "/sign-me-up"
 	acctPath          = "/my-account/"
-- 
2.23.0
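--- a/<path-not-shown-on-page>
+++ b/<path-not-shown-on-page>
@@ -62,17 +62,7 @@ let
   siteDomain = "letsencrypt.org";
   siteCertFile = snakeOilCerts.${siteDomain}.cert;
   siteKeyFile = snakeOilCerts.${siteDomain}.key;
-  pebble = pkgs.pebble.overrideAttrs (attrs: {
-    # The pebble directory endpoint is /dir when the bouder (official
-    # ACME server) is /directory. Sadly, this endpoint is hardcoded,
-    # we have to patch it.
-    #
-    # Tried to upstream, that said upstream maintainers rather keep
-    # this custom endpoint to test ACME clients robustness. See
-    # https://github.com/letsencrypt/pebble/issues/283#issuecomment-545123242
-    patches = [ ./0001-Change-ACME-directory-endpoint-to-directory.patch ];
-  });
-
+  pebble = pkgs.pebble;
   resolver = let
     message = "You need to define a resolver for the letsencrypt test module.";
     firstNS = lib.head config.networking.nameservers;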