Unverified Commit fb382c26 authored by Franz Pletz's avatar Franz Pletz Committed by GitHub

Merge pull request #310452 from fpletz/nginx-acme-servername

nixos/nginx: fix reference to acme cert hostname
parents e7b8b9c1 b7d060d1
+1 −1
@@ -352,7 +352,7 @@ let

        # The acme-challenge location doesn't need to be added if we are not using any automated
        # certificate provisioning and can also be omitted when we use a certificate obtained via a DNS-01 challenge
        acmeName = if vhost.useACMEHost != null then vhost.useACMEHost else vhostName;
        acmeName = if vhost.useACMEHost != null then vhost.useACMEHost else vhost.serverName;
        acmeLocation = optionalString ((vhost.enableACME || vhost.useACMEHost != null) && config.security.acme.certs.${acmeName}.dnsProvider == null)
          # Rule for legitimate ACME Challenge requests (like /.well-known/acme-challenge/xxxxxxxxx)
          # We use ^~ here, so that we don't check any regexes (which could
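Review bot: The new `acmeName` fallback is undocumented at the point where it matters: nothing on that line says why the vhost's `serverName`, rather than the `virtualHosts` attribute name, is the key used for `config.security.acme.certs` on the following line, which is exactly the distinction this commit fixes and the test's new `different-key` vhost exercises. A comment above the assignment would stop the next reader from "simplifying" it back, e.g. `# Look the certificate up by the vhost's serverName, which may differ from its virtualHosts attribute name; useACMEHost overrides that key entirely.` Note that when ACME is enabled for the vhost the `config.security.acme.certs.${acmeName}.dnsProvider` access is strict, so a serverName with no matching cert entry fails evaluation rather than silently omitting the challenge location — presumably intended, but worth stating in that comment. The enclosing `let` block begins outside the hunk.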
+20 −12
@@ -99,7 +99,14 @@
              serverAliases = [ "${server}-wildcard-alias.example.test" ];
              useACMEHost = "example.test";
            };
          } // (lib.optionalAttrs (server == "nginx") {
            # The nginx module supports using a different key than the hostname
            different-key = vhostBaseData // {
              serverName = "${server}-different-key.example.test";
              serverAliases = [ "${server}-different-key-alias.example.test" ];
              enableACME = true;
            };
          });
        };

        # Used to determine if service reload was triggered
@@ -653,17 +660,17 @@ in {
          webserver.succeed("systemctl restart caddy.service")
          check_connection_key_bits(client, "a.example.test", "384")

      domains = ["http", "dns", "wildcard"]
      for server, logsrc in [
          ("nginx", "journalctl -n 30 -u nginx.service"),
          ("httpd", "tail -n 30 /var/log/httpd/*.log"),
      common_domains = ["http", "dns", "wildcard"]
      for server, logsrc, domains in [
          ("nginx", "journalctl -n 30 -u nginx.service", common_domains + ["different-key"]),
          ("httpd", "tail -n 30 /var/log/httpd/*.log", common_domains),
      ]:
          wait_for_server = lambda: webserver.wait_for_unit(f"{server}.service")
          with subtest(f"Works with {server}"):
              try:
                  switch_to(webserver, server)
                  # Skip wildcard domain for this check ([:-1])
                  for domain in domains[:-1]:
                  for domain in domains:
                      if domain != "wildcard":
                          webserver.wait_for_unit(
                              f"acme-finished-{server}-{domain}.example.test.target"
                          )
@@ -676,7 +683,8 @@ in {

              wait_for_server()

              for domain in domains[:-1]:
              for domain in domains:
                  if domain != "wildcard":
                      check_issuer(webserver, f"{server}-{domain}.example.test", "pebble")
              for domain in domains:
                  check_connection(client, f"{server}-{domain}.example.test")
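Review bot: The `wildcard` exclusion is now spelled out twice as a nested `if domain != "wildcard":` under a `for domain in domains:` loop, once in the `switch_to` block and again before `check_issuer` in this hunk, where the old code expressed it once with `domains[:-1]`; the filter is correct now that `domains` is per-server and wildcard is no longer guaranteed to be last, but it would read better computed once at the top of the loop body, `issued = [d for d in domains if d != "wildcard"]`, with both loops then iterating `for domain in issued:`. The trailing `check_connection` loop still iterates the full `domains`, so the wildcard TLS check is unchanged. The new `different-key` entry is verified through `acme-finished-nginx-different-key.example.test.target` and `check_issuer`, which is what proves the serverName-keyed certificate is issued and served; that vhost also declares a `serverAliases` entry, and it is not visible in these hunks whether the alias hostname gets a `check_connection` of its own. The enclosing subtest body continues outside the hunk.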