acme nixos test failure in apache httpd test cases #114751

Closed
roberth opened this issue Mar 1, 2021 · 3 comments · Fixed by #116369
Labels
0.kind: bug Something is broken 6.topic: testing Tooling for automated testing of packages and modules

Comments


roberth commented Mar 1, 2021

Describe the bug

The subtests for apache httpd in nixosTests.acme fail:

i1dqvjb1zxy03kpv29b12bx4c4ay6yph-vm-test-run-acme.drv.log:

Removing these subtests makes the test pass:

with subtest("Can request certificates for vhost + aliases (apache-httpd)"):
    switch_to(webserver, "httpd-aliases")
    webserver.wait_for_unit("acme-finished-c.example.test.target")
    check_issuer(webserver, "c.example.test", "pebble")
    check_connection(client, "c.example.test")
    check_connection(client, "d.example.test")

with subtest("Can reload httpd when timer triggers renewal"):
    # Switch to selfsigned first
    webserver.succeed("systemctl clean acme-c.example.test.service --what=state")
    webserver.succeed("systemctl start acme-selfsigned-c.example.test.service")
    check_issuer(webserver, "c.example.test", "minica")
    webserver.succeed("systemctl start httpd-config-reload.service")
    webserver.succeed("systemctl start test-renew-httpd.target")
    check_issuer(webserver, "c.example.test", "pebble")
    check_connection(client, "c.example.test")

To Reproduce
Steps to reproduce the behavior:

  1. nix-build -A nixosTests.acme

Expected behavior

Test success.

Screenshots

Additional context

Notify maintainers

@NixOS/acme

Metadata
Please run nix-shell -p nix-info --run "nix-info -m" and paste the result.

Maintainer information:

# a list of nixpkgs attributes affected by the problem
attribute:
 - nixosTests.acme
# a list of nixos modules affected by the problem
module:
@roberth roberth added the 0.kind: bug Something is broken label Mar 1, 2021
@veprbl veprbl added the 6.topic: testing Tooling for automated testing of packages and modules label Mar 2, 2021
@m1cr0man (Contributor)

The cause is that the permissions on the configured webroot directory are wrong when switching from Nginx to httpd. Taking from a debug ls statement:

webserver # [  120.912565] acme-c.example.test-start[3221]: + ls -al /var/lib/acme/acme-challenge
webserver # [  120.925103] acme-c.example.test-start[3419]: total 12
webserver # [  120.926430] acme-c.example.test-start[3419]: drwxr-xr-- 3 acme     60 4096 Mar 14 23:17 .
webserver # [  120.928571] acme-c.example.test-start[3419]: drwxr-xr-x 9 acme acme   4096 Mar 14 23:18 ..
webserver # [  120.932055] acme-c.example.test-start[3419]: drwxr-xr-- 3 acme wwwrun 4096 Mar 14 23:17 .well-known

This subsequently causes 403 errors in httpd with the following error in the log:

[Sun Mar 14 23:19:17.849429 2021] [core:error] [pid 3224:tid 139926267979328] (13)Permission denied: [client 192.168.1.1:54946] AH00035: access to /.well-known/acme-challenge/DzI67iQ2o0vWgybU2LAruOhJicG-Qksa19FXbIregZM denied (filesystem path '/var/lib/acme/acme-challenge/.well-known') because search permissions are missing on a component of the path

There are 3 solutions, sorted by my own preference to implement:

  • Change the UMask to 0022 (currently 0023) so that any group can read the folder.
  • Fix the permissions in the acme module when renewals are run.
  • Fix the permissions in the test suite.

Keeping this previous discussion in mind, I feel that changing the UMask would be the best option that would "Just work" without affecting the potentially sensitive group permissions on the webroot. Also - it's a web directory which will effectively be readable by anyone (AKA anyone that visits the page) anyway. I'm not in favour of the last option as I feel fixing it for all users is important, and I would rather have this thread + take the flak for somewhat open permissions than break people's setups entirely.

m1cr0man added a commit to m1cr0man/nixpkgs that referenced this issue Mar 15, 2021
With the UMask set to 0023, the mkdir -p command which creates the webroot could end up unreadable if the web server changes, as surfaced by the test suite in NixOS#114751.

On top of this, the following commands to chown the webroot + subdirectories were mostly unnecessary. I stripped it back to only fix the deepest part of the directory, resolving NixOS#115976, and reintroduced a human readable error message.

roberth commented Mar 15, 2021

  • Change the UMask to 0022 (currently 0023) so that any group can read the folder.

That seems to align with the purpose of the challenge directory. If you change the umask, make sure it doesn't affect other files and directories.

@m1cr0man (Contributor)

I've added some tests for the resulting file's permissions. Also I would like to highlight the work @aneeshusa did a while back in this PR & comment to determine where/what permissions lego applies to files.

0023 was a bit stingy on my part from the beginning. It should've stayed as 0022 all along ;P

m1cr0man added a commit to m1cr0man/nixpkgs that referenced this issue Apr 2, 2021
With the UMask set to 0023, the mkdir -p command which creates the webroot could end up unreadable if the web server changes, as surfaced by the test suite in NixOS#114751.

On top of this, the following commands to chown the webroot + subdirectories were mostly unnecessary. I stripped it back to only fix the deepest part of the directory, resolving NixOS#115976, and reintroduced a human readable error message.

(cherry picked from commit 920a3f5)