Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

acme: create certificates in subdirectory #84781

Merged
merged 1 commit into from
Apr 9, 2020
Merged

acme: create certificates in subdirectory #84781

merged 1 commit into from
Apr 9, 2020

Conversation

Mic92
Copy link
Member

@Mic92 Mic92 commented Apr 9, 2020

This allows to have multiple certificates with the same common name.
Lego uses in its internal directory the common name to name the certificate.

fixes #84409

Motivation for this change
Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@Mic92
acme: create certificates in subdirectory
d7ff6ab 
This allows to have multiple certificates with the same common name.
Lego uses in its internal directory the common name to name the certificate.

fixes NixOS#84409
@Mic92 Mic92 requested a review from flokli April 9, 2020 07:28
@Mic92
Copy link
Member Author

Mic92 commented Apr 9, 2020

cc @immae

@nixos-discourse
Copy link

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/go-no-go-meeting-nixos-20-03-markhor/6495/20

@Mic92
Copy link
Member Author

Mic92 commented Apr 9, 2020

Unstable and 20.03 tester will suffer from this one, because their ssl keys/certificates are recreated but I want to avoid adding migration logic for those cases to keep complexity low.

@ofborg ofborg bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` labels Apr 9, 2020
@Mic92
Copy link
Member Author

Mic92 commented Apr 9, 2020
edited
Loading

I suppose one could symlink /var/lib/acme/.lego/accounts/ to /var/lib/acme/.lego//accounts/ ? Than only one account is created.

@ofborg ofborg bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux labels Apr 9, 2020
@immae
Copy link
Contributor

immae commented Apr 9, 2020
edited
Loading

Thanks for the job @Mic92

About the suffering, I simply did something like that in startPre (please test it for typos, since I rewrite it from memory, I didn’t keep the hack after applying it):

if [ -d /var/lib/acme/.lego/accounts -a ! -d /var/lib/acme/.lego/${cert}/accounts ]; then
  cp -a /var/lib/acme/.lego/accounts /var/lib/acme/.lego/${cert}/accounts
fi
if [ -d /var/lib/acme/.lego/certificates -a ! -d /var/lib/acme/.lego/${cert}/certificates ]; then
  mkdir -p /var/lib/acme/.lego/${cert}/certificates
  cp -a /var/lib/acme/.lego/certificates/${data.domain}.* /var/lib/acme/.lego/${cert}/certificates/
fi
chown -R ${data.user}:${data.group} /var/lib/acme/.lego/${cert}/

Also note that, since we have to separate the directories anyway, I decided to use /var/lib/acme/${cert}/.lego rather than /var/lib/acme/.lego/${cert} to keep everything related to a certificate in a single directory. You might want to change your code considering that...

EDIT: I missed part of your message that you didn’t want migration logic. The second paragraph still stands though

@flokli
Copy link
Contributor

flokli commented Apr 9, 2020

I agree with @Mic92 on not introducing migration code to handle migrations from the current lego folders to the new locations after this PR, especially as it's just a matter of re-requesting certificates.

I don't have a super strong opinion on /var/lib/acme/.lego/${cert}/ vs. /var/lib/acme/${cert}/.lego/ - both have its advantages and disadvantages.

I think the structure propose here is a bit better, considering there might very well be another LE client in the future that does support multiple certificates with the same common name properly.

@immae
Copy link
Contributor

immae commented Apr 9, 2020

I agree with @Mic92 on not introducing migration code to handle migrations from the current lego folders to the new locations after this PR, especially as it's just a matter of re-requesting certificates.

Well, rate limiting is an important thing with acme certificates (you can say "you’re using an unstable channel, it’s your problem", and you’d be totally right - that’s why I’m not pushing for a migration code - but it’s still an issue to some people :) )

@flokli
Copy link
Contributor

flokli commented Apr 9, 2020

Yeah. I expect people tracking unstable to be able to workaround these issues, and potentially apply a workaround as proposed above during the migration.

@Mic92
Copy link
Member Author

Mic92 commented Apr 9, 2020

One can add the following snippet to their configuration.nix to add the migration code:

  systemd.services = lib.mapAttrs' (cert: data:  {
    name = "acme-${cert}";
    value = {
      preStart = ''
        if [ -d /var/lib/acme/.lego/accounts -a -! -d /var/lib/acme/.lego/${cert}/accounts ]; then
          cp -a /var/lib/acme/.lego/accounts /var/lib/acme/.lego/${cert}/accounts
        fi
        if [ -d /var/lib/acme/.lego/certificates -a -! -d /var/lib/acme/.lego/${cert}/certificates ]; then
          mkdir -p /var/lib/acme/.lego/${cert}/certificates
          cp -a /var/lib/acme/.lego/certificates/${data.domain}.* /var/lib/acme/.lego/${cert}/certificates/
        fi
        chown -R ${data.user}:${data.group} /var/lib/acme/.lego/${cert}/
      '';
    };
  }) config.security.acme.certs;

I might announce that in a discourse post.

@Mic92 Mic92 merged commit 6cbc9c8 into NixOS:master Apr 9, 2020
@Mic92 Mic92 deleted the acme branch April 9, 2020 09:59
@nixos-discourse
Copy link

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/nixos-acme-action-required-on-unstable-or-20-03-pre-release/6629/1

@Mic92
Copy link
Member Author

Mic92 commented Apr 9, 2020

20.03 backport: 377b024

This was referenced Apr 13, 2020
Closed
Merged
@emilazy emilazy mentioned this pull request Apr 16, 2020
Closed
10 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@flokli flokli Awaiting requested review from flokli

Assignees
No one assigned
Labels
6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Change of acme certificate from simp_le to lego breaks workflow
4 participants
@Mic92 @nixos-discourse @immae @flokli