nixos/tests/acme: use *.test domains

Shimming out the Let's Encrypt domain name to reuse client configuration doesn't work properly (Pebble uses different endpoint URL formats), is recommended against by upstream,[1] and is unnecessary now that the ACME module supports specifying an ACME server. This commit changes the tests to use the domain name acme.test instead, and renames the letsencrypt node to acme to reflect that it has nothing to do with the ACME server that Let's Encrypt runs. The imports are renamed for clarity: * nixos/tests/common/{letsencrypt => acme}/{common.nix => client} * nixos/tests/common/{letsencrypt => acme}/{default.nix => server} The test's other domain names are also adjusted to use *.test for consistency (and to avoid misuse of non-reserved domain names such as standalone.com). [1] letsencrypt/pebble#283 (comment) Co-authored-by: Yegor Timoshenko <yegortimoshenko@riseup.net> (cherry picked from commit d0f04c1)
stigok · Jun 12, 2020 · 56453a1 · 56453a1
1 parent 71d3513
commit 56453a1
Show file tree

Hide file tree

Showing 9 changed files with 254 additions and 336 deletions.
diff --git a/nixos/tests/acme.nix b/nixos/tests/acme.nix
@@ -1,5 +1,5 @@
 let
-  commonConfig = ./common/letsencrypt/common.nix;
+  commonConfig = ./common/acme/client;
 
   dnsScript = {writeScript, dnsAddress, bash, curl}: writeScript "dns-hook.sh" ''
     #!${bash}/bin/bash
@@ -16,8 +16,8 @@ in import ./make-test-python.nix {
   name = "acme";
 
   nodes = rec {
-    letsencrypt = { nodes, lib, ... }: {
-      imports = [ ./common/letsencrypt ];
+    acme = { nodes, lib, ... }: {
+      imports = [ ./common/acme/server ];
       networking.nameservers = lib.mkForce [
         nodes.dnsserver.config.networking.primaryIPAddress
       ];
@@ -45,19 +45,16 @@ in import ./make-test-python.nix {
         nodes.dnsserver.config.networking.primaryIPAddress
       ];
       networking.firewall.allowedTCPPorts = [ 80 ];
-      security.acme = {
-        server = "https://acme-v02.api.letsencrypt.org/dir";
-        certs."standalone.com" = {
-            webroot = "/var/lib/acme/acme-challenges";
-        };
+      security.acme.certs."standalone.test" = {
+        webroot = "/var/lib/acme/acme-challenges";
       };
-      systemd.targets."acme-finished-standalone.com" = {};
-      systemd.services."acme-standalone.com" = {
-        wants = [ "acme-finished-standalone.com.target" ];
-        before = [ "acme-finished-standalone.com.target" ];
+      systemd.targets."acme-finished-standalone.test" = {};
+      systemd.services."acme-standalone.test" = {
+        wants = [ "acme-finished-standalone.test.target" ];
+        before = [ "acme-finished-standalone.test.target" ];
       };
       services.nginx.enable = true;
-      services.nginx.virtualHosts."standalone.com" = {
+      services.nginx.virtualHosts."standalone.test" = {
         locations."/.well-known/acme-challenge".root = "/var/lib/acme/acme-challenges";
       };
     };
@@ -71,16 +68,16 @@ in import ./make-test-python.nix {
 
       # A target remains active. Use this to probe the fact that
       # a service fired eventhough it is not RemainAfterExit
-      systemd.targets."acme-finished-a.example.com" = {};
-      systemd.services."acme-a.example.com" = {
-        wants = [ "acme-finished-a.example.com.target" ];
-        before = [ "acme-finished-a.example.com.target" ];
+      systemd.targets."acme-finished-a.example.test" = {};
+      systemd.services."acme-a.example.test" = {
+        wants = [ "acme-finished-a.example.test.target" ];
+        before = [ "acme-finished-a.example.test.target" ];
         after = [ "nginx.service" ];
       };
 
       services.nginx.enable = true;
 
-      services.nginx.virtualHosts."a.example.com" = {
+      services.nginx.virtualHosts."a.example.test" = {
         enableACME = true;
         forceSSL = true;
         locations."/".root = pkgs.runCommand "docroot" {} ''
@@ -89,17 +86,17 @@ in import ./make-test-python.nix {
         '';
       };
 
-      security.acme.server = "https://acme-v02.api.letsencrypt.org/dir";
+      security.acme.server = "https://acme.test/dir";
 
       nesting.clone = [
         ({pkgs, ...}: {
-          systemd.targets."acme-finished-b.example.com" = {};
-          systemd.services."acme-b.example.com" = {
-            wants = [ "acme-finished-b.example.com.target" ];
-            before = [ "acme-finished-b.example.com.target" ];
+          systemd.targets."acme-finished-b.example.test" = {};
+          systemd.services."acme-b.example.test" = {
+            wants = [ "acme-finished-b.example.test.target" ];
+            before = [ "acme-finished-b.example.test.target" ];
             after = [ "nginx.service" ];
           };
-          services.nginx.virtualHosts."b.example.com" = {
+          services.nginx.virtualHosts."b.example.test" = {
             enableACME = true;
             forceSSL = true;
             locations."/".root = pkgs.runCommand "docroot" {} ''
@@ -109,8 +106,8 @@ in import ./make-test-python.nix {
           };
         })
         ({pkgs, config, nodes, lib, ...}: {
-          security.acme.certs."example.com" = {
-            domain = "*.example.com";
+          security.acme.certs."example.test" = {
+            domain = "*.example.test";
             dnsProvider = "exec";
             dnsPropagationCheck = false;
             credentialsFile = with pkgs; writeText "wildcard.env" ''
@@ -119,17 +116,17 @@ in import ./make-test-python.nix {
             user = config.services.nginx.user;
             group = config.services.nginx.group;
           };
-          systemd.targets."acme-finished-example.com" = {};
-          systemd.services."acme-example.com" = {
-            wants = [ "acme-finished-example.com.target" ];
-            before = [ "acme-finished-example.com.target" "nginx.service" ];
+          systemd.targets."acme-finished-example.test" = {};
+          systemd.services."acme-example.test" = {
+            wants = [ "acme-finished-example.test.target" ];
+            before = [ "acme-finished-example.test.target" "nginx.service" ];
             wantedBy = [ "nginx.service" ];
           };
-          services.nginx.virtualHosts."c.example.com" = {
+          services.nginx.virtualHosts."c.example.test" = {
             forceSSL = true;
-            sslCertificate = config.security.acme.certs."example.com".directory + "/cert.pem";
-            sslTrustedCertificate = config.security.acme.certs."example.com".directory + "/full.pem";
-            sslCertificateKey = config.security.acme.certs."example.com".directory + "/key.pem";
+            sslCertificate = config.security.acme.certs."example.test".directory + "/cert.pem";
+            sslTrustedCertificate = config.security.acme.certs."example.test".directory + "/full.pem";
+            sslCertificateKey = config.security.acme.certs."example.test".directory + "/key.pem";
             locations."/".root = pkgs.runCommand "docroot" {} ''
               mkdir -p "$out"
               echo hello world > "$out/index.html"
@@ -161,46 +158,44 @@ in import ./make-test-python.nix {
       client.start()
       dnsserver.start()
 
-      letsencrypt.wait_for_unit("default.target")
+      acme.wait_for_unit("default.target")
       dnsserver.wait_for_unit("pebble-challtestsrv.service")
       client.succeed(
-          'curl --data \'{"host": "acme-v02.api.letsencrypt.org", "addresses": ["${nodes.letsencrypt.config.networking.primaryIPAddress}"]}\' http://${nodes.dnsserver.config.networking.primaryIPAddress}:8055/add-a'
+          'curl --data \'{"host": "acme.test", "addresses": ["${nodes.acme.config.networking.primaryIPAddress}"]}\' http://${nodes.dnsserver.config.networking.primaryIPAddress}:8055/add-a'
       )
       client.succeed(
-          'curl --data \'{"host": "standalone.com", "addresses": ["${nodes.acmeStandalone.config.networking.primaryIPAddress}"]}\' http://${nodes.dnsserver.config.networking.primaryIPAddress}:8055/add-a'
+          'curl --data \'{"host": "standalone.test", "addresses": ["${nodes.acmeStandalone.config.networking.primaryIPAddress}"]}\' http://${nodes.dnsserver.config.networking.primaryIPAddress}:8055/add-a'
       )
 
-      letsencrypt.start()
+      acme.start()
       acmeStandalone.start()
 
-      letsencrypt.wait_for_unit("default.target")
-      letsencrypt.wait_for_unit("pebble.service")
+      acme.wait_for_unit("default.target")
+      acme.wait_for_unit("pebble.service")
 
       with subtest("can request certificate with HTTPS-01 challenge"):
           acmeStandalone.wait_for_unit("default.target")
-          acmeStandalone.succeed("systemctl start acme-standalone.com.service")
-          acmeStandalone.wait_for_unit("acme-finished-standalone.com.target")
+          acmeStandalone.succeed("systemctl start acme-standalone.test.service")
+          acmeStandalone.wait_for_unit("acme-finished-standalone.test.target")
 
       client.wait_for_unit("default.target")
 
-      client.succeed("curl https://acme-v02.api.letsencrypt.org:15000/roots/0 > /tmp/ca.crt")
-      client.succeed(
-          "curl https://acme-v02.api.letsencrypt.org:15000/intermediate-keys/0 >> /tmp/ca.crt"
-      )
+      client.succeed("curl https://acme.test:15000/roots/0 > /tmp/ca.crt")
+      client.succeed("curl https://acme.test:15000/intermediate-keys/0 >> /tmp/ca.crt")
 
       with subtest("Can request certificate for nginx service"):
-          webserver.wait_for_unit("acme-finished-a.example.com.target")
+          webserver.wait_for_unit("acme-finished-a.example.test.target")
           client.succeed(
-              "curl --cacert /tmp/ca.crt https://a.example.com/ | grep -qF 'hello world'"
+              "curl --cacert /tmp/ca.crt https://a.example.test/ | grep -qF 'hello world'"
           )
 
       with subtest("Can add another certificate for nginx service"):
           webserver.succeed(
               "/run/current-system/fine-tune/child-1/bin/switch-to-configuration test"
           )
-          webserver.wait_for_unit("acme-finished-b.example.com.target")
+          webserver.wait_for_unit("acme-finished-b.example.test.target")
           client.succeed(
-              "curl --cacert /tmp/ca.crt https://b.example.com/ | grep -qF 'hello world'"
+              "curl --cacert /tmp/ca.crt https://b.example.test/ | grep -qF 'hello world'"
           )
 
       with subtest("Can request wildcard certificates using DNS-01 challenge"):
@@ -210,9 +205,9 @@ in import ./make-test-python.nix {
           webserver.succeed(
               "/run/current-system/fine-tune/child-2/bin/switch-to-configuration test"
           )
-          webserver.wait_for_unit("acme-finished-example.com.target")
+          webserver.wait_for_unit("acme-finished-example.test.target")
           client.succeed(
-              "curl --cacert /tmp/ca.crt https://c.example.com/ | grep -qF 'hello world'"
+              "curl --cacert /tmp/ca.crt https://c.example.test/ | grep -qF 'hello world'"
           )
     '';
 }
diff --git a/nixos/tests/common/acme/client/default.nix b/nixos/tests/common/acme/client/default.nix
@@ -0,0 +1,19 @@
+{ lib, nodes, pkgs, ... }:
+
+let
+  acme-ca = nodes.acme.config.test-support.acme.caCert;
+in
+
+{
+  networking.nameservers = [
+    nodes.acme.config.networking.primaryIPAddress
+  ];
+
+  security.acme = {
+    server = "https://acme.test/dir";
+    email = "hostmaster@example.test";
+    acceptTerms = true;
+  };
+
+  security.pki.certificateFiles = [ acme-ca ];
+}
diff --git a/nixos/tests/common/letsencrypt/default.nix → nixos/tests/common/acme/server/default.nix b/nixos/tests/common/letsencrypt/default.nix → nixos/tests/common/acme/server/default.nix
@@ -1,27 +1,27 @@
 # The certificate for the ACME service is exported as:
 #
-#   config.test-support.letsencrypt.caCert
+#   config.test-support.acme.caCert
 #
 # This value can be used inside the configuration of other test nodes to inject
 # the snakeoil certificate into security.pki.certificateFiles or into package
 # overlays.
 #
 # Another value that's needed if you don't use a custom resolver (see below for
-# notes on that) is to add the letsencrypt node as a nameserver to every node
+# notes on that) is to add the acme node as a nameserver to every node
 # that needs to acquire certificates using ACME, because otherwise the API host
-# for letsencrypt.org can't be resolved.
+# for acme.test can't be resolved.
 #
 # A configuration example of a full node setup using this would be this:
 #
 # {
-#   letsencrypt = import ./common/letsencrypt;
+#   acme = import ./common/acme/server;
 #
 #   example = { nodes, ... }: {
 #     networking.nameservers = [
-#       nodes.letsencrypt.config.networking.primaryIPAddress
+#       nodes.acme.config.networking.primaryIPAddress
 #     ];
 #     security.pki.certificateFiles = [
-#       nodes.letsencrypt.config.test-support.letsencrypt.caCert
+#       nodes.acme.config.test-support.acme.caCert
 #     ];
 #   };
 # }
@@ -33,8 +33,8 @@
 # override networking.nameservers like this:
 #
 # {
-#   letsencrypt = { nodes, ... }: {
-#     imports = [ ./common/letsencrypt ];
+#   acme = { nodes, ... }: {
+#     imports = [ ./common/acme/server ];
 #     networking.nameservers = [
 #       nodes.myresolver.config.networking.primaryIPAddress
 #     ];
@@ -55,16 +55,16 @@
 let
   snakeOilCerts = import ./snakeoil-certs.nix;
 
-  wfeDomain = "acme-v02.api.letsencrypt.org";
+  wfeDomain = "acme.test";
   wfeCertFile = snakeOilCerts.${wfeDomain}.cert;
   wfeKeyFile = snakeOilCerts.${wfeDomain}.key;
 
-  siteDomain = "letsencrypt.org";
+  siteDomain = "acme.test";
   siteCertFile = snakeOilCerts.${siteDomain}.cert;
   siteKeyFile = snakeOilCerts.${siteDomain}.key;
   pebble = pkgs.pebble;
   resolver = let
-    message = "You need to define a resolver for the letsencrypt test module.";
+    message = "You need to define a resolver for the acme test module.";
     firstNS = lib.head config.networking.nameservers;
   in if config.networking.nameservers == [] then throw message else firstNS;
 
@@ -83,9 +83,9 @@ let
   pebbleDataDir = "/root/pebble";
 
 in {
-  imports = [ ../resolver.nix ];
+  imports = [ ../../resolver.nix ];
 
-  options.test-support.letsencrypt.caCert = lib.mkOption {
+  options.test-support.acme.caCert = lib.mkOption {
     type = lib.types.path;
     description = ''
       A certificate file to use with the <literal>nodes</literal> attribute to
@@ -99,7 +99,7 @@ in {
       resolver.enable = let
         isLocalResolver = config.networking.nameservers == [ "127.0.0.1" ];
       in lib.mkOverride 900 isLocalResolver;
-      letsencrypt.caCert = snakeOilCerts.ca.cert;
+      acme.caCert = snakeOilCerts.ca.cert;
     };
 
     # This has priority 140, because modules/testing/test-instrumentation.nix

diff --git a/nixos/tests/common/letsencrypt/mkcerts.nix → nixos/tests/common/acme/server/mkcerts.nix b/nixos/tests/common/letsencrypt/mkcerts.nix → nixos/tests/common/acme/server/mkcerts.nix
@@ -1,10 +1,9 @@
 { pkgs ? import <nixpkgs> {}
 , lib ? pkgs.lib
-
-, domains ? [ "acme-v02.api.letsencrypt.org" "letsencrypt.org" ]
+, domains ? [ "acme.test" ]
 }:
 
-pkgs.runCommand "letsencrypt-snakeoil-ca" {
+pkgs.runCommand "acme-snakeoil-ca" {
   nativeBuildInputs = [ pkgs.openssl ];
 } ''
   addpem() {

diff --git a/nixos/tests/common/letsencrypt/mkcerts.sh → nixos/tests/common/acme/server/mkcerts.sh b/nixos/tests/common/letsencrypt/mkcerts.sh → nixos/tests/common/acme/server/mkcerts.sh