author | Félix Baylac-Jacqué <felix@alternativebit.fr> | 2019-10-18 19:13:04 +0200 |
committer | Florian Klink <flokli@flokli.de> | 2019-10-23 21:17:17 +0200 |
commit | 0c0af28cd59766f961efefea8ad4d14343a82821 (patch) | |
tree | 22ab3abf6af46a1ab7931e7752d1ad639f3afa88 /nixos/modules/security/acme.nix | |
parent | 38e84151e04f4b31dd729abb28db4159045bfd41 (diff) | |
nixos/tests/letsencrypt: use Pebble instead of Boulder
Let's Encrypt bumped ACME to v2. We need to update our NixOS test to be compatible with this new protocol version. We decided to drop the Boulder ACME server in favor of the more integration-test-friendly Pebble. - overriding cacert not necessary - this avoids rebuilding lots of packages needlessly - nixos/tests/acme: use pebble's ca for client tests - pebble always generates its own ca which has to be fetched TODO: write proper commit msg :)
Diffstat (limited to 'nixos/modules/security/acme.nix')
-rw-r--r-- | nixos/modules/security/acme.nix | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
index e35ea0c7b927..e08c7e965eef 100644
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -203,6 +203,11 @@ in
 description = "Renew ACME Certificate for ${cert}";
 after = [ "network.target" "network-online.target" ];
 wants = [ "network-online.target" ];
+ # simp_le uses requests, which uses certifi under the hood,
+ # which doesn't respect the system trust store.
+ # At least in the acme test, we provision a fake CA, impersonating the LE endpoint.
+ # REQUESTS_CA_BUNDLE is a way to teach python requests to use something else
+ environment.REQUESTS_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt";
 serviceConfig = {
 Type = "oneshot";
 SuccessExitStatus = [ "0" "1" ]; |
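Review bot: The new `environment.REQUESTS_CA_BUNDLE` line hard-codes `/etc/ssl/certs/ca-certificates.crt`, so the renewal service now depends on that file being provisioned by the NixOS `security.pki` module; if the system store is not installed on a host, `requests` will presumably fail on a missing bundle rather than fall back to certifi's, and the commit does not say so. The change also makes every CA in the system store a trusted issuer for the ACME endpoint — intended for the acme test, but it is the production contract too and the comment presents it only as a test aside. I would reword the four comment lines to state that contract: `# Point requests at the NixOS system trust store (security.pki) instead of certifi's` / `# bundled CAs, so certificates added via security.pki.certificateFiles (e.g. the acme test's fake CA) are honoured.` The enclosing service definition starts and ends outside the hunk.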