author | Emily <vcs@emily.moe> | 2020-02-23 03:46:35 +0000 |
---|---|---|
committer | Emily <vcs@emily.moe> | 2020-02-23 04:10:34 +0000 |
commit | 8ecbd97f82997063192cd97188422b93b90b95ca (patch) | |
tree | 427d0e2c403e0ad0ca9d2d358dfc91c8bdfea53b /nixos | |
parent | ea79a830dcf9c0059656da7f52835d2663d5c436 (diff) | |
nixos/acme: move the crt to fullchain.pem
lego already bundles the chain with the certificate,[1] so the current code, designed for simp_le, was resulting in duplicate certificate chains, manifesting as "Chain issues: Incorrect order, Extra certs" on the Qualys SSL Server Test.

cert.pem stays around as a symlink for backwards compatibility.

[1] https://github.com/go-acme/lego/blob/5cdc0002e9abb2463fffc962dadc3479f72d7486/acme/api/certificate.go#L40-L44
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/security/acme.nix | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix index 7da6666f79c6..238c18242c19 100644 --- a/nixos/modules/security/acme.nix +++ b/nixos/modules/security/acme.nix @@ -325,10 +325,10 @@ in KEY=${spath}/certificates/${keyName}.key if [ -e $KEY -a $KEY -nt key.pem ]; then cp -p ${spath}/certificates/${keyName}.key key.pem - cp -p ${spath}/certificates/${keyName}.crt cert.pem + cp -p ${spath}/certificates/${keyName}.crt fullchain.pem cp -p ${spath}/certificates/${keyName}.issuer.crt chain.pem - cat cert.pem chain.pem > fullchain.pem - cat key.pem cert.pem chain.pem > full.pem + ln -s fullchain.pem cert.pem + cat key.pem fullchain.pem > full.pem chmod ${rights} *.pem chown '${data.user}:${data.group}' *.pem fi |
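Review bot: `ln -s fullchain.pem cert.pem` fails with "File exists" whenever cert.pem is already present, and this branch is written to run repeatedly: the `$KEY -nt key.pem` test only makes sense when key.pem survives from an earlier run. That covers the first run after upgrading, where cert.pem is still the regular file left by the old `cp -p`, and every later renewal, where it is the symlink created by the previous pass. If the surrounding script aborts on errors, the `chmod` and `chown` lines after it would then be skipped, leaving the freshly copied key.pem and fullchain.pem with whatever mode and owner `cp -p` carried over. Suggest `ln -sf fullchain.pem cert.pem` so the link is replaced in place.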