nixpkgs/nixos/tests/common/letsencrypt/mkcerts.nix

{ pkgs ? import <nixpkgs> {}
, lib ? pkgs.lib

, domains ? [ "acme-v02.api.letsencrypt.org" "letsencrypt.org" ]
}:

pkgs.runCommand "letsencrypt-snakeoil-ca" {
  nativeBuildInputs = [ pkgs.openssl ];
} ''
  addpem() {
    local file="$1"; shift
    local storeFileName="$(IFS=.; echo "$*")"

    echo -n "  " >> "$out"

    # Every following argument is an attribute, so let's recurse and check
    # every attribute whether it must be quoted and write it into $out.
    while [ -n "$1" ]; do
      if expr match "$1" '^[a-zA-Z][a-zA-Z0-9]*$' > /dev/null; then
        echo -n "$1" >> "$out"
      else
        echo -n '"' >> "$out"
        echo -n "$1" | sed -e 's/["$]/\\&/g' >> "$out"
        echo -n '"' >> "$out"
      fi
      shift
      [ -z "$1" ] || echo -n . >> "$out"
    done

    echo " = builtins.toFile \"$storeFileName\" '''" >> "$out"
    sed -e 's/^/    /' "$file" >> "$out"

    echo "  ''';" >> "$out"
  }

  echo '# Generated via mkcert.sh in the same directory.' > "$out"
  echo '{' >> "$out"

  openssl req -newkey rsa:4096 -x509 -sha256 -days 36500 \
    -subj '/CN=Snakeoil CA' -nodes -out ca.pem -keyout ca.key

  addpem ca.key ca key
  addpem ca.pem ca cert

  ${lib.concatMapStrings (fqdn: let
    opensslConfig = pkgs.writeText "snakeoil.cnf" ''
      [req]
      default_bits = 4096
      prompt = no
      default_md = sha256
      req_extensions = req_ext
      distinguished_name = dn
      [dn]
      CN = ${fqdn}
      [req_ext]
      subjectAltName = DNS:${fqdn}
    '';
  in ''
    export OPENSSL_CONF=${lib.escapeShellArg opensslConfig}
    openssl genrsa -out snakeoil.key 4096
    openssl req -new -key snakeoil.key -out snakeoil.csr
    openssl x509 -req -in snakeoil.csr -sha256 -set_serial 666 \
      -CA ca.pem -CAkey ca.key -out snakeoil.pem -days 36500
    addpem snakeoil.key ${lib.escapeShellArg fqdn} key
    addpem snakeoil.pem ${lib.escapeShellArg fqdn} cert
  '') domains}

  echo '}' >> "$out"
''
nixos/tests/letsencrypt: Hardcode certs and keys In 0c7c1660f78e4f6befe0a210e1a9efae783a1733 I have set allowSubstitutes to false, which avoided the substitution of the certificates. Unfortunately substitution may still happen later when the certificate is merged with the CA bundle. So the merged CA bundle might be substituted from a binary cache but the certificate itself is built locally, which could result in a different certificate in the bundle. So instead of adding just yet another workaround, I've now hardcoded all the certificates and keys in a separate file. This also moves letsencrypt.nix into its own directory so we don't mess up nixos/tests/common too much. This was long overdue and should finally make the dependency graph for the ACME test more deterministic. Signed-off-by: aszlig <aszlig@nix.build> 2018-07-12 00:56:48 +02:00			`{ pkgs ? import <nixpkgs> {}`
			`, lib ? pkgs.lib`

nixos/tests/letsencrypt: use Pebble instead of Boulder Let's encrypt bumped ACME to V2. We need to update our nixos test to be compatible with this new protocol version. We decided to drop the Boulder ACME server in favor of the more integration test friendly Pebble. - overriding cacert not necessary - this avoids rebuilding lots of packages needlessly - nixos/tests/acme: use pebble's ca for client tests - pebble always generates its own ca which has to be fetched TODO: write proper commit msg :) 2019-10-18 19:13:04 +02:00			`, domains ? [ "acme-v02.api.letsencrypt.org" "letsencrypt.org" ]`
nixos/tests/letsencrypt: Hardcode certs and keys In 0c7c1660f78e4f6befe0a210e1a9efae783a1733 I have set allowSubstitutes to false, which avoided the substitution of the certificates. Unfortunately substitution may still happen later when the certificate is merged with the CA bundle. So the merged CA bundle might be substituted from a binary cache but the certificate itself is built locally, which could result in a different certificate in the bundle. So instead of adding just yet another workaround, I've now hardcoded all the certificates and keys in a separate file. This also moves letsencrypt.nix into its own directory so we don't mess up nixos/tests/common too much. This was long overdue and should finally make the dependency graph for the ACME test more deterministic. Signed-off-by: aszlig <aszlig@nix.build> 2018-07-12 00:56:48 +02:00			`}:`

			`pkgs.runCommand "letsencrypt-snakeoil-ca" {`
			`nativeBuildInputs = [ pkgs.openssl ];`
			`} ''`
			`addpem() {`
			`local file="$1"; shift`
			`local storeFileName="$(IFS=.; echo "$*")"`

			`echo -n " " >> "$out"`

			`# Every following argument is an attribute, so let's recurse and check`
			`# every attribute whether it must be quoted and write it into $out.`
			`while [ -n "$1" ]; do`
			`if expr match "$1" '^[a-zA-Z][a-zA-Z0-9]*$' > /dev/null; then`
			`echo -n "$1" >> "$out"`
			`else`
			`echo -n '"' >> "$out"`
			`echo -n "$1" \| sed -e 's/["$]/\\&/g' >> "$out"`
			`echo -n '"' >> "$out"`
			`fi`
			`shift`
			`[ -z "$1" ] \|\| echo -n . >> "$out"`
			`done`

			`echo " = builtins.toFile \"$storeFileName\" '''" >> "$out"`
			`sed -e 's/^/ /' "$file" >> "$out"`

			`echo " ''';" >> "$out"`
			`}`

			`echo '# Generated via mkcert.sh in the same directory.' > "$out"`
			`echo '{' >> "$out"`

			`openssl req -newkey rsa:4096 -x509 -sha256 -days 36500 \`
			`-subj '/CN=Snakeoil CA' -nodes -out ca.pem -keyout ca.key`

			`addpem ca.key ca key`
			`addpem ca.pem ca cert`

			`${lib.concatMapStrings (fqdn: let`
			`opensslConfig = pkgs.writeText "snakeoil.cnf" ''`
			`[req]`
			`default_bits = 4096`
			`prompt = no`
			`default_md = sha256`
			`req_extensions = req_ext`
			`distinguished_name = dn`
			`[dn]`
			`CN = ${fqdn}`
			`[req_ext]`
			`subjectAltName = DNS:${fqdn}`
			`'';`
			`in ''`
			`export OPENSSL_CONF=${lib.escapeShellArg opensslConfig}`
			`openssl genrsa -out snakeoil.key 4096`
			`openssl req -new -key snakeoil.key -out snakeoil.csr`
			`openssl x509 -req -in snakeoil.csr -sha256 -set_serial 666 \`
			`-CA ca.pem -CAkey ca.key -out snakeoil.pem -days 36500`
			`addpem snakeoil.key ${lib.escapeShellArg fqdn} key`
			`addpem snakeoil.pem ${lib.escapeShellArg fqdn} cert`
			`'') domains}`

			`echo '}' >> "$out"`
			`''`