Merge pull request #72007 from NinjaTrappeur/nin-acme-custom-dir-uri

nixos/acme: Custom ACME endpoint

nixos/modules/security/acme.nix

@@ -20,6 +20,16 @@ let
         '';
       };
 
+      server = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        description = ''
+          ACME Directory Resource URI. Defaults to let's encrypt
+          production endpoint,
+          https://acme-v02.api.letsencrypt.org/directory, if unset.
+        '';
+      };
+
       domain = mkOption {
         type = types.str;
         default = name;
@@ -109,7 +119,15 @@ in
 {
 
   ###### interface
+  imports = [
+    (mkRemovedOptionModule [ "security" "acme" "production" ] ''
+      Use security.acme.server to define your staging ACME server URL instead.
 
+      To use the let's encrypt staging server, use security.acme.server =
+      "https://acme-staging-v02.api.letsencrypt.org/directory".
+    ''
+    )
+  ];
   options = {
     security.acme = {
 
@@ -129,6 +147,16 @@ in
         '';
       };
 
+      server = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        description = ''
+          ACME Directory Resource URI. Defaults to let's encrypt
+          production endpoint,
+          <literal>https://acme-v02.api.letsencrypt.org/directory</literal>, if unset.
+        '';
+      };
+
       preliminarySelfsigned = mkOption {
         type = types.bool;
         default = true;
@@ -142,20 +170,6 @@ in
         '';
       };
 
-      production = mkOption {
-        type = types.bool;
-        default = true;
-        description = ''
-          If set to true, use Let's Encrypt's production environment
-          instead of the staging environment. The main benefit of the
-          staging environment is to get much higher rate limits.
-
-          See
-          <literal>https://letsencrypt.org/docs/staging-environment</literal>
-          for more detail.
-        '';
-      };
-
       certs = mkOption {
         default = { };
         type = with types; attrsOf (submodule certOpts);
@@ -198,7 +212,7 @@ in
                           ++ optionals (data.email != null) [ "--email" data.email ]
                           ++ concatMap (p: [ "-f" p ]) data.plugins
                           ++ concatLists (mapAttrsToList (name: root: [ "-d" (if root == null then name else "${name}:${root}")]) data.extraDomains)
-                          ++ optionals (!cfg.production) ["--server" "https://acme-staging-v02.api.letsencrypt.org/directory"];
+                          ++ optionals (cfg.server != null || data.server != null) ["--server" (if data.server == null then cfg.server else data.server)];
                 acmeService = {
                   description = "Renew ACME Certificate for ${cert}";
                   after = [ "network.target" "network-online.target" ];

nixos/tests/acme.nix

@@ -12,9 +12,12 @@ in import ./make-test.nix {
       networking.extraHosts = ''
         ${config.networking.primaryIPAddress} standalone.com
       '';
-      security.acme.certs."standalone.com" = {
+      security.acme = {
+        server = "https://acme-v02.api.letsencrypt.org/dir";
+        certs."standalone.com" = {
             webroot = "/var/lib/acme/acme-challenges";
         };
+      };
       systemd.targets."acme-finished-standalone.com" = {};
       systemd.services."acme-standalone.com" = {
         wants = [ "acme-finished-standalone.com.target" ];
@@ -54,6 +57,8 @@ in import ./make-test.nix {
         '';
       };
 
+      security.acme.server = "https://acme-v02.api.letsencrypt.org/dir";
+
       nesting.clone = [
         ({pkgs, ...}: {
 

nixos/tests/common/letsencrypt/0001-Change-ACME-directory-endpoint-to-directory.patch

@@ -1,25 +0,0 @@
-From c3b4004386074342d22cab5e129c1f7e623f4272 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?F=C3=A9lix=20Baylac-Jacqu=C3=A9?= <felix@alternativebit.fr>
-Date: Mon, 21 Oct 2019 10:56:13 +0200
-Subject: [PATCH] Change ACME directory endpoint to /directory
-
----
- wfe/wfe.go | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/wfe/wfe.go b/wfe/wfe.go
-index e24797f..10d29fb 100644
---- a/wfe/wfe.go
-+++ b/wfe/wfe.go
-@@ -39,7 +39,7 @@ const (
- 	// Note: We deliberately pick endpoint paths that differ from Boulder to
- 	// exercise clients processing of the /directory response
- 	// We export the DirectoryPath so that the pebble binary can reference it
--	DirectoryPath     = "/dir"
-+	DirectoryPath     = "/directory"
- 	noncePath         = "/nonce-plz"
- 	newAccountPath    = "/sign-me-up"
- 	acctPath          = "/my-account/"
--- 
-2.23.0
-

nixos/tests/common/letsencrypt/default.nix

@@ -62,17 +62,7 @@ let
   siteDomain = "letsencrypt.org";
   siteCertFile = snakeOilCerts.${siteDomain}.cert;
   siteKeyFile = snakeOilCerts.${siteDomain}.key;
-  pebble = pkgs.pebble.overrideAttrs (attrs: {
+  pebble = pkgs.pebble;
-    # The pebble directory endpoint is /dir when the bouder (official
-    # ACME server) is /directory. Sadly, this endpoint is hardcoded,
-    # we have to patch it.
-    #
-    # Tried to upstream, that said upstream maintainers rather keep
-    # this custom endpoint to test ACME clients robustness. See
-    # https://github.com/letsencrypt/pebble/issues/283#issuecomment-545123242
-    patches = [ ./0001-Change-ACME-directory-endpoint-to-directory.patch ];
-  });
-
   resolver = let
     message = "You need to define a resolver for the letsencrypt test module.";
     firstNS = lib.head config.networking.nameservers;