nixos/tests/letsencrypt: Hardcode certs and keys

In 0c7c166 I have set allowSubstitutes to false, which avoided the substitution of the certificates. Unfortunately substitution may still happen later when the certificate is merged with the CA bundle. So the merged CA bundle might be substituted from a binary cache but the certificate itself is built locally, which could result in a different certificate in the bundle. So instead of adding just yet another workaround, I've now hardcoded all the certificates and keys in a separate file. This also moves letsencrypt.nix into its own directory so we don't mess up nixos/tests/common too much. This was long overdue and should finally make the dependency graph for the ACME test more deterministic. Signed-off-by: aszlig <[email protected]>
NixOS · Jul 12, 2018 · 7b87554 · 7b87554
1 parent c21b1ed
commit 7b87554
Show file tree

Hide file tree

Showing 6 changed files with 342 additions and 52 deletions.
diff --git a/nixos/tests/acme.nix b/nixos/tests/acme.nix
@@ -29,7 +29,7 @@ in import ./make-test.nix {
   name = "acme";
 
   nodes = {
-    letsencrypt = ./common/letsencrypt.nix;
+    letsencrypt = ./common/letsencrypt;
 
     webserver = { config, pkgs, ... }: {
       imports = [ commonConfig ];

diff --git a/nixos/tests/common/letsencrypt.nix → nixos/tests/common/letsencrypt/default.nix b/nixos/tests/common/letsencrypt.nix → nixos/tests/common/letsencrypt/default.nix
@@ -17,7 +17,7 @@
 # A configuration example of a full node setup using this would be this:
 #
 # {
-#   letsencrypt = import ./common/letsencrypt.nix;
+#   letsencrypt = import ./common/letsencrypt;
 #
 #   example = { nodes, ... }: {
 #     networking.nameservers = [
@@ -30,14 +30,14 @@
 # }
 #
 # By default, this module runs a local resolver, generated using resolver.nix
-# from the same directory to automatically discover all zones in the network.
+# from the parent directory to automatically discover all zones in the network.
 #
 # If you do not want this and want to use your own resolver, you can just
 # override networking.nameservers like this:
 #
 # {
 #   letsencrypt = { nodes, ... }: {
-#     imports = [ ./common/letsencrypt.nix ];
+#     imports = [ ./common/letsencrypt ];
 #     networking.nameservers = [
 #       nodes.myresolver.config.networking.primaryIPAddress
 #     ];
@@ -164,8 +164,8 @@ let
         -e 's,exec \./bin/,,' \
         test/startservers.py
 
-      cat "${snakeOilCa}/ca.key" > test/test-ca.key
-      cat "${snakeOilCa}/ca.pem" > test/test-ca.pem
+      cat ${lib.escapeShellArg snakeOilCerts.ca.key} > test/test-ca.key
+      cat ${lib.escapeShellArg snakeOilCerts.ca.cert} > test/test-ca.pem
     '';
 
     # Until vendored pkcs11 is go 1.9 compatible
@@ -206,53 +206,15 @@ let
     1:/var/lib/softhsm/slot1.db
   '';
 
-  snakeOilCa = pkgs.runCommand "snakeoil-ca" {
-    buildInputs = [ pkgs.openssl ];
-    allowSubstitutes = false;
-  } ''
-    mkdir "$out"
-    openssl req -newkey rsa:4096 -x509 -sha256 -days 36500 \
-      -subj '/CN=Snakeoil CA' -nodes \
-      -out "$out/ca.pem" -keyout "$out/ca.key"
-  '';
-
-  createAndSignCert = fqdn: let
-    snakeoilCertConf = pkgs.writeText "snakeoil.cnf" ''
-      [req]
-      default_bits = 4096
-      prompt = no
-      default_md = sha256
-      req_extensions = req_ext
-      distinguished_name = dn
-      [dn]
-      CN = ${fqdn}
-      [req_ext]
-      subjectAltName = DNS:${fqdn}
-    '';
-  in pkgs.runCommand "snakeoil-certs-${fqdn}" {
-    buildInputs = [ pkgs.openssl ];
-    allowSubstitutes = false;
-  } ''
-    mkdir "$out"
-    openssl genrsa -out "$out/snakeoil.key" 4096
-    openssl req -new -key "$out/snakeoil.key" \
-      -config ${lib.escapeShellArg snakeoilCertConf} \
-      -out snakeoil.csr
-    openssl x509 -req -in snakeoil.csr -sha256 -set_serial 666 \
-      -CA "${snakeOilCa}/ca.pem" -CAkey "${snakeOilCa}/ca.key" \
-      -extfile ${lib.escapeShellArg snakeoilCertConf} \
-      -out "$out/snakeoil.pem" -days 36500
-  '';
+  snakeOilCerts = import ./snakeoil-certs.nix;
 
-  wfeCerts = createAndSignCert wfeDomain;
   wfeDomain = "acme-v01.api.letsencrypt.org";
-  wfeCertFile = "${wfeCerts}/snakeoil.pem";
-  wfeKeyFile = "${wfeCerts}/snakeoil.key";
+  wfeCertFile = snakeOilCerts.${wfeDomain}.cert;
+  wfeKeyFile = snakeOilCerts.${wfeDomain}.key;
 
-  siteCerts = createAndSignCert siteDomain;
   siteDomain = "letsencrypt.org";
-  siteCertFile = "${siteCerts}/snakeoil.pem";
-  siteKeyFile = "${siteCerts}/snakeoil.key";
+  siteCertFile = snakeOilCerts.${siteDomain}.cert;
+  siteKeyFile = snakeOilCerts.${siteDomain}.key;
 
   # Retrieved via:
   # curl -s -I https://acme-v01.api.letsencrypt.org/terms \
@@ -365,7 +327,7 @@ let
   }) components;
 
 in {
-  imports = [ ./resolver.nix ];
+  imports = [ ../resolver.nix ];
 
   options.test-support.letsencrypt.caCert = lib.mkOption {
     type = lib.types.path;
@@ -381,7 +343,7 @@ in {
       resolver.enable = let
         isLocalResolver = config.networking.nameservers == [ "127.0.0.1" ];
       in lib.mkOverride 900 isLocalResolver;
-      letsencrypt.caCert = "${snakeOilCa}/ca.pem";
+      letsencrypt.caCert = snakeOilCerts.ca.cert;
     };
 
     # This has priority 140, because modules/testing/test-instrumentation.nix

diff --git a/nixos/tests/common/letsencrypt/mkcerts.nix b/nixos/tests/common/letsencrypt/mkcerts.nix
@@ -0,0 +1,69 @@
+{ pkgs ? import <nixpkgs> {}
+, lib ? pkgs.lib
+
+, domains ? [ "acme-v01.api.letsencrypt.org" "letsencrypt.org" ]
+}:
+
+pkgs.runCommand "letsencrypt-snakeoil-ca" {
+  nativeBuildInputs = [ pkgs.openssl ];
+} ''
+  addpem() {
+    local file="$1"; shift
+    local storeFileName="$(IFS=.; echo "$*")"
+
+    echo -n "  " >> "$out"
+
+    # Every following argument is an attribute, so let's recurse and check
+    # every attribute whether it must be quoted and write it into $out.
+    while [ -n "$1" ]; do
+      if expr match "$1" '^[a-zA-Z][a-zA-Z0-9]*$' > /dev/null; then
+        echo -n "$1" >> "$out"
+      else
+        echo -n '"' >> "$out"
+        echo -n "$1" | sed -e 's/["$]/\\&/g' >> "$out"
+        echo -n '"' >> "$out"
+      fi
+      shift
+      [ -z "$1" ] || echo -n . >> "$out"
+    done
+
+    echo " = builtins.toFile \"$storeFileName\" '''" >> "$out"
+    sed -e 's/^/    /' "$file" >> "$out"
+
+    echo "  ''';" >> "$out"
+  }
+
+  echo '# Generated via mkcert.sh in the same directory.' > "$out"
+  echo '{' >> "$out"
+
+  openssl req -newkey rsa:4096 -x509 -sha256 -days 36500 \
+    -subj '/CN=Snakeoil CA' -nodes -out ca.pem -keyout ca.key
+
+  addpem ca.key ca key
+  addpem ca.pem ca cert
+
+  ${lib.concatMapStrings (fqdn: let
+    opensslConfig = pkgs.writeText "snakeoil.cnf" ''
+      [req]
+      default_bits = 4096
+      prompt = no
+      default_md = sha256
+      req_extensions = req_ext
+      distinguished_name = dn
+      [dn]
+      CN = ${fqdn}
+      [req_ext]
+      subjectAltName = DNS:${fqdn}
+    '';
+  in ''
+    export OPENSSL_CONF=${lib.escapeShellArg opensslConfig}
+    openssl genrsa -out snakeoil.key 4096
+    openssl req -new -key snakeoil.key -out snakeoil.csr
+    openssl x509 -req -in snakeoil.csr -sha256 -set_serial 666 \
+      -CA ca.pem -CAkey ca.key -out snakeoil.pem -days 36500
+    addpem snakeoil.key ${lib.escapeShellArg fqdn} key
+    addpem snakeoil.pem ${lib.escapeShellArg fqdn} cert
+  '') domains}
+
+  echo '}' >> "$out"
+''
diff --git a/nixos/tests/common/letsencrypt/mkcerts.sh b/nixos/tests/common/letsencrypt/mkcerts.sh
@@ -0,0 +1,6 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -p nix bash -i bash
+set -e
+cd "$(dirname "$0")"
+storepath="$(nix-build --no-out-link mkcerts.nix)"
+cat "$storepath" > snakeoil-certs.nix