From 61194f0f1f91de93425e7504fb8b950566da37bb Mon Sep 17 00:00:00 2001
From: Tobias Stenzel
Date: Fri, 12 Jun 2020 11:47:53 +0200
Subject: [PATCH] ACME: use HTTP for the Nginx readyness check

This avoids conflicts with other services that want to use port 443. Our current use case for this is a TURN server using 443. Nginx can be configured to only listen on port 80 now. The acme client uses HTTP for challenges. Case 126629
---
 nixos/modules/security/acme.nix | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
index 1d427394c68f8..2f07f2ef2210b 100644
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -214,17 +214,17 @@ in
         StateDirectory = lpath;
         StateDirectoryMode = rights;
         WorkingDirectory = "/var/lib/${lpath}";
-        ExecStartPre =
-          let
+        ExecStartPre =
+          let
             script = pkgs.writeScript "acme-pre-start" ''
               #!${pkgs.runtimeShell} -e
               mkdir -p ${acmeChallengeDir}
               chown ${data.user}:${data.group} ${acmeChallengeDir}
               touch ${acmeChallengeDir}/${checkFile}
               for x in 1 2 3 4 5; do
-                echo "Checking if web server is serving the challenge dir..."
-                ${pkgs.curl}/bin/curl --insecure --output /dev/null --silent --head --fail \
-                  https://${cert}/.well-known/acme-challenge/${checkFile} &&
+                echo "Checking if web server is serving the challenge dir..."
+                ${pkgs.curl}/bin/curl --output /dev/null --silent --head --fail \
+                  http://${cert}/.well-known/acme-challenge/${checkFile} &&
                   rm ${acmeChallengeDir}/${checkFile} &&
                   exit 0
@@ -236,9 +236,9 @@ in
           '';
           in "+${script}";
-
+
         ExecStart = "${pkgs.simp_le}/bin/simp_le ${escapeShellArgs cmdline}";
-        ExecStopPost =
+        ExecStopPost =
           let
             script = pkgs.writeScript "acme-post-stop" ''
               #!${pkgs.runtimeShell} -e
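Review bot: With `--head --fail` and no `--location`, the new `http://${cert}/.well-known/acme-challenge/${checkFile}` probe still succeeds on a 3xx, so a vhost that redirects HTTP to HTTPS passes the readiness gate without proving the challenge directory is actually served, because curl's `--fail` only rejects 4xx and 5xx responses. Either follow the redirect the way an HTTP-01 validator does (`--location --insecure`, since the certificate being requested may not exist yet) or assert the status explicitly, e.g. `[ "$(${pkgs.curl}/bin/curl --silent --head --output /dev/null --write-out '%{http_code}' http://${cert}/.well-known/acme-challenge/${checkFile})" = 200 ] &&`. It would also help to state above the loop that this is a liveness probe over unauthenticated HTTP against whatever `${cert}` resolves to and not a security control (the CA validates the challenge itself), so a later reader does not "harden" it back to HTTPS and reintroduce the port 443 dependency this commit removes; something like `# Liveness probe only: plain HTTP on purpose so nginx need not listen on 443.` The `for x in 1 2 3 4 5` loop and the ExecStartPre script continue past the end of the hunk.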