
ACME: use HTTP for the Nginx readyness check
This avoids conflicts with other services that want to use port 443.
Our current use case for this is a TURN server using 443.
Nginx can be configured to only listen on port 80 now.
The acme client uses HTTP for challenges.

Case 126629
dpausp committed Jun 12, 2020
1 parent 49de5cc commit 61194f0
Showing 1 changed file with 7 additions and 7 deletions.
14 changes: 7 additions & 7 deletions nixos/modules/security/acme.nix
Expand Up @@ -214,17 +214,17 @@ in
StateDirectory = lpath;
StateDirectoryMode = rights;
WorkingDirectory = "/var/lib/${lpath}";
ExecStartPre =
let
ExecStartPre =
let
script = pkgs.writeScript "acme-pre-start" ''
#!${pkgs.runtimeShell} -e
mkdir -p ${acmeChallengeDir}
chown ${data.user}:${data.group} ${acmeChallengeDir}
touch ${acmeChallengeDir}/${checkFile}
for x in 1 2 3 4 5; do
echo "Checking if web server is serving the challenge dir..."
${pkgs.curl}/bin/curl --insecure --output /dev/null --silent --head --fail \
https://${cert}/.well-known/acme-challenge/${checkFile} &&
echo "Checking if web server is serving the challenge dir..."
${pkgs.curl}/bin/curl --output /dev/null --silent --head --fail \
http://${cert}/.well-known/acme-challenge/${checkFile} &&
rm ${acmeChallengeDir}/${checkFile} &&
exit 0
Expand All @@ -236,9 +236,9 @@ in
'';
in
"+${script}";

ExecStart = "${pkgs.simp_le}/bin/simp_le ${escapeShellArgs cmdline}";
ExecStopPost =
ExecStopPost =
let
script = pkgs.writeScript "acme-post-stop" ''
#!${pkgs.runtimeShell} -e
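Review bot: The new plain-HTTP probe at the `${pkgs.curl}/bin/curl --output /dev/null --silent --head --fail` line still treats a 3xx as success, because `--fail` only errors on responses of 400 and above; if the port-80 vhost redirects to HTTPS (a common Nginx setup) the readiness check passes without proving the challenge path is actually served over HTTP, and since the HTTPS probe is gone that case is no longer caught at all. Dropping `--insecure` is correct now that no TLS is involved, but it would be worth pinning the expected status explicitly, e.g. `test "$(${pkgs.curl}/bin/curl --output /dev/null --silent --head --write-out '%{http_code}' http://${cert}/.well-known/acme-challenge/${checkFile})" = 200 &&`. Note that `${cert}` is resolved through DNS here, so the check presumably also depends on the name pointing at this host — worth a one-line comment in the script. The rest of the retry loop (its sleep and `done`) lies outside the hunk, and the diffstat reports 7/7 changes while only 6/6 are visible, so one changed pair appears to be hidden from this view.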
