movefasta/nixpkgs
1
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-06-09 19:13:26 +03:00
Code Issues Projects Releases Packages Wiki Activity

nixos/tests/acme: Add CSR test

Browse source
This commit is contained in:
Lucas Savva 2025-04-28 22:23:32 +01:00 committed by Martin Weinelt
parent 754412b4ae
commit eeaa42f670
No known key found for this signature in database
GPG key ID: 87C1E9888F856759
1 changed files with 44 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

44
nixos/tests/acme/http01-builtin.nix
View file

@ -99,6 +99,45 @@ in
"builtin-3.${domain}".listenHTTP = ":80";
};
};
csr.configuration =
let
conf = pkgs.writeText "openssl.csr.conf" ''
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
CN = ${config.networking.fqdn}
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = ${config.networking.fqdn}
'';
csrData =
pkgs.runCommandNoCC "csr-and-key"
{
buildInputs = [ pkgs.openssl ];
}
''
mkdir -p $out
openssl req -new -newkey rsa:2048 -nodes \
-keyout $out/key.pem \
-out $out/request.csr \
-config ${conf}
'';
in
{
security.acme.certs."${config.networking.fqdn}" = {
csr = "${csrData}/request.csr";
csrKey = "${csrData}/key.pem";
};
};
};
};
};
@ -211,5 +250,10 @@ in
with subtest("Validate permissions (self-signed)"):
check_permissions(builtin, cert, "acme")
with subtest("Can renew using a CSR"):
builtin.succeed(f"systemctl clean acme-{cert}.service --what=state")
switch_to(builtin, "csr")
check_issuer(builtin, cert, "pebble")
'';
}