improve ssl block
This commit is contained in:
parent
3211585373
commit
7e2f76e7f9
3 changed files with 56 additions and 20 deletions
|
@ -257,8 +257,13 @@ in
|
|||
script = ''
|
||||
mkdir -p /etc/ssl/certs
|
||||
|
||||
rm -f /etc/ssl/certs/ca-bundle.crt
|
||||
rm -f /etc/ssl/certs/ca-certificates.crt
|
||||
|
||||
cat /etc/static/ssl/certs/ca-bundle.crt > /etc/ssl/certs/ca-bundle.crt
|
||||
cat /etc/static/ssl/certs/ca-bundle.crt > /etc/ssl/certs/ca-certificates.crt
|
||||
for file in ${lib.concatStringsSep " " (lib.mapAttrsToList (_name: caCfg: caCfg.paths.cert) cfg.cas.selfsigned)}; do
|
||||
cat "$file" >> /etc/ssl/certs/ca-bundle.crt
|
||||
cat "$file" >> /etc/ssl/certs/ca-certificates.crt
|
||||
done
|
||||
'';
|
||||
|
|
|
@ -96,22 +96,22 @@ To use either a self-signed certificates or a Let's Encrypt generated one, we ca
|
|||
where the certificate and the private key are located:
|
||||
|
||||
```nix
|
||||
config.shb.certs.<implementation>.<name>.paths.cert
|
||||
config.shb.certs.<implementation>.<name>.paths.key
|
||||
config.shb.certs.certs.<implementation>.<name>.paths.cert
|
||||
config.shb.certs.certs.<implementation>.<name>.paths.key
|
||||
```
|
||||
|
||||
For example:
|
||||
|
||||
```nix
|
||||
config.shb.certs.selfsigned."example.com".paths.cert
|
||||
config.shb.certs.selfsigned."example.com".paths.key
|
||||
config.shb.certs.certs.selfsigned."example.com".paths.cert
|
||||
config.shb.certs.certs.selfsigned."example.com".paths.key
|
||||
```
|
||||
We can then configure Nginx to use those certificates:
|
||||
|
||||
```nix
|
||||
services.nginx.virtualHosts."example.com" =
|
||||
let
|
||||
cert = config.shb.certs.selfsigned."example.com";
|
||||
cert = config.shb.certs.certs.selfsigned."example.com";
|
||||
in
|
||||
{
|
||||
onlySSL = true;
|
||||
|
@ -130,8 +130,8 @@ certificate to the generated:
|
|||
|
||||
```nix
|
||||
systemd.services.nginx = {
|
||||
after = [ config.shb.certs.selfsigned."example.com".systemdService ];
|
||||
requires = [ config.shb.certs.selfsigned."example.com".systemdService ];
|
||||
after = [ config.shb.certs.certs.selfsigned."example.com".systemdService ];
|
||||
requires = [ config.shb.certs.certs.selfsigned."example.com".systemdService ];
|
||||
};
|
||||
```
|
||||
|
||||
|
|
|
@ -18,31 +18,46 @@
|
|||
};
|
||||
};
|
||||
certs.selfsigned = {
|
||||
mycert = {
|
||||
top = {
|
||||
ca = config.shb.certs.cas.selfsigned.myca;
|
||||
|
||||
domain = "example.com";
|
||||
};
|
||||
subdomain = {
|
||||
ca = config.shb.certs.cas.selfsigned.myca;
|
||||
|
||||
domain = "subdomain.example.com";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
# The configuration below is to create a webserver that uses the server certificate.
|
||||
networking.hosts."127.0.0.1" = [ "example.com" ];
|
||||
networking.hosts."127.0.0.1" = [ "example.com" "subdomain.example.com" "wrong.example.com" ];
|
||||
|
||||
services.nginx.enable = true;
|
||||
services.nginx.virtualHosts."example.com" =
|
||||
{
|
||||
onlySSL = true;
|
||||
sslCertificate = config.shb.certs.certs.selfsigned.mycert.paths.cert;
|
||||
sslCertificateKey = config.shb.certs.certs.selfsigned.mycert.paths.key;
|
||||
sslCertificate = config.shb.certs.certs.selfsigned.top.paths.cert;
|
||||
sslCertificateKey = config.shb.certs.certs.selfsigned.top.paths.key;
|
||||
locations."/".extraConfig = ''
|
||||
add_header Content-Type text/plain;
|
||||
return 200 'It works!';
|
||||
return 200 'Top domain';
|
||||
'';
|
||||
};
|
||||
services.nginx.virtualHosts."subdomain.example.com" =
|
||||
{
|
||||
onlySSL = true;
|
||||
sslCertificate = config.shb.certs.certs.selfsigned.subdomain.paths.cert;
|
||||
sslCertificateKey = config.shb.certs.certs.selfsigned.subdomain.paths.key;
|
||||
locations."/".extraConfig = ''
|
||||
add_header Content-Type text/plain;
|
||||
return 200 'Subdomain';
|
||||
'';
|
||||
};
|
||||
systemd.services.nginx = {
|
||||
after = [ config.shb.certs.certs.selfsigned.mycert.systemdService ];
|
||||
requires = [ config.shb.certs.certs.selfsigned.mycert.systemdService ];
|
||||
after = [ config.shb.certs.certs.selfsigned.top.systemdService config.shb.certs.certs.selfsigned.subdomain.systemdService ];
|
||||
requires = [ config.shb.certs.certs.selfsigned.top.systemdService config.shb.certs.certs.selfsigned.subdomain.systemdService ];
|
||||
};
|
||||
};
|
||||
|
||||
|
@ -51,7 +66,8 @@
|
|||
let
|
||||
myca = nodes.server.shb.certs.cas.selfsigned.myca;
|
||||
myotherca = nodes.server.shb.certs.cas.selfsigned.myotherca;
|
||||
mycert = nodes.server.shb.certs.certs.selfsigned.mycert;
|
||||
top = nodes.server.shb.certs.certs.selfsigned.top;
|
||||
subdomain = nodes.server.shb.certs.certs.selfsigned.subdomain;
|
||||
in
|
||||
''
|
||||
start_all()
|
||||
|
@ -61,16 +77,31 @@
|
|||
server.wait_for_file("${myca.paths.cert}")
|
||||
server.wait_for_file("${myotherca.paths.key}")
|
||||
server.wait_for_file("${myotherca.paths.cert}")
|
||||
server.wait_for_file("${mycert.paths.key}")
|
||||
server.wait_for_file("${mycert.paths.cert}")
|
||||
server.wait_for_file("${top.paths.key}")
|
||||
server.wait_for_file("${top.paths.cert}")
|
||||
server.wait_for_file("${subdomain.paths.key}")
|
||||
server.wait_for_file("${subdomain.paths.cert}")
|
||||
|
||||
# Wait for jkkk
|
||||
server.require_unit_state("${nodes.server.shb.certs.systemdService}", "inactive")
|
||||
|
||||
with subtest("Certificate is trusted in curl"):
|
||||
machine.wait_for_unit("nginx")
|
||||
machine.wait_for_open_port(443)
|
||||
machine.succeed("curl --fail-with-body -v https://example.com")
|
||||
|
||||
with subtest("Certificate is trusted in curl"):
|
||||
resp = machine.succeed("curl --fail-with-body -v https://example.com")
|
||||
if resp != "Top domain":
|
||||
raise Exception('Unexpected response, got: {}'.format(resp))
|
||||
|
||||
resp = machine.succeed("curl --fail-with-body -v https://subdomain.example.com")
|
||||
if resp != "Subdomain":
|
||||
raise Exception('Unexpected response, got: {}'.format(resp))
|
||||
|
||||
with subtest("Fail if certificate is not in CA bundle"):
|
||||
machine.fail("curl --cacert /etc/static/ssl/certs/ca-bundle.crt --fail-with-body -v https://example.com")
|
||||
machine.fail("curl --cacert /etc/static/ssl/certs/ca-bundle.crt --fail-with-body -v https://subdomain.example.com")
|
||||
machine.fail("curl --cacert /etc/static/ssl/certs/ca-certificates.crt --fail-with-body -v https://example.com")
|
||||
machine.fail("curl --cacert /etc/static/ssl/certs/ca-certificates.crt --fail-with-body -v https://subdomain.example.com")
|
||||
'';
|
||||
};
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue