From 26bae0456708d52c3e2bc3073a19701a72d96b32 Mon Sep 17 00:00:00 2001
From: Oliver Schmidt
Date: Thu, 6 Jun 2024 14:28:54 +0200
Subject: [PATCH] tests/acme: check consistent account hash for legacy settings

To allow migration from 23.11 to 24.05 without triggering re-registrations, the account hashing behaviour of the previous release can be retained by setting `security.acme.defaults.server` to `null`. We better also check for hash consistency with that setting to avoid unexpected account hash changes again.
---
 nixos/tests/acme.nix | 41 ++++++++++++++++++++++++++++++++++++-----
 1 file changed, 36 insertions(+), 5 deletions(-)

diff --git a/nixos/tests/acme.nix b/nixos/tests/acme.nix
index 379496583d25..2cba04f9d395 100644
--- a/nixos/tests/acme.nix
+++ b/nixos/tests/acme.nix
@@ -200,6 +200,14 @@ in {
 # Tests HTTP-01 verification using Lego's built-in web server
 http01lego.configuration = simpleConfig;
 
+ # account hash generation with default server from <= 23.11
+ http01lego_legacyAccountHash.configuration = lib.mkMerge [
+ simpleConfig
+ {
+ security.acme.defaults.server = lib.mkForce null;
+ }
+ ];
+
 renew.configuration = lib.mkMerge [
 simpleConfig
 {
@@ -424,7 +432,7 @@ in {
 backoff = BackoffTracker()
 
 
- def switch_to(node, name):
+ def switch_to(node, name, allow_fail=False):
 # On first switch, this will create a symlink to the current system so that we can
 # quickly switch between derivations
 root_specs = "/tmp/specialisation"
@@ -438,9 +446,14 @@ in {
 if rc > 0:
 switcher_path = f"/tmp/specialisation/{name}/bin/switch-to-configuration"
 
- node.succeed(
- f"{switcher_path} test"
- )
+ if not allow_fail:
+ node.succeed(
+ f"{switcher_path} test"
+ )
+ else:
+ node.execute(
+ f"{switcher_path} test"
+ )
 
 
 # Ensures the issuer of our cert matches the chain
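Review bot: The comment on the new `http01lego_legacyAccountHash` specialisation names the release it mimics but not why `lib.mkForce null` is needed; presumably `simpleConfig` (defined outside this hunk) sets `security.acme.defaults.server` to the test's pebble URL, and `null` is what restores the pre-24.05 hash input. I would extend the comment to `# server = null keeps the <= 23.11 account-hash inputs; mkForce overrides the pebble URL from simpleConfig`, so a reader knows this specialisation will not talk to the test CA and that a failing acme unit is expected there.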
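Review bot: `allow_fail` is a boolean switch, so it reads better as a keyword-only parameter: `def switch_to(node, name, *, allow_fail=False):`; the only call site in this patch already passes it by keyword, so nothing else changes. The new parameter also deserves a docstring or comment line stating that, when set, the result of `switch-to-configuration test` is not checked. The body of `switch_to` continues outside this hunk.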
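Review bot: In the `allow_fail` branch the status and output of `node.execute(f"{switcher_path} test")` are discarded, so an activation that fails for a reason other than the expected acme unit leaves no trace in the test log. Capturing and printing them keeps the tolerant behaviour while making such failures diagnosable: `rc, out = node.execute(f"{switcher_path} test")` followed by `print(f"switch-to-configuration test exited {rc}: {out}")`. Writing the branch as `if allow_fail: ... else: node.succeed(...)` would also avoid the negated condition. The enclosing `switch_to` starts outside this hunk.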
@@ -544,7 +557,7 @@ in {
 check_issuer(webserver, "http.example.test", "pebble")
 
 # Perform account hash test
- with subtest("Assert that account hash didn't unexpected change"):
+ with subtest("Assert that account hash didn't unexpectedly change"):
 hash = webserver.succeed("ls /var/lib/acme/.lego/accounts/")
 print("Account hash: " + hash)
 assert hash.strip() == "d590213ed52603e9128d"
@@ -727,5 +740,23 @@ in {
 webserver.wait_for_unit(f"acme-finished-{test_domain}.target")
 wait_for_server()
 check_connection_key_bits(client, test_domain, "384")
+
+ # Perform http-01 w/ lego test again, but using the pre-24.05 account hashing
+ # (see https://github.com/NixOS/nixpkgs/pull/317257)
+ with subtest("Check account hashing compatibility with pre-24.05 settings"):
+ webserver.succeed("rm -rf /var/lib/acme/.lego/accounts/*")
+ switch_to(webserver, "http01lego_legacyAccountHash", allow_fail=True)
+ # unit is failed, but in a way that this throws no exception:
+ try:
+ webserver.wait_for_unit("acme-finished-http.example.test.target")
+ except Exception:
+ # The unit is allowed – or even expected – to fail due to not being able to
+ # reach the actual letsencrypt server. We only use it for serialising the
+ # test execution, such that the account check is done after the service run
+ # involving the account creation has been executed at least once.
+ pass
+ hash = webserver.succeed("ls /var/lib/acme/.lego/accounts/")
+ print("Account hash: " + hash)
+ assert hash.strip() == "1ccf607d9aa280e9af00"
 '';
 }
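Review bot: The `except Exception: pass` around `wait_for_unit` hides what actually happened to the target, so if it neither activates nor fails the wait would presumably only end at the driver's timeout and the log would show nothing; logging the exception keeps the tolerant behaviour: `except Exception as e:` followed by `print(f"acme-finished target did not activate (expected): {e}")`. The expected value `"1ccf607d9aa280e9af00"` is a bare literal like the one in the earlier subtest; a one-line comment naming the inputs it is derived from (presumably the server URL, e-mail and key type – confirm against the module) would make a future mismatch much quicker to explain. The `ls`/`print`/`assert` trio duplicates the earlier subtest and could become a small `check_account_hash(expected)` helper, which would also stop shadowing the builtin `hash`.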