From: Ismaƫl Bouya
Date: Sat, 23 Oct 2021 09:14:07 +0000 (+0200)
Subject: Fix issue in ISRG script that is not idempotent
X-Git-Url: https://git.immae.eu/?a=commitdiff_plain;h=4ec2d441373e1115923e5258659c5a39cafcce4e;p=perso%2FImmae%2FConfig%2FNix.git
Fix issue in ISRG script that is not idempotent
---
diff --git a/modules/private/certificates.nix b/modules/private/certificates.nix
index b97d0bc..9879946 100644
--- a/modules/private/certificates.nix
+++ b/modules/private/certificates.nix
@@ -147,8 +147,12 @@
 sha256 = "1la36n2f31j9s03v847ig6ny9lr875q3g7smnq33dcsmf2i5gd92";
 };
 fix_ISRG_Root_X1 = pkgs.writeScript "fix-pem" ''
- cat ${ISRG_Root_X1} | grep -v " CERTIFICATE" | \
- sed -i.bak -ne "/MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/ {r /dev/stdin" -e ":a; n; /Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5/ { b }; ba };p" chain.pem fullchain.pem full.pem
+ for file in chain fullchain full; do
+ if grep -q MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA "$file.pem"; then
+ cat ${ISRG_Root_X1} | grep -v " CERTIFICATE" | \
+ sed -i.bak -ne "/MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/ {r /dev/stdin" -e ":a; n; /Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5/ { b }; ba };p" $file.pem
+ fi
+ done
 '';
 script = pkgs.writeScript "acme-post-start" ''
 #!${pkgs.runtimeShell} -e
@@ -169,9 +173,9 @@
 echo -n "${hashOptions}" > ${spath}/currentDomains
 fi
+ ${fix_ISRG_Root_X1}
 chmod ${fileMode} *.pem
 chown '${data.user}:${data.group}' *.pem
- ${fix_ISRG_Root_X1}
 if [ "$KEY_CHANGED" = "yes" ]; then
 : # noop in case postRun is empty
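Review bot: A failed `sed` on `chain.pem` or `fullchain.pem` goes unnoticed in the new loop, because the fix-pem script shows no `set -e` (or shebang) in this hunk and only the last iteration's status reaches the `-e` caller. That can leave one file rewritten and another unchanged while the post-start script carries on. Make the failure explicit by ending the sed line with `|| exit 1`, or by starting the script with `set -e`. The sed line also leaves `$file.pem` unquoted while the grep line quotes it; use `"$file.pem"` in both.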
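Review bot: The `*.pem` globs on the `chmod`/`chown` lines do not match the `.pem.bak` backups that `sed -i.bak` in fix-pem creates, so moving the call above them corrects mode and owner only for the rewritten files. If `full.pem` bundles the private key (its name suggests so; confirm), `full.pem.bak` keeps a second copy of it with whatever mode and owner the file had before this step. Either drop the backup suffix (`sed -i -ne ...`) or add `rm -f -- *.pem.bak` right after `${fix_ISRG_Root_X1}`. The script body starts and ends outside this hunk.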