From 4ec2d441373e1115923e5258659c5a39cafcce4e Mon Sep 17 00:00:00 2001
From: =?utf8?q?Isma=C3=ABl=20Bouya?=
Date: Sat, 23 Oct 2021 11:14:07 +0200
Subject: [PATCH] Fix issue in ISRG script that is not idempotent

---
 modules/private/certificates.nix | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/modules/private/certificates.nix b/modules/private/certificates.nix
index b97d0bc..9879946 100644
--- a/modules/private/certificates.nix
+++ b/modules/private/certificates.nix
@@ -147,8 +147,12 @@
 sha256 = "1la36n2f31j9s03v847ig6ny9lr875q3g7smnq33dcsmf2i5gd92";
 };
 fix_ISRG_Root_X1 = pkgs.writeScript "fix-pem" ''
- cat ${ISRG_Root_X1} | grep -v " CERTIFICATE" | \
- sed -i.bak -ne "/MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/ {r /dev/stdin" -e ":a; n; /Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5/ { b }; ba };p" chain.pem fullchain.pem full.pem
+ for file in chain fullchain full; do
+ if grep -q MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA "$file.pem"; then
+ cat ${ISRG_Root_X1} | grep -v " CERTIFICATE" | \
+ sed -i.bak -ne "/MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/ {r /dev/stdin" -e ":a; n; /Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5/ { b }; ba };p" $file.pem
+ fi
+ done
 '';
 script = pkgs.writeScript "acme-post-start" ''
 #!${pkgs.runtimeShell} -e
@@ -169,9 +173,9 @@
 echo -n "${hashOptions}" > ${spath}/currentDomains
 fi
 
+ ${fix_ISRG_Root_X1}
 chmod ${fileMode} *.pem
 chown '${data.user}:${data.group}' *.pem
- ${fix_ISRG_Root_X1}
 if [ "$KEY_CHANGED" = "yes" ]; then
 : # noop in case postRun is empty
 
--
2.41.0
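Review bot: `sed -i.bak` on the new sed line leaves `chain.pem.bak`, `fullchain.pem.bak` and `full.pem.bak` beside the rewritten files, and the `chmod ${fileMode} *.pem` / `chown … *.pem` lines that now follow the call in the second hunk do not match a `.pem.bak` suffix, so those renamed originals keep whatever mode and owner they had before the permission pass. If `full.pem` bundles the private key with the chain — the name suggests so; confirm against how the files are produced — a stale key copy is then left outside that pass every time the replacement runs. Either drop the backup suffix (`sed -i -ne …`) or remove it once the replacement succeeds, e.g. `rm -f -- "$file.pem.bak"` after the `sed` line, and quote the target as `"$file.pem"` to match the `grep -q` line above it. The `script` attribute that invokes `fix_ISRG_Root_X1` continues outside the hunk.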