authorIsmaël Bouya <ismael.bouya@normalesup.org>2021-10-23 11:14:07 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2021-10-23 11:16:24 +0200
commit4ec2d441373e1115923e5258659c5a39cafcce4e (patch)
treec5bc7136f385c0f7b4a5993f8156a2c9b58aef7c
parentad6d50d9968b271480ff68c018b12623ad553e87 (diff)
Fix issue in ISRG script that is not idempotent
-rw-r--r--modules/private/certificates.nix10
1 files changed, 7 insertions, 3 deletions
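--- a/modules/private/certificates.nix
+++ b/modules/private/certificates.nix
@@ -147,8 +147,12 @@
 sha256 = "1la36n2f31j9s03v847ig6ny9lr875q3g7smnq33dcsmf2i5gd92";
 };
 fix_ISRG_Root_X1 = pkgs.writeScript "fix-pem" ''
-cat ${ISRG_Root_X1} | grep -v " CERTIFICATE" | \
-sed -i.bak -ne "/MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/ {r /dev/stdin" -e ":a; n; /Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5/ { b }; ba };p" chain.pem fullchain.pem full.pem
+for file in chain fullchain full; do
+if grep -q MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA "$file.pem"; then
+cat ${ISRG_Root_X1} | grep -v " CERTIFICATE" | \
+sed -i.bak -ne "/MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/ {r /dev/stdin" -e ":a; n; /Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5/ { b }; ba };p" $file.pem
+fi
+done
 '';
 script = pkgs.writeScript "acme-post-start" ''
 #!${pkgs.runtimeShell} -e
@@ -169,9 +173,9 @@
 echo -n "${hashOptions}" > ${spath}/currentDomains
 fi
 
+${fix_ISRG_Root_X1}
 chmod ${fileMode} *.pem
 chown '${data.user}:${data.group}' *.pem
-${fix_ISRG_Root_X1}
 
 if [ "$KEY_CHANGED" = "yes" ]; then
 : # noop in case postRun is empty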
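Review bot: The new guard in the first hunk only checks for the first base64 line of the old certificate, while the sed loop `:a; n; … ba` keeps consuming lines until it sees the `Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5` line; if a chain file contains the start line but not that end line (truncated or re-wrapped), GNU sed's `n` reaches EOF and exits, and `-i` then writes back a file with everything after the match gone. Requiring both anchors before rewriting keeps the in-place edit from truncating a chain, e.g. `if grep -q MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA "$file.pem" && grep -q Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5 "$file.pem"; then`. A one-line comment above the loop explaining what the two patterns are would help the next reader, e.g. `# first/last body line of the old certificate that gets replaced by ${ISRG_Root_X1}; the first line disappearing is what makes this idempotent` — the exact identity of that certificate is inferred from the variable name, so confirm the wording. Note also that `sed -i.bak` leaves `chain.pem.bak` etc. behind, which the later `chmod ${fileMode} *.pem` and `chown` in the second hunk do not match (the glob does not cover `.pem.bak`); presumably harmless for public chain files, but worth either a cleanup or a comment. The `acme-post-start` script in the second hunk continues past the end of the hunk.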