NixOS / nixpkgs

Nix Packages collection & NixOS

If a certificate is provisioned with DNS-01 rather than HTTP-01 challenge, nginx still creates the HTTP-01 challenge endpoint #235128

Open midnightveil opened 1 year ago

midnightveil commented 1 year ago

Describe the bug

Even though my certificates are provisioned using the DNS-01 challenge, nginx still produces /.well-known/acme-challenge:

    server {
        listen 0.0.0.0:80 ;
        listen [::0]:80 ;
        server_name example.com ;
        # Rule for legitimate ACME Challenge requests (like /.well-known/acme-challenge/xxxxxxxxx)
        # We use ^~ here, so that we don't check any regexes (which could
        # otherwise easily override this intended match accidentally).
        location ^~ /.well-known/acme-challenge/ {
            root /var/lib/acme/acme-challenge;
            auth_basic off;
        }
        location / {
            proxy_pass http://localhost:3255;
        }

(it's added for :443 as well)

https://github.com/NixOS/nixpkgs/blob/5521be288c7729e1653baddce52b8450dca1a4f1/nixos/modules/services/web-servers/nginx/default.nix#L365-L380

It is enabled when (vhost.enableACME || vhost.useACMEHost != null), but this is true for DNS-01 validation as well.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Set up security.acme.certs."example.com" with dnsProvider/credentialsFile as in 51.5. Configuring ACME for DNS Validation.
  2. Create an nginx virtualhost for example.com with useACMEHost = "example.com"
  3. Observe generated output.

Expected behavior

/.well-known/acme-challenge location in nginx is absent if DNS-01 verification is used.

Screenshots

n/a

Additional context

nil

Notify maintainers

@NixOS/acme

Metadata

(probably irrelevant, it's pushed with colmena)

 - system: `"aarch64-linux"`
 - host os: `Linux 6.1.27, NixOS, 23.11 (Tapir), 23.11pre489540.58c85835512`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.13.3`
 - channels(root): `"nixos-22.11"`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`
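
A NixOS configuration that follows the three reproduction steps above, added here as an example (it is neither the reporter's configuration nor code from nixpkgs). The option names are the real `security.acme` and `services.nginx` options; the DNS provider name, e-mail address, credentials path and the wildcard in `extraDomainNames` are assumptions for illustration, and the backend port is the one from the generated config quoted in the report.

```nix
# configuration.nix fragment (added example, not the reporter's own config)
{ config, ... }:
{
  security.acme = {
    acceptTerms = true;
    defaults.email = "acme@example.com";            # placeholder address

    # Step 1: certificate validated with DNS-01 via lego, no HTTP-01 involved.
    certs."example.com" = {
      domain = "example.com";
      extraDomainNames = [ "*.example.com" ];       # wildcard: only possible with DNS-01
      dnsProvider = "cloudflare";                    # assumed provider; any lego DNS provider works
      credentialsFile = "/run/secrets/acme-dns-env"; # placeholder path to the provider's API token
      group = config.services.nginx.group;           # let nginx read the key material
    };
  };

  services.nginx = {
    enable = true;

    # Step 2: virtual host that reuses the DNS-01 certificate. Nothing here
    # asks for HTTP-01, yet the generated server blocks for :80 and :443
    # still contain the /.well-known/acme-challenge/ location with
    # "auth_basic off", because the module only checks useACMEHost != null.
    virtualHosts."example.com" = {
      useACMEHost = "example.com";
      forceSSL = true;
      locations."/".proxyPass = "http://localhost:3255";
    };
  };
}
```

Step 3 is to inspect the result: after `nixos-rebuild`, the path of the generated nginx configuration appears in the unit (`systemctl cat nginx`), and searching that file for `acme-challenge` shows the location block even though the DNS-01 flow never writes anything under /var/lib/acme/acme-challenge. The practical effect is an unneeded, unauthenticated static location on a public-facing vhost; it serves only an otherwise empty directory, so the issue is hygiene rather than exposure, which matches the reporter's "minor" assessment.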

m1cr0man commented 1 year ago

Hey there - just to provide an update, this is effectively a clone of #210807. The solution is to set the acmeRoot for your virtual host(s) to null, which will force disabling of the acme-challenge directory.

We may be able to add conditional logic for this in the future. Haven't quite worked out a non-breaking scenario yet but the conditional you quoted could potentially be extended to add a check for DNS-01.

midnightveil commented 1 year ago

Hmm, setting acmeRoot = null; only seems to remove the root /var/lib/acme/acme-challenge line from the nginx configuration, not the entire location {} block.

The DNS-01 challenge & provisioning does work -- this was mostly a (minor) bug report as the HTTP-01 path is needlessly generated in the nginx config.

(I am using a wildcard cert, and not using security.acme.defaults.XXX for setting dnsProvider settings.)