From 9758aeda5d0b6fda3e1a07ddc0b992a29e340be4 Mon Sep 17 00:00:00 2001
From: teutat3s
Date: Wed, 23 Oct 2024 20:18:57 +0200
Subject: [PATCH] garage: fix wildcard DNS cert renewal with wildcard CNAME records

By usind wildcard CNAME records, we make lego think it needs to validate challenges using these CNAME records. We actually want regular _acme-challenge.* records, so use a environment variable to avoid CNAME detection. This fixes DNS cert renewal. Still curious? See: https://letsencrypt.org/2019/10/09/onboarding-your-customers-with-lets-encrypt-and-acme/
---
 modules/garage/default.nix | 4 +-
 secrets/acme-namecheap-env.age | 89 +++++++++++++++++-----------------
 2 files changed, 47 insertions(+), 46 deletions(-)

diff --git a/modules/garage/default.nix b/modules/garage/default.nix
index 9f3dec4b..68b9bcaf 100644
--- a/modules/garage/default.nix
+++ b/modules/garage/default.nix
@@ -31,6 +31,8 @@
 
 security.acme = {
 defaults = {
+ # LEGO_DISABLE_CNAME_SUPPORT=true set here to fix issues with CNAME
+ # detection, as we use wildcard DNS for garage
 environmentFile = config.age.secrets.acme-namecheap-env.path;
 };
 certs = {
@@ -40,7 +42,6 @@
 webroot = null;
 # enable dns challenge
 dnsProvider = "namecheap";
- dnsPropagationCheck = false;
 };
 # Wildcard certificate gets created automatically
 "web.${config.pub-solar-os.networking.domain}" = {
@@ -48,7 +49,6 @@
 webroot = null;
 # enable dns challenge
 dnsProvider = "namecheap";
- dnsPropagationCheck = false;
 };
 };
 };
diff --git a/secrets/acme-namecheap-env.age b/secrets/acme-namecheap-env.age
index 4a90b58f..684c30fe 100644
--- a/secrets/acme-namecheap-env.age
+++ b/secrets/acme-namecheap-env.age
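Review bot: The comment added after `defaults = {` says `LEGO_DISABLE_CNAME_SUPPORT=true set here`, but nothing in this module sets it; the variable presumably lives in the age-encrypted file referenced by `environmentFile` on the next line, which this commit also rewrites. A reader of the Nix code therefore cannot see or verify the setting, and whoever re-encrypts that secret later can drop it without any visible diff, so the comment should name the real location, e.g. `# The encrypted environmentFile below also sets LEGO_DISABLE_CNAME_SUPPORT=true,` / `# otherwise lego follows our wildcard CNAME records instead of the` / `# plain _acme-challenge TXT records and DNS-01 renewal fails.` Since the flag is not a credential, it is worth moving it out of the secret into plain, reviewable configuration so the credentials file holds only credentials. The two later hunks also delete `dnsPropagationCheck = false;` without the commit message saying why; a sentence tying that to the CNAME change would help future readers. The `security.acme` attribute set opened in this hunk continues past it.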
@@ -1,47 +1,48 @@ age-encryption.org/v1 --> ssh-ed25519 NID4eA ST5vuBY34mBdhLIkNLqaIOY9Bbp34OcNCm5t39OpR1U -abFLT6kV7/nX/wSV+V/2GSCa2vOuZgCnn5edh5ixNxg --> ssh-ed25519 9RQHxg AXA6PsHeeFJh55sX5uO+HVshRlRzNxvSIGCpPChorUA -30i8zc2wjovEn0LLh8YzUupRGeQQqeMf6Mhkx2t5xhk --> ssh-ed25519 eP5MMw ZXLt8+mk1I4CtbXe7fAW69kbHViKHSmfI5N0bU738yc -lexop3bpWsTUdd3y5y0kODgKwhdOeF76Meavv/Br54M --> ssh-ed25519 uYcDNw UdYgsm2ZxtFOPXV9pnSt5d7K/hWfrg2GoVzG48ziOFc -EXvAGb9aPu3GLsjl0QXEQgVuiHKSrQaMEW0UBcQmpZA +-> ssh-ed25519 NID4eA WtfgDmnK5l9s9DMhWgmk+tel+/uqPx8SHBd0qfWY3jk +ZS3Qu4v3pnA+lYzJ3kad7T3LhcY7oE8fPsGQ1uQH1AA +-> ssh-ed25519 9RQHxg SpHG3ijNizTi1YXvZCJS79Uwt4oGkYzqIme+eqQi9AQ +GqVhyfaTF6tLwuo0vIby0vBv3JufHz59IdNX9ifWtSA +-> ssh-ed25519 eP5MMw 9uU7tlyOzOxlsW/bfUmzjgicU3i2J5uCGWEVIljnHiM +tDJdTB1rBJTXVaGFOOmtG5n2Ae0XOCsi41S0EagRmeM +-> ssh-ed25519 uYcDNw ge+lEVE8+pS/S+eO+6sPqo/czym30CJbQnhTp11NsW4 +jxL7Xhn/7JRylJ/JbeGkmhMMeJ8G2KPEKVVq1icQXKU -> ssh-rsa f5THog -r7bcUkt6dUxG5uYuLYfpfT+/DrConi8lzZwXQr/NTPc0NduG5qHktgesVpVN1Hyj -a9ziumKtnSxmhdzJESRMezkQG7fK7qpjQI99tYmIM3unjq/dg8/GTQbMKnZY57o+ -Itu0LW9MKH83Z/3Vcv3qLZmULtcsfcXqjwIr2SDOjjsMhENG4KmOzX6wOVYuSWkp -96fSGuFCy5cWrd6omfcqwQDGHd7APw6+bHwQ2rhCqkGSk+fAjJFEVgjKYowHtt+5 -sq1a7E5xZjNAETU9xw+baehMCXwSAuUdYGK5KTLtCar3c+FLPUtfapadsAR65iB5 -/uqoRLZidpFkFl1yDsboo0uq0esRSrb9xy0KXIR7XeKaEjSKKgwFeefZrQ1Z968f -opXm/rmgkh202vO2NLQfDUz81hBrW+JH6E/SmKIYGYFIauoaxmYWzpaSmq7IAfIj -2pxVyz74ryaYU9brJB/LsWc0elCcl1zo/e0OcxaLzzocDftpNk+dmYNQ5GuLFV9K -uKh9uOopqTcrSLKiQ3Jnvsj5LEltv7oJE4u2OZyR6erCpz6ZL0bb2xJ+EkRTuvq5 -2ktXvSCMOWp0j7pHDeMQaldU656w0AS9JgoOSl22euZBFC1qxwvymFYNPLAAQBTU -bojIYFtJQGv3hrCgAWSJXL5yEcVVBUQV4GU0EAelq6k +Ybod3f7gvCiBUcNyLV6AXoBchtRGspQah9JwygSGCtBKmWPOUSw3/DVva9nPVwHB +q4t05bEHINMZIoWy4l3VQ1jw+GTxW+6OeWDHrxHOG2hlu1/OT0tZnsQIjWwT/6Sg +fzy6X04yD2ADkwHH6VJYjC2Lxa7kEOeCeKOACyyab7rlXk+HauytUDlcF3Nl3nOc +JQZzfwIORU0XWVy+gDocwVqDaRJXZxhMW8oDjlU8BKgf/DpvExLfuZ9AHHJBU0Y9 +HefbTbGO1s5J0T+HEkuIDce9iPQEe8ufaSVO6tKyHpgguIAiLIkjqrdLNRmXv/y8 
+9W653Xqar7fimd/sykb4K/PpdwvQcB9Ogy23t6s3Qxz5yPtC2m8IC3lgR+N+/nJO +n29QuXFBNUZu/QBXnWMS2QF09MGE2aav/CiwFuNiTf5D4UGGN3Y7XhX/KVOFJTZX +r1GLtch6rvD9RtfyKxAdbtCqbBEQJmoiut9ia5EzG4TvdPAE4XK3QNTn2BSmfjvI +3aXiXOFSbdJqkxyI6ZU2mUMMor3OWrXxWizDDYef6iHZxGlWFqA/kVXyZgdwTK9n +8Re6SYR8roH7T35eILzP4sskElN32UO/A+JyGfP1lOclGTlOrtp4HYTfY0NhhRJT +L7YIB0pNbaRxMBsxsxwU47j3qMkaO1uzP+DgpUacWJY -> ssh-rsa kFDS0A -dc3I3vVWe3V5XtUaNsIuFdes+nN7D981BPS9CdyQv/lDHf+G+KecyqeqPF1ZHq/F -emnfGZDGjemSjd5hPDLkFKQ2zmKH+qabH5s2YYH3OgQc4xtdVfuhfEH+MAgO2ajy -1PFAu9qyCXz8h30LIcXI69rILAUPrFbWGFxfAEAjV5PXdOj9BcDDpa6vafY9etVL -mQQYSIyocUkFNhYUAivXcNzQEW5RY1sJkW4184BTdNyqnjBd1QtIRryssaod3rC6 -oGfxFUoOSG0o4QtrZfoo7Re8sR5gLVZrjBsoUAihQ/PgTk69JRsmAHef63rfNHO/ -4tmQzDA2F+cj1HtPPqpyetBRoxaRmJiNy4pmEkxFh3I9YSYdWPCDm6ntXcxi6KNK -G41LzGy882EsiXeKAtX88FndEv70Ks7aXCk8RKiCJDRWUQAZhKfWN4/epZRwRupI -ESceZCAElqI1QDyFnfuvDRkgjvyCeMqRG0vvgvTQdUW/2CSADeqKe0/MwNiwWFGJ -g8jg9zZk7lT6AiqsclsmbW6hLA/+Gh8Yn7uuix57NxlNcB/MFoKVhLRlEfqSQz3O -ZeEs0aGS5Q3GB1Up5dh5ug7QiMxNyGPKtZKCfE/fcVriGV1s7mdMk/v6DBGRDZYP -cZT2eCqO4CR498DcZmEGmblzM5j5HecoIT1MRlpKGnE --> piv-p256 vRzPNw ApGjOu3qnsHn8q8MRNsM+hK8FdQa7c4mjWvBDgV6zzYr -zLZTP4agbTP96RdSDRaQE0QLCdiAw7PVgS7vqHCiOc0 --> piv-p256 zqq/iw A1RFt8g45pY/xKZHYRcrIKFWWVu1moRiEqYUNFzIMQnq -NLOrT+6BNE0Oj/RbTZ08y75o2+/Ze2iFEHU08WDkUPo --> ssh-ed25519 YFSOsg rHIQYA0LpOtjV/Qy5FvsLkICwAHny1wcRji2t+nk7Uk -yvU8CdJAvt1TUlC8GjdBWvV49UzPJsrGSdjM1SBk3KE --> ssh-ed25519 iHV63A cTbbkXP0/MCZopICjPI4FlFPNhwJUQRzfhvkQ+0tMW0 -WQYU05l05fp9WriD/DcImXpq1QxtGYt9HMCQZEvFmv4 --> ssh-ed25519 BVsyTA d/HQ6tLuyFmCbWNx2Y34f3lX7wmHkRjnXle4y7DYiC0 -TLk1E+wSdZjoNEhn6VYjVg9WUOU7Flntx0+lF4AY/kQ --> ssh-ed25519 +3V2lQ Pjkt+aKYUa9w4qELEpYc6bm2EfBPf0HhmHAXAfix3wA -zL+wczUJ632M+9PSEWTLc0UikNL1QSFyjuaKqvY8NQo ---- +CyD1ByF5fDQgtfi7NfiASk8ldY8LOJE/nOUe/JnSFE -^QlH2(B ^qa;Y[bIۡc7[YiMԑ٫)qa,Rcr^Len~w piv-p256 vRzPNw A2dcPImS0ih5CjePQP5oPrPfwns6zAMP0J72P7fyzD/A +p46umKyZjbc1MjOQGnJIRu6V99O+/PmVXQvryX/9XW4 +-> piv-p256 zqq/iw 
A5nBHU2O+bxsFqplf2GV6pK5wQ+hJ9l7tyFIe57QVKzw +Ik6aUY3t4geZ3yiWPqBGlBem9xNU83x7t3UA7pYB55I +-> ssh-ed25519 YFSOsg OhynWXlurzqU3ohq1ecH018Ja4wyWazDLv6isajeBUE +Xnjo8yS9IkMwCGNeLi6BABYxjXDLbpuTrVfwAxjDWdQ +-> ssh-ed25519 iHV63A 5CVIOtSwima5gIvwoAYExcy1tfOo8942RQ+SsflPbAM +4HV21GcuyddIjonOZZFgjgpR5smjce7OlMN3DCy0/sU +-> ssh-ed25519 BVsyTA mkLu2Vpr16bAZWimh6sViq5HlB1+lNOc2WPCxzgfqAg +cIDgWit139jipd7XmZcT8mTRDKK8rJV9xIxIaPVL9pM +-> ssh-ed25519 +3V2lQ eqfktAyV2Pia7T7XEfcYiHN9Jd4zivMzJk3in4XOTx0 +gZzO+MTyBOJR1EgGn4Mhh4rnIyr3N9gmlFty83ou+GU +--- yJrzTzStOkRCNRu3Y+knfqTqHrwW0S0Bsko7oG/s86o +,BgmfT`1&1%7Q(:? +jO_rqwiOD)@0ZK'+apU<`ct. XN+h='Vn^HHv5aanKDי \ No newline at end of file