pinpox/infra
1
0
Fork 0
forked from pub-solar/infra
Code Pull requests Activity

garage: fix wildcard DNS cert renewal with wildcard

Browse source 
CNAME records

By usind wildcard CNAME records, we make lego think it needs to validate
challenges using these CNAME records. We actually want regular
_acme-challenge.* records, so use a environment variable to avoid CNAME
detection. This fixes DNS cert renewal. Still curious? See:
https://letsencrypt.org/2019/10/09/onboarding-your-customers-with-lets-encrypt-and-acme/
This commit is contained in:
teutat3s 2024-10-23 20:18:57 +02:00
parent 0ae6bc637b
commit 9758aeda5d
Signed by untrusted user: teutat3s
GPG key ID: 4FA1D3FA524F22C1
2 changed files with 47 additions and 46 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
modules/garage/default.nix
View file

@ -31,6 +31,8 @@
security.acme = { security.acme = {
defaults = { defaults = {
# LEGO_DISABLE_CNAME_SUPPORT=true set here to fix issues with CNAME
# detection, as we use wildcard DNS for garage
environmentFile = config.age.secrets.acme-namecheap-env.path; environmentFile = config.age.secrets.acme-namecheap-env.path;
}; };
certs = { certs = {
@ -40,7 +42,6 @@
webroot = null; webroot = null;
# enable dns challenge # enable dns challenge
dnsProvider = "namecheap"; dnsProvider = "namecheap";
dnsPropagationCheck = false;
}; };
# Wildcard certificate gets created automatically # Wildcard certificate gets created automatically
"web.${config.pub-solar-os.networking.domain}" = { "web.${config.pub-solar-os.networking.domain}" = {
@ -48,7 +49,6 @@
webroot = null; webroot = null;
# enable dns challenge # enable dns challenge
dnsProvider = "namecheap"; dnsProvider = "namecheap";
dnsPropagationCheck = false;
}; };
}; };
}; };

89
secrets/acme-namecheap-env.age
View file

@ -1,47 +1,48 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 NID4eA ST5vuBY34mBdhLIkNLqaIOY9Bbp34OcNCm5t39OpR1U -> ssh-ed25519 NID4eA WtfgDmnK5l9s9DMhWgmk+tel+/uqPx8SHBd0qfWY3jk
abFLT6kV7/nX/wSV+V/2GSCa2vOuZgCnn5edh5ixNxg ZS3Qu4v3pnA+lYzJ3kad7T3LhcY7oE8fPsGQ1uQH1AA
-> ssh-ed25519 9RQHxg AXA6PsHeeFJh55sX5uO+HVshRlRzNxvSIGCpPChorUA -> ssh-ed25519 9RQHxg SpHG3ijNizTi1YXvZCJS79Uwt4oGkYzqIme+eqQi9AQ
30i8zc2wjovEn0LLh8YzUupRGeQQqeMf6Mhkx2t5xhk GqVhyfaTF6tLwuo0vIby0vBv3JufHz59IdNX9ifWtSA
-> ssh-ed25519 eP5MMw ZXLt8+mk1I4CtbXe7fAW69kbHViKHSmfI5N0bU738yc -> ssh-ed25519 eP5MMw 9uU7tlyOzOxlsW/bfUmzjgicU3i2J5uCGWEVIljnHiM
lexop3bpWsTUdd3y5y0kODgKwhdOeF76Meavv/Br54M tDJdTB1rBJTXVaGFOOmtG5n2Ae0XOCsi41S0EagRmeM
-> ssh-ed25519 uYcDNw UdYgsm2ZxtFOPXV9pnSt5d7K/hWfrg2GoVzG48ziOFc -> ssh-ed25519 uYcDNw ge+lEVE8+pS/S+eO+6sPqo/czym30CJbQnhTp11NsW4
EXvAGb9aPu3GLsjl0QXEQgVuiHKSrQaMEW0UBcQmpZA jxL7Xhn/7JRylJ/JbeGkmhMMeJ8G2KPEKVVq1icQXKU
-> ssh-rsa f5THog -> ssh-rsa f5THog
r7bcUkt6dUxG5uYuLYfpfT+/DrConi8lzZwXQr/NTPc0NduG5qHktgesVpVN1Hyj Ybod3f7gvCiBUcNyLV6AXoBchtRGspQah9JwygSGCtBKmWPOUSw3/DVva9nPVwHB
a9ziumKtnSxmhdzJESRMezkQG7fK7qpjQI99tYmIM3unjq/dg8/GTQbMKnZY57o+ q4t05bEHINMZIoWy4l3VQ1jw+GTxW+6OeWDHrxHOG2hlu1/OT0tZnsQIjWwT/6Sg
Itu0LW9MKH83Z/3Vcv3qLZmULtcsfcXqjwIr2SDOjjsMhENG4KmOzX6wOVYuSWkp fzy6X04yD2ADkwHH6VJYjC2Lxa7kEOeCeKOACyyab7rlXk+HauytUDlcF3Nl3nOc
96fSGuFCy5cWrd6omfcqwQDGHd7APw6+bHwQ2rhCqkGSk+fAjJFEVgjKYowHtt+5 JQZzfwIORU0XWVy+gDocwVqDaRJXZxhMW8oDjlU8BKgf/DpvExLfuZ9AHHJBU0Y9
sq1a7E5xZjNAETU9xw+baehMCXwSAuUdYGK5KTLtCar3c+FLPUtfapadsAR65iB5 HefbTbGO1s5J0T+HEkuIDce9iPQEe8ufaSVO6tKyHpgguIAiLIkjqrdLNRmXv/y8
/uqoRLZidpFkFl1yDsboo0uq0esRSrb9xy0KXIR7XeKaEjSKKgwFeefZrQ1Z968f 9W653Xqar7fimd/sykb4K/PpdwvQcB9Ogy23t6s3Qxz5yPtC2m8IC3lgR+N+/nJO
opXm/rmgkh202vO2NLQfDUz81hBrW+JH6E/SmKIYGYFIauoaxmYWzpaSmq7IAfIj n29QuXFBNUZu/QBXnWMS2QF09MGE2aav/CiwFuNiTf5D4UGGN3Y7XhX/KVOFJTZX
2pxVyz74ryaYU9brJB/LsWc0elCcl1zo/e0OcxaLzzocDftpNk+dmYNQ5GuLFV9K r1GLtch6rvD9RtfyKxAdbtCqbBEQJmoiut9ia5EzG4TvdPAE4XK3QNTn2BSmfjvI
uKh9uOopqTcrSLKiQ3Jnvsj5LEltv7oJE4u2OZyR6erCpz6ZL0bb2xJ+EkRTuvq5 3aXiXOFSbdJqkxyI6ZU2mUMMor3OWrXxWizDDYef6iHZxGlWFqA/kVXyZgdwTK9n
2ktXvSCMOWp0j7pHDeMQaldU656w0AS9JgoOSl22euZBFC1qxwvymFYNPLAAQBTU 8Re6SYR8roH7T35eILzP4sskElN32UO/A+JyGfP1lOclGTlOrtp4HYTfY0NhhRJT
bojIYFtJQGv3hrCgAWSJXL5yEcVVBUQV4GU0EAelq6k L7YIB0pNbaRxMBsxsxwU47j3qMkaO1uzP+DgpUacWJY
-> ssh-rsa kFDS0A -> ssh-rsa kFDS0A
dc3I3vVWe3V5XtUaNsIuFdes+nN7D981BPS9CdyQv/lDHf+G+KecyqeqPF1ZHq/F GJjiIApapBS6F8pmh6lblCHG3FlVWL+WKN1Gi2u/6Pa1YbkiBCgYFTQBwm5GsBMR
emnfGZDGjemSjd5hPDLkFKQ2zmKH+qabH5s2YYH3OgQc4xtdVfuhfEH+MAgO2ajy 4tQwRJcQQDGgGddIH4/QcMAl1fTYLm3N1w8rueywgAbOwaWktKnJFYTj7lS6PSNr
1PFAu9qyCXz8h30LIcXI69rILAUPrFbWGFxfAEAjV5PXdOj9BcDDpa6vafY9etVL bZyqyiGvgi0oYYSVjRnm7MmCrycuKmhcGHv1ijj5J8yOxe6qFsomsn9QZm1DmR/m
mQQYSIyocUkFNhYUAivXcNzQEW5RY1sJkW4184BTdNyqnjBd1QtIRryssaod3rC6 EZmc5DIYXjhuauzGgqtPVmjHi6hXTN8NX7Fg81aegko79yA12hmyHmaBj4P96Kqv
oGfxFUoOSG0o4QtrZfoo7Re8sR5gLVZrjBsoUAihQ/PgTk69JRsmAHef63rfNHO/ RyWZ9Moc3ccyxq74jNzp0eFuPNhUJuNBqrKozCc2Lo3KQAmoqI27THkF/HA8ECGP
4tmQzDA2F+cj1HtPPqpyetBRoxaRmJiNy4pmEkxFh3I9YSYdWPCDm6ntXcxi6KNK BJDK7JdHBXyHhf/Fc5O5xOxHieIU8tHR0LLJn7VEvQyqTlKmWkZ5J53AqE8UDmm9
G41LzGy882EsiXeKAtX88FndEv70Ks7aXCk8RKiCJDRWUQAZhKfWN4/epZRwRupI 0gY6zFh7h3SjyBwqktzGJ9zXn3bp4fpg0M1+SaYp9Qf6hkJ9k79Zth4s4ggxgvOl
ESceZCAElqI1QDyFnfuvDRkgjvyCeMqRG0vvgvTQdUW/2CSADeqKe0/MwNiwWFGJ veib2sg3PCmL1OCMPMtyW3JkKsq0J+PtJdlAC9cmVvfvAMHKy2+aADsLt0H8Cpt2
g8jg9zZk7lT6AiqsclsmbW6hLA/+Gh8Yn7uuix57NxlNcB/MFoKVhLRlEfqSQz3O cNOxbnU29eLWgG9uzcCXfqqNtmSia6LUMu71GahAuteZUV8RnDOZdCNW4U2Ohnq/
ZeEs0aGS5Q3GB1Up5dh5ug7QiMxNyGPKtZKCfE/fcVriGV1s7mdMk/v6DBGRDZYP 9znMqERVo0d3LgjaB0P3HXCCqhVFYTTDWg31R6N2RzSh7mb02CFgt7N+vHleQqAo
cZT2eCqO4CR498DcZmEGmblzM5j5HecoIT1MRlpKGnE G/6Pb+kKYSEbU884z95+o56eQrvPunCN9Vu1CjEBfG4
-> piv-p256 vRzPNw ApGjOu3qnsHn8q8MRNsM+hK8FdQa7c4mjWvBDgV6zzYr -> piv-p256 vRzPNw A2dcPImS0ih5CjePQP5oPrPfwns6zAMP0J72P7fyzD/A
zLZTP4agbTP96RdSDRaQE0QLCdiAw7PVgS7vqHCiOc0 p46umKyZjbc1MjOQGnJIRu6V99O+/PmVXQvryX/9XW4
-> piv-p256 zqq/iw A1RFt8g45pY/xKZHYRcrIKFWWVu1moRiEqYUNFzIMQnq -> piv-p256 zqq/iw A5nBHU2O+bxsFqplf2GV6pK5wQ+hJ9l7tyFIe57QVKzw
NLOrT+6BNE0Oj/RbTZ08y75o2+/Ze2iFEHU08WDkUPo Ik6aUY3t4geZ3yiWPqBGlBem9xNU83x7t3UA7pYB55I
-> ssh-ed25519 YFSOsg rHIQYA0LpOtjV/Qy5FvsLkICwAHny1wcRji2t+nk7Uk -> ssh-ed25519 YFSOsg OhynWXlurzqU3ohq1ecH018Ja4wyWazDLv6isajeBUE
yvU8CdJAvt1TUlC8GjdBWvV49UzPJsrGSdjM1SBk3KE Xnjo8yS9IkMwCGNeLi6BABYxjXDLbpuTrVfwAxjDWdQ
-> ssh-ed25519 iHV63A cTbbkXP0/MCZopICjPI4FlFPNhwJUQRzfhvkQ+0tMW0 -> ssh-ed25519 iHV63A 5CVIOtSwima5gIvwoAYExcy1tfOo8942RQ+SsflPbAM
WQYU05l05fp9WriD/DcImXpq1QxtGYt9HMCQZEvFmv4 4HV21GcuyddIjonOZZFgjgpR5smjce7OlMN3DCy0/sU
-> ssh-ed25519 BVsyTA d/HQ6tLuyFmCbWNx2Y34f3lX7wmHkRjnXle4y7DYiC0 -> ssh-ed25519 BVsyTA mkLu2Vpr16bAZWimh6sViq5HlB1+lNOc2WPCxzgfqAg
TLk1E+wSdZjoNEhn6VYjVg9WUOU7Flntx0+lF4AY/kQ cIDgWit139jipd7XmZcT8mTRDKK8rJV9xIxIaPVL9pM
-> ssh-ed25519 +3V2lQ Pjkt+aKYUa9w4qELEpYc6bm2EfBPf0HhmHAXAfix3wA -> ssh-ed25519 +3V2lQ eqfktAyV2Pia7T7XEfcYiHN9Jd4zivMzJk3in4XOTx0
zL+wczUJ632M+9PSEWTLc0UikNL1QSFyjuaKqvY8NQo gZzO+MTyBOJR1EgGn4Mhh4rnIyr3N9gmlFty83ou+GU
--- +CyD1ByF5fDQgtfi7NfiASk8ldY8LOJE/nOUe/JnSFE --- yJrzTzStOkRCNRu3Y+knfqTqHrwW0S0Bsko7oG/s86o
^QlÚH2ü¬(¢B¸ ²ŸÔÑêž^¬•¬qa;Y[bIÛ¡øcú7Çß[YŽýëÙ«)ÐðÀqa,Rcƒür<C3BC>^Le’ÈnØ~¶w<­œU†—û3ë„~n°<6E>™QS0ŽÐ«Ì ®,Bgm°þ÷€fåT¾èä`1†&1³%7Q˜(¯•¸Ÿ:?ßÝ
êÎø—æ‡ðj£ùÄO_rqwÃÏi£O®´D·)@0•ZK'óô+apU§<Ö`ºõµœctª. þ¡<C3BE>ÌXÇNæ+íŒÂh†Ù=‰'‡VÑn^HHöv±5aa²nKÝþ×