pub-solar/infra
6
1
Fork 3
Code Issues 23 Pull requests 10 Actions Packages Projects 1 Releases Wiki Activity

garage: fix wildcard DNS cert renewal with wildcard
All checks were successful
Flake checks / Check (pull_request) Successful in 20m13s
Details

Browse source 
CNAME records

By usind wildcard CNAME records, we make lego think it needs to validate
challenges using these CNAME records. We actually want regular
_acme-challenge.* records, so use a environment variable to avoid CNAME
detection. This fixes DNS cert renewal. Still curious? See:
https://letsencrypt.org/2019/10/09/onboarding-your-customers-with-lets-encrypt-and-acme/
This commit is contained in:
teutat3s 2024-10-23 20:18:57 +02:00
parent 0ae6bc637b
commit 9758aeda5d
Signed by: teutat3s
GPG key ID: 4FA1D3FA524F22C1
2 changed files with 47 additions and 46 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
modules/garage/default.nix
View file

@ -31,6 +31,8 @@
security.acme = {
defaults = {
# LEGO_DISABLE_CNAME_SUPPORT=true set here to fix issues with CNAME
# detection, as we use wildcard DNS for garage
environmentFile = config.age.secrets.acme-namecheap-env.path;
};
certs = {
@ -40,7 +42,6 @@
webroot = null;
# enable dns challenge
dnsProvider = "namecheap";
dnsPropagationCheck = false;
};
# Wildcard certificate gets created automatically
"web.${config.pub-solar-os.networking.domain}" = {
@ -48,7 +49,6 @@
webroot = null;
# enable dns challenge
dnsProvider = "namecheap";
dnsPropagationCheck = false;
};
};
};

89
secrets/acme-namecheap-env.age
View file

@ -1,47 +1,48 @@
age-encryption.org/v1
-> ssh-ed25519 NID4eA ST5vuBY34mBdhLIkNLqaIOY9Bbp34OcNCm5t39OpR1U
abFLT6kV7/nX/wSV+V/2GSCa2vOuZgCnn5edh5ixNxg
-> ssh-ed25519 9RQHxg AXA6PsHeeFJh55sX5uO+HVshRlRzNxvSIGCpPChorUA
30i8zc2wjovEn0LLh8YzUupRGeQQqeMf6Mhkx2t5xhk
-> ssh-ed25519 eP5MMw ZXLt8+mk1I4CtbXe7fAW69kbHViKHSmfI5N0bU738yc
lexop3bpWsTUdd3y5y0kODgKwhdOeF76Meavv/Br54M
-> ssh-ed25519 uYcDNw UdYgsm2ZxtFOPXV9pnSt5d7K/hWfrg2GoVzG48ziOFc
EXvAGb9aPu3GLsjl0QXEQgVuiHKSrQaMEW0UBcQmpZA
-> ssh-ed25519 NID4eA WtfgDmnK5l9s9DMhWgmk+tel+/uqPx8SHBd0qfWY3jk
ZS3Qu4v3pnA+lYzJ3kad7T3LhcY7oE8fPsGQ1uQH1AA
-> ssh-ed25519 9RQHxg SpHG3ijNizTi1YXvZCJS79Uwt4oGkYzqIme+eqQi9AQ
GqVhyfaTF6tLwuo0vIby0vBv3JufHz59IdNX9ifWtSA
-> ssh-ed25519 eP5MMw 9uU7tlyOzOxlsW/bfUmzjgicU3i2J5uCGWEVIljnHiM
tDJdTB1rBJTXVaGFOOmtG5n2Ae0XOCsi41S0EagRmeM
-> ssh-ed25519 uYcDNw ge+lEVE8+pS/S+eO+6sPqo/czym30CJbQnhTp11NsW4
jxL7Xhn/7JRylJ/JbeGkmhMMeJ8G2KPEKVVq1icQXKU
-> ssh-rsa f5THog
r7bcUkt6dUxG5uYuLYfpfT+/DrConi8lzZwXQr/NTPc0NduG5qHktgesVpVN1Hyj
a9ziumKtnSxmhdzJESRMezkQG7fK7qpjQI99tYmIM3unjq/dg8/GTQbMKnZY57o+
Itu0LW9MKH83Z/3Vcv3qLZmULtcsfcXqjwIr2SDOjjsMhENG4KmOzX6wOVYuSWkp
96fSGuFCy5cWrd6omfcqwQDGHd7APw6+bHwQ2rhCqkGSk+fAjJFEVgjKYowHtt+5
sq1a7E5xZjNAETU9xw+baehMCXwSAuUdYGK5KTLtCar3c+FLPUtfapadsAR65iB5
/uqoRLZidpFkFl1yDsboo0uq0esRSrb9xy0KXIR7XeKaEjSKKgwFeefZrQ1Z968f
opXm/rmgkh202vO2NLQfDUz81hBrW+JH6E/SmKIYGYFIauoaxmYWzpaSmq7IAfIj
2pxVyz74ryaYU9brJB/LsWc0elCcl1zo/e0OcxaLzzocDftpNk+dmYNQ5GuLFV9K
uKh9uOopqTcrSLKiQ3Jnvsj5LEltv7oJE4u2OZyR6erCpz6ZL0bb2xJ+EkRTuvq5
2ktXvSCMOWp0j7pHDeMQaldU656w0AS9JgoOSl22euZBFC1qxwvymFYNPLAAQBTU
bojIYFtJQGv3hrCgAWSJXL5yEcVVBUQV4GU0EAelq6k
Ybod3f7gvCiBUcNyLV6AXoBchtRGspQah9JwygSGCtBKmWPOUSw3/DVva9nPVwHB
q4t05bEHINMZIoWy4l3VQ1jw+GTxW+6OeWDHrxHOG2hlu1/OT0tZnsQIjWwT/6Sg
fzy6X04yD2ADkwHH6VJYjC2Lxa7kEOeCeKOACyyab7rlXk+HauytUDlcF3Nl3nOc
JQZzfwIORU0XWVy+gDocwVqDaRJXZxhMW8oDjlU8BKgf/DpvExLfuZ9AHHJBU0Y9
HefbTbGO1s5J0T+HEkuIDce9iPQEe8ufaSVO6tKyHpgguIAiLIkjqrdLNRmXv/y8
9W653Xqar7fimd/sykb4K/PpdwvQcB9Ogy23t6s3Qxz5yPtC2m8IC3lgR+N+/nJO
n29QuXFBNUZu/QBXnWMS2QF09MGE2aav/CiwFuNiTf5D4UGGN3Y7XhX/KVOFJTZX
r1GLtch6rvD9RtfyKxAdbtCqbBEQJmoiut9ia5EzG4TvdPAE4XK3QNTn2BSmfjvI
3aXiXOFSbdJqkxyI6ZU2mUMMor3OWrXxWizDDYef6iHZxGlWFqA/kVXyZgdwTK9n
8Re6SYR8roH7T35eILzP4sskElN32UO/A+JyGfP1lOclGTlOrtp4HYTfY0NhhRJT
L7YIB0pNbaRxMBsxsxwU47j3qMkaO1uzP+DgpUacWJY
-> ssh-rsa kFDS0A
dc3I3vVWe3V5XtUaNsIuFdes+nN7D981BPS9CdyQv/lDHf+G+KecyqeqPF1ZHq/F
emnfGZDGjemSjd5hPDLkFKQ2zmKH+qabH5s2YYH3OgQc4xtdVfuhfEH+MAgO2ajy
1PFAu9qyCXz8h30LIcXI69rILAUPrFbWGFxfAEAjV5PXdOj9BcDDpa6vafY9etVL
mQQYSIyocUkFNhYUAivXcNzQEW5RY1sJkW4184BTdNyqnjBd1QtIRryssaod3rC6
oGfxFUoOSG0o4QtrZfoo7Re8sR5gLVZrjBsoUAihQ/PgTk69JRsmAHef63rfNHO/
4tmQzDA2F+cj1HtPPqpyetBRoxaRmJiNy4pmEkxFh3I9YSYdWPCDm6ntXcxi6KNK
G41LzGy882EsiXeKAtX88FndEv70Ks7aXCk8RKiCJDRWUQAZhKfWN4/epZRwRupI
ESceZCAElqI1QDyFnfuvDRkgjvyCeMqRG0vvgvTQdUW/2CSADeqKe0/MwNiwWFGJ
g8jg9zZk7lT6AiqsclsmbW6hLA/+Gh8Yn7uuix57NxlNcB/MFoKVhLRlEfqSQz3O
ZeEs0aGS5Q3GB1Up5dh5ug7QiMxNyGPKtZKCfE/fcVriGV1s7mdMk/v6DBGRDZYP
cZT2eCqO4CR498DcZmEGmblzM5j5HecoIT1MRlpKGnE
-> piv-p256 vRzPNw ApGjOu3qnsHn8q8MRNsM+hK8FdQa7c4mjWvBDgV6zzYr
zLZTP4agbTP96RdSDRaQE0QLCdiAw7PVgS7vqHCiOc0
-> piv-p256 zqq/iw A1RFt8g45pY/xKZHYRcrIKFWWVu1moRiEqYUNFzIMQnq
NLOrT+6BNE0Oj/RbTZ08y75o2+/Ze2iFEHU08WDkUPo
-> ssh-ed25519 YFSOsg rHIQYA0LpOtjV/Qy5FvsLkICwAHny1wcRji2t+nk7Uk
yvU8CdJAvt1TUlC8GjdBWvV49UzPJsrGSdjM1SBk3KE
-> ssh-ed25519 iHV63A cTbbkXP0/MCZopICjPI4FlFPNhwJUQRzfhvkQ+0tMW0
WQYU05l05fp9WriD/DcImXpq1QxtGYt9HMCQZEvFmv4
-> ssh-ed25519 BVsyTA d/HQ6tLuyFmCbWNx2Y34f3lX7wmHkRjnXle4y7DYiC0
TLk1E+wSdZjoNEhn6VYjVg9WUOU7Flntx0+lF4AY/kQ
-> ssh-ed25519 +3V2lQ Pjkt+aKYUa9w4qELEpYc6bm2EfBPf0HhmHAXAfix3wA
zL+wczUJ632M+9PSEWTLc0UikNL1QSFyjuaKqvY8NQo
--- +CyD1ByF5fDQgtfi7NfiASk8ldY8LOJE/nOUe/JnSFE
^QlÚH2ü¬(¢B¸ ²ŸÔÑêž^¬•¬qa;Y[bIÛ¡øcú7Çß[YŽýëÙ«)ÐðÀqa,Rcƒür<C3BC>^Le’ÈnØ~¶w<­œU†—û3ë„~n°<6E>™QS0ŽÐ«Ì
GJjiIApapBS6F8pmh6lblCHG3FlVWL+WKN1Gi2u/6Pa1YbkiBCgYFTQBwm5GsBMR
4tQwRJcQQDGgGddIH4/QcMAl1fTYLm3N1w8rueywgAbOwaWktKnJFYTj7lS6PSNr
bZyqyiGvgi0oYYSVjRnm7MmCrycuKmhcGHv1ijj5J8yOxe6qFsomsn9QZm1DmR/m
EZmc5DIYXjhuauzGgqtPVmjHi6hXTN8NX7Fg81aegko79yA12hmyHmaBj4P96Kqv
RyWZ9Moc3ccyxq74jNzp0eFuPNhUJuNBqrKozCc2Lo3KQAmoqI27THkF/HA8ECGP
BJDK7JdHBXyHhf/Fc5O5xOxHieIU8tHR0LLJn7VEvQyqTlKmWkZ5J53AqE8UDmm9
0gY6zFh7h3SjyBwqktzGJ9zXn3bp4fpg0M1+SaYp9Qf6hkJ9k79Zth4s4ggxgvOl
veib2sg3PCmL1OCMPMtyW3JkKsq0J+PtJdlAC9cmVvfvAMHKy2+aADsLt0H8Cpt2
cNOxbnU29eLWgG9uzcCXfqqNtmSia6LUMu71GahAuteZUV8RnDOZdCNW4U2Ohnq/
9znMqERVo0d3LgjaB0P3HXCCqhVFYTTDWg31R6N2RzSh7mb02CFgt7N+vHleQqAo
G/6Pb+kKYSEbU884z95+o56eQrvPunCN9Vu1CjEBfG4
-> piv-p256 vRzPNw A2dcPImS0ih5CjePQP5oPrPfwns6zAMP0J72P7fyzD/A
p46umKyZjbc1MjOQGnJIRu6V99O+/PmVXQvryX/9XW4
-> piv-p256 zqq/iw A5nBHU2O+bxsFqplf2GV6pK5wQ+hJ9l7tyFIe57QVKzw
Ik6aUY3t4geZ3yiWPqBGlBem9xNU83x7t3UA7pYB55I
-> ssh-ed25519 YFSOsg OhynWXlurzqU3ohq1ecH018Ja4wyWazDLv6isajeBUE
Xnjo8yS9IkMwCGNeLi6BABYxjXDLbpuTrVfwAxjDWdQ
-> ssh-ed25519 iHV63A 5CVIOtSwima5gIvwoAYExcy1tfOo8942RQ+SsflPbAM
4HV21GcuyddIjonOZZFgjgpR5smjce7OlMN3DCy0/sU
-> ssh-ed25519 BVsyTA mkLu2Vpr16bAZWimh6sViq5HlB1+lNOc2WPCxzgfqAg
cIDgWit139jipd7XmZcT8mTRDKK8rJV9xIxIaPVL9pM
-> ssh-ed25519 +3V2lQ eqfktAyV2Pia7T7XEfcYiHN9Jd4zivMzJk3in4XOTx0
gZzO+MTyBOJR1EgGn4Mhh4rnIyr3N9gmlFty83ou+GU
--- yJrzTzStOkRCNRu3Y+knfqTqHrwW0S0Bsko7oG/s86o
®,Bgm°þ÷€fåT¾èä`1†&1³%7Q˜(¯•¸Ÿ:?ßÝ
êÎø—æ‡ðj£ùÄO_rqwÃÏi£O®´D·)@0•ZK'óô+apU§<Ö`ºõµœctª. þ¡<C3BE>ÌXÇNæ+íŒÂh†Ù=‰'‡VÑn^HHöv±5aa²nKÝþ×