Nixpkgs: No HTTPS after enabling ACME for nginx virtualHosts in 17.09

Created on 27 Dec 2017  ·  6 Comments  ·  Source: NixOS/nixpkgs

Issue description

When I add a virtual host with enableACME = true;, nixos-rebuild switch shows that the certificate issuing service unit fails with Dec 27 16:54:49 crow systemd[1]: acme-joseph-long.com.service: Main process exited, code=exited, status=2/INVALIDARGUMENT.

I thought it would be a good time to start using HTTPS when I threw out my old nginx config for a new virtualHosts data structure:

  # Enable nginx
  services.nginx = {
    enable = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    virtualHosts."joseph-long.com" = {
      serverAliases = [ "www.joseph-long.com" ];
      enableACME = true;
      forceSSL = true;
      locations."/" = {
        root = "/srv/www";
      };
    };
  };

However, when I nixos-rebuild switch:

building Nix...
building the system configuration...
updating GRUB 2 menu...
activating the configuration...
setting up /etc...
setting up tmpfiles
warning: the following units failed: acme-joseph-long.com.service

● acme-joseph-long.com.service - Renew ACME Certificate for joseph-long.com
   Loaded: loaded (/nix/store/vn8sg33q7v4v7i116zg3bfm49z7i1ynz-unit-acme-joseph-long.com.service/acme-joseph-long.com.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Wed 2017-12-27 16:54:49 EST; 16ms ago
  Process: 28680 ExecStopPost=/nix/store/nd1nz5gy7y6nafshgra99bpsq6zlp5gw-unit-script/bin/acme-joseph-long.com-post-stop (code=exited, status=0/SUCCESS)
  Process: 28675 ExecStart=/nix/store/xrdf1jqxv5jwfv9iyqddr6sf9lj2lm18-unit-script/bin/acme-joseph-long.com-start (code=exited, status=2)
  Process: 28667 ExecStartPre=/nix/store/zw9nl0iicip3bla5bxxj9bawcccaq3bx-unit-script/bin/acme-joseph-long.com-pre-start (code=exited, status=0/SUCCESS)
 Main PID: 28675 (code=exited, status=2)

Dec 27 16:54:48 crow acme-joseph-long.com-start[28675]:   "contact": [],
Dec 27 16:54:48 crow acme-joseph-long.com-start[28675]:   "initialIp": "2001:19f0:300:33d0:5400:ff:fe1a:f2ba",
Dec 27 16:54:48 crow acme-joseph-long.com-start[28675]:   "createdAt": "2017-12-27T21:54:48.784811968Z",
Dec 27 16:54:48 crow acme-joseph-long.com-start[28675]:   "Status": "valid"
Dec 27 16:54:48 crow acme-joseph-long.com-start[28675]: }
Dec 27 16:54:48 crow acme-joseph-long.com-start[28675]: 2017-12-27 21:54:48,832:DEBUG:acme.client:666: Storing nonce: [...]
Dec 27 16:54:49 crow systemd[1]: acme-joseph-long.com.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
Dec 27 16:54:49 crow systemd[1]: Failed to start Renew ACME Certificate for joseph-long.com.
Dec 27 16:54:49 crow systemd[1]: acme-joseph-long.com.service: Unit entered failed state.
Dec 27 16:54:49 crow systemd[1]: acme-joseph-long.com.service: Failed with result 'exit-code'.
warning: error(s) occurred while switching to the new configuration

Steps to reproduce

I don't have a spare box to test on, but I believe that adding an nginx virtualHost with enableACME = true; forceSSL = true; and rebuilding is enough.

Technical details

$ nix-shell -p nix-info --run "nix-info -m"
 - system: `"x86_64-linux"`
 - host os: `Linux 4.9.61, NixOS, 17.09.2033.0c5a587eeb (Hummingbird)`
 - multi-user?: `yes`
 - sandbox: `no`
 - version: `nix-env (Nix) 1.11.15`
 - channels(root): `"nixos-17.09.2033.0c5a587eeb"`
 - channels(josephoenix): `""`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos/nixpkgs`

All 6 comments

I realized I hadn't done nixos-rebuild switch --upgrade or that there were newer commits on 17.09.

No longer getting the above error, but not getting HTTPS.

$ curl -i https://127.0.0.1
curl: (7) Failed to connect to 127.0.0.1 port 443: Connection refused

(I checked and I have networking.firewall.allowedTCPPorts = [ 80 443 8000 8080 ];.)

Contents of 6mvj4mlb8ldpa33wdp2i13fq6a81r3d8-nginx.conf

user nginx nginx;
error_log stderr;
daemon off;

events {
}

http {
  include /nix/store/hzfvxq1g1awvzabhhzlmbgsyfxarf9f8-nginx-1.12.1/conf/mime.types;
  include /nix/store/hzfvxq1g1awvzabhhzlmbgsyfxarf9f8-nginx-1.12.1/conf/fastcgi.conf;
  include /nix/store/hzfvxq1g1awvzabhhzlmbgsyfxarf9f8-nginx-1.12.1/conf/uwsgi_params;

  # optimisation
  sendfile on;
  tcp_nopush on;
  tcp_nodelay on;
  keepalive_timeout 65;
  types_hash_max_size 2048;

  ssl_protocols TLSv1.2;
  ssl_ciphers EECDH+aRSA+AESGCM:EDH+aRSA:EECDH+aRSA:+AES256:+AES128:+SHA1:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL;
  ssl_session_cache shared:SSL:42m;
  ssl_session_timeout 23m;
  ssl_ecdh_curve secp384r1;
  ssl_prefer_server_ciphers on;
  ssl_stapling on;
  ssl_stapling_verify on;

  gzip on;
  gzip_disable "msie6";
  gzip_proxied any;
  gzip_comp_level 9;
  gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
  gzip_vary on;

  proxy_redirect          off;
  proxy_connect_timeout   90;
  proxy_send_timeout      90;
  proxy_read_timeout      90;
  proxy_http_version      1.0;
  include /nix/store/1xx57vizpzwz22b0al0cwbqv8sp9zyix-nginx-recommended-proxy-headers.conf;

  # $connection_upgrade is used for websocket proxying
  map $http_upgrade $connection_upgrade {
      default upgrade;
      ''      close;
  }
  client_max_body_size 10m;

  server_tokens off;

  server {
    listen 0.0.0.0:80 ;
    listen [::]:80 ;
    server_name joseph-long.com www.joseph-long.com;
    location /.well-known/acme-challenge {
      root /var/lib/acme/acme-challenge;
      auth_basic off;
    }

    location / {
      root /srv/www;
    }
  }
}





What's the output of systemctl status nginx and journalctl -eu nginx?

journalctl -eu nginx

Dec 27 17:45:53 crow systemd[1]: nginx.service: Current command vanished from the unit file, execution of the command list won't be resumed.
Dec 27 17:45:53 crow systemd[1]: Stopping Nginx Web Server...
Dec 27 17:46:07 crow systemd[1]: Reloading Nginx Web Server.
Dec 27 17:46:07 crow systemd[1]: Reloaded Nginx Web Server.

followed by a bunch of 404 errors

systemctl status nginx

$ systemctl status nginx
● nginx.service - Nginx Web Server
   Loaded: loaded (/nix/store/gp8m84sgiansm86h9n6105dh597gj92a-unit-nginx.service/nginx.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2017-12-27 17:45:53 EST; 2h 8min ago
  Process: 18551 ExecReload=/nix/store/r90xqqmd36fv3s53bf92s3vxhdnbwfn7-coreutils-8.28/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
  Process: 18277 ExecStartPre=/nix/store/sg1qpd12hih1szi5l2xvq5mvxngswsq4-unit-script/bin/nginx-pre-start (code=exited, status=0/SUCCESS)
 Main PID: 18282 (nginx)
    Tasks: 2 (limit: 4915)
   CGroup: /system.slice/nginx.service
           ├─18282 nginx: master process /nix/store/hzfvxq1g1awvzabhhzlmbgsyfxarf9f8-nginx-1.12.1/bin/nginx -c /nix/store/6mvj4mlb8ldpa33wdp2i13fq6a81r3d8-nginx.conf -p /var/spool/nginx
           └─18552 nginx: worker process

Dec 27 18:55:44 crow nginx[18282]: 2017/12/27 18:55:44 [error] 18552#18552: *43 open() "/srv/www/writing/sdl-2-on-os-x-mavericks/frameworks_to_remove.png" failed (2: No such file or directory),
Dec 27 18:55:44 crow nginx[18282]: 2017/12/27 18:55:44 [error] 18552#18552: *45 open() "/srv/www/writing/sdl-2-on-os-x-mavericks/disable_pch.png" failed (2: No such file or directory), client:
Dec 27 18:55:44 crow nginx[18282]: 2017/12/27 18:55:44 [error] 18552#18552: *47 open() "/srv/www/writing/sdl-2-on-os-x-mavericks/expand_targets_drawer.png" failed (2: No such file or directory)
Dec 27 18:55:44 crow nginx[18282]: 2017/12/27 18:55:44 [error] 18552#18552: *48 open() "/srv/www/writing/sdl-2-on-os-x-mavericks/remove_test_target.png" failed (2: No such file or directory), c
Dec 27 18:55:44 crow nginx[18282]: 2017/12/27 18:55:44 [error] 18552#18552: *46 open() "/srv/www/writing/sdl-2-on-os-x-mavericks/add_framework.png" failed (2: No such file or directory), client
Dec 27 18:55:44 crow nginx[18282]: 2017/12/27 18:55:44 [error] 18552#18552: *44 open() "/srv/www/writing/sdl-2-on-os-x-mavericks/copy_resources.png" failed (2: No such file or directory), clien
Dec 27 18:55:44 crow nginx[18282]: 2017/12/27 18:55:44 [error] 18552#18552: *43 open() "/srv/www/writing/sdl-2-on-os-x-mavericks/success.png" failed (2: No such file or directory), client: 80.1
Dec 27 18:55:47 crow nginx[18282]: 2017/12/27 18:55:47 [error] 18552#18552: *45 open() "/srv/www/favicon.ico" failed (2: No such file or directory), client: 80.161.174.246, server: joseph-long.
Dec 27 19:04:12 crow nginx[18282]: 2017/12/27 19:04:12 [error] 18552#18552: *50 open() "/srv/www/robots.txt" failed (2: No such file or directory), client: 194.187.170.145, server: joseph-long.
Dec 27 19:50:44 crow nginx[18282]: 2017/12/27 19:50:44 [error] 18552#18552: *62 open() "/srv/www/favicon.ico" failed (2: No such file or directory), client: 113.40.255.2, server: joseph-long.co

Ah, I just needed an addSSL for the virtualhost. Too many SSL-related options :\

For anyone curious, the final config looked like

  # Enable nginx
  services.nginx = {
    enable = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    virtualHosts."joseph-long.com" = {
      serverAliases = [ "www.joseph-long.com" ];
      enableACME = true;
      addSSL = true;
      locations."/" = {
        root = "/srv/www";
      };
    };
  };
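The rendered nginx.conf posted earlier in this thread already showed the root cause: the server block only has port-80 listeners, so nothing answers on 443 regardless of what the ACME unit did. The following audit is an added example, not code from this issue or from nixpkgs; it parses a rendered nginx.conf and reports every server block with no TLS listener or no certificate. Both samples are constructed, and the shape of the block that addSSL renders to is an assumption.

```python
import re

# Constructed sample modelled on the rendered nginx.conf quoted in this issue:
# the server block listens on port 80 only, so nothing ever opens port 443.
HTTP_ONLY = """
http {
  server {
    listen 0.0.0.0:80 ;
    listen [::]:80 ;
    server_name joseph-long.com www.joseph-long.com;
    location /.well-known/acme-challenge { root /var/lib/acme/acme-challenge; }
  }
}
"""

# Constructed sample with a TLS listener and certificate (assumed shape of addSSL output).
WITH_TLS = """
http {
  server {
    listen 0.0.0.0:80 ;
    listen [::]:443 ssl ;
    server_name joseph-long.com www.joseph-long.com;
    ssl_certificate /var/lib/acme/joseph-long.com/fullchain.pem;
  }
}
"""

def server_blocks(conf):
    # Return the body of each 'server { ... }' block, matched by brace depth.
    blocks = []
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        blocks.append(conf[m.end():i - 1])
    return blocks

def audit_tls(conf):
    # Map server_name -> problem for each server block that cannot serve HTTPS.
    report = {}
    for block in server_blocks(conf):
        m = re.search(r"server_name\s+([^;]+);", block)
        name = m.group(1).split()[0] if m else "<unnamed>"
        listens = re.findall(r"\blisten\s+([^;]+);", block)
        if not any(re.search(r"\bssl\b|:443\b", l) for l in listens):
            report[name] = "no listen on 443/ssl: connections to :443 are refused"
        elif not re.search(r"\bssl_certificate\s", block):
            report[name] = "ssl listen without ssl_certificate"
    return report
```

Run audit_tls on the config path that `systemctl status nginx` shows after `-c` to confirm the 443 listener is present after the rebuild.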