More user-friendly ACME failure warnings #108237

Closed
ghost opened this issue Jan 2, 2021 · 1 comment
Labels
0.kind: enhancement Add something new 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS

Comments


ghost commented Jan 2, 2021

Describe the bug

I have seen quite a few users get confused by the output of nixos-rebuild switch when an ACME certificate renewal fails.

warning: error(s) [...]

To Reproduce
Steps to reproduce the behavior:

  1. set up enableACME for a host that doesn't point to the host's IP (yet)
  2. nixos-rebuild switch

Expected behavior
The user should be informed that the ACME renewal was not successful, but that self-signed certs are deployed until a renewal is possible, and that all other services were started successfully.

Screenshots

building Nix...                                                                                                   
building the system configuration...                     
these derivations will be built:                                                                                                                                                                                                     
  /nix/store/0mqaznwfvw8gjpcjk3wmq3qxipgm3zdy-nixos-system-web-2-21.03pre257780.e9158eca70a.drv                                                                                                                                      
building '/nix/store/0mqaznwfvw8gjpcjk3wmq3qxipgm3zdy-nixos-system-web-2-21.03pre257780.e9158eca70a.drv'...                                                                                                                          
copying 3 paths...                                                                                                
copying path '/nix/store/mclzskymizcc71b3m1s53lx66jjd5ybb-grub-config.xml' to 'ssh://clerie@web-2.net.clerie.de'...                                                                                                                  
copying path '/nix/store/jg4c7cv8qjgw12dqy5r2s6kcxq1h4m6g-install-grub.sh' to 'ssh://clerie@web-2.net.clerie.de'...                                                                                                                  
copying path '/nix/store/h761y5waw17im92vs4h77yaqqizlvlyf-nixos-system-web-2-21.03pre257780.e9158eca70a' to 'ssh://clerie@web-2.net.clerie.de'...
updating GRUB 2 menu...                                  
activating the configuration...                          
setting up /etc...                                       
reloading user units for clerie...                       
setting up tmpfiles                                      
reloading the following units: dbus.service                                                                       
restarting the following units: nginx.service            
the following new units were started: acme-bubblesort.clerie.de.timer, acme-fixperms.service                      
warning: the following units failed: acme-bubblesort.clerie.de.service                                            

● acme-bubblesort.clerie.de.service - Renew ACME certificate for bubblesort.clerie.de                             
     Loaded: loaded (/nix/store/9wq1lkflhilxd47ky15gjqv1davdfn1h-unit-acme-bubblesort.clerie.de.service/acme-bubblesort.clerie.de.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Sat 2021-01-02 17:57:22 CET; 198ms ago                              
TriggeredBy: ● acme-bubblesort.clerie.de.timer           
    Process: 1179 ExecStart=/nix/store/hyiqma814sj8zh00fj09c26j6ipgrnsq-unit-script-acme-bubblesort.clerie.de-start/bin/acme-bubblesort.clerie.de-start (code=exited, status=1/FAILURE)
   Main PID: 1179 (code=exited, status=1/FAILURE)        
         IP: 15.9K in, 7.9K out                          
        CPU: 166ms                                       

Jan 02 17:57:16 web-2 acme-bubblesort.clerie.de-start[1180]: 2021/01/02 17:57:16 [INFO] [bubblesort.clerie.de] acme: Trying to solve HTTP-01
Jan 02 17:57:22 web-2 acme-bubblesort.clerie.de-start[1180]: 2021/01/02 17:57:22 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/9767801138
Jan 02 17:57:22 web-2 acme-bubblesort.clerie.de-start[1180]: 2021/01/02 17:57:22 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/9767801138
Jan 02 17:57:22 web-2 acme-bubblesort.clerie.de-start[1180]: 2021/01/02 17:57:22 Could not obtain certificates:   
Jan 02 17:57:22 web-2 acme-bubblesort.clerie.de-start[1180]:         error: one or more domains had a problem:    
Jan 02 17:57:22 web-2 acme-bubblesort.clerie.de-start[1180]: [bubblesort.clerie.de] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from https://bubblesort.clerie.de/.well-known/acme-challenge/Bh5FYw5TncSgkBsLRrpyIL48mUzymEINC6VO39sw2pA [2a01:4f8:c0c:99ae::1]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>", url:
Jan 02 17:57:22 web-2 systemd[1]: acme-bubblesort.clerie.de.service: Main process exited, code=exited, status=1/FAILURE
Jan 02 17:57:22 web-2 systemd[1]: acme-bubblesort.clerie.de.service: Failed with result 'exit-code'.              
Jan 02 17:57:22 web-2 systemd[1]: Failed to start Renew ACME certificate for bubblesort.clerie.de.                
Jan 02 17:57:22 web-2 systemd[1]: acme-bubblesort.clerie.de.service: Consumed 166ms CPU time, received 15.8K IP traffic, sent 7.9K IP traffic.
warning: error(s) occurred while switching to the new configuration

Additional context
Many people expect something to be seriously wrong when a tool tells them that an "error" occurred. Some people are not able to differentiate what has failed and what went fine from the current output.

Notify maintainers

Metadata
N/A / happens on every version

Maintainer information:

# a list of nixpkgs attributes affected by the problem
attribute:
# a list of nixos modules affected by the problem
module:
- security/acme
@ghost ghost added the 0.kind: enhancement Add something new label Jan 2, 2021
@veprbl veprbl added the 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS label Jan 3, 2021
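A sketch of the triage the issue asks for, added here as an example and not taken from nixpkgs or the reporter: it reads `nixos-rebuild switch` output, separates failed `acme-<domain>.service` renewals from other unit failures, and extracts the ACME error type and challenge. The function names, the sample log (placeholder host, token and address) and the message wording are assumptions.

```python
import re

# Constructed sample, modelled on the output quoted in the issue (placeholder host, token, address).
SAMPLE = """\
restarting the following units: nginx.service
the following new units were started: acme-example.org.timer, acme-fixperms.service
warning: the following units failed: acme-example.org.service
Jan 02 17:57:16 host acme-example.org-start[1180]: [INFO] [example.org] acme: Trying to solve HTTP-01
Jan 02 17:57:22 host acme-example.org-start[1180]: [example.org] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from https://example.org/.well-known/acme-challenge/PLACEHOLDER [2001:db8::1]: "<html>"
warning: error(s) occurred while switching to the new configuration
"""

FAILED = re.compile(r"^warning: the following units failed: (.+)$", re.M)
STARTED = re.compile(r"^the following new units were started: (.+)$", re.M)
RESTARTED = re.compile(r"^restarting the following units: (.+)$", re.M)
CHALLENGE = re.compile(r"\[(?P<domain>[^\]\s]+)\] acme: Trying to solve (?P<kind>[A-Z0-9-]+)")
ACME_ERR = re.compile(r"\[(?P<domain>[^\]\s]+)\] acme: error: (?P<status>\d{3}) :: "
                      r"urn:ietf:params:acme:error:(?P<type>\w+)")
# Wording taken from the issue's expected behaviour; this script does not
# inspect which certificate is actually installed.
NOTE = "per the issue, a self-signed certificate stays deployed until renewal succeeds"

def _units(pattern, text):
    """Return the comma-separated unit names from the first matching line."""
    m = pattern.search(text)
    return [u.strip() for u in m.group(1).split(",")] if m else []

def summarize(text):
    """Separate failed ACME renewals from other unit failures in switch output."""
    failed = _units(FAILED, text)
    # acme-fixperms.service is a helper unit, not a per-domain renewal.
    acme = [u for u in failed if u.startswith("acme-") and u.endswith(".service")
            and u != "acme-fixperms.service"]
    other = [u for u in failed if u not in acme]
    kinds = {m["domain"]: m["kind"] for m in CHALLENGE.finditer(text)}
    errors = {m["domain"]: (m["type"], m["status"]) for m in ACME_ERR.finditer(text)}
    lines = []
    for unit in acme:
        domain = unit[len("acme-"):-len(".service")]
        err = errors.get(domain)
        detail = f"{err[0]} (status {err[1]})" if err else "no ACME error line found"
        lines.append(f"ACME renewal failed for {domain}: {detail}, "
                     f"challenge {kinds.get(domain, 'unknown')}")
    ok = _units(STARTED, text) + _units(RESTARTED, text)
    if ok:
        lines.append("started or restarted normally: " + ", ".join(ok))
    if acme and not other:
        lines.append(NOTE)
    return {"acme_failed": acme, "other_failed": other,
            "only_acme": bool(acme) and not other, "lines": lines}
```

`only_acme` is the signal that matters for the reporter's case: it is true only when every failed unit is a certificate renewal, so a failure of any other service is never folded into the softer message.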

stale bot commented Jul 4, 2021

I marked this as stale due to inactivity. → More info

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jul 4, 2021