enableACME without SSL can result in wrong certificate being served #23711

Closed
edanaher opened this issue Mar 10, 2017 · 7 comments
Comments

@edanaher
Contributor

Issue description

While trying to figure out why my site wasn't being served by nginx (my own unrelated mistakes), I disabled SSL, but left ACME enabled. When my site did start working, I was getting an SSL error due to the certificate being on the wrong domain; specifically, the other (ACME enabled) SSL domain being served by nginx on that host.

Enabling ssl fixed this, but it was extremely confusing; I figured the NixOS ACME configuration couldn't be that broken, but it took looking at the generated nginx.conf to realize that there was no certificate listed there, so nginx was presumably falling back on any certificate it could find.

One obvious solution to this would be to have enableACME turn on enableSSL; honestly, I don't see why that's the case (and will probably submit a quick pull request for that).

Steps to reproduce

I believe the following configuration.nix should work, if the two domains are actually hosted on the server and reachable from the ACME server:

services.nginx.virtualHosts = {
  "host1.example.com" = {
    enableACME = true;
    enableSSL = true;
    root = /does/not/exist;
  };
  "host2.example.com" = {
    enableACME = true;
    root = /does/not/exist;
  };
};

Then visiting https://host2.example.com should result in a certificate error.

Technical details

  • System: NixOS: 16.09.1821.0cb2838 (Flounder)
  • Nix version: nix-env (Nix) 1.11.7
  • Nixpkgs version: 16.09.1821.0cb2838
@edanaher
Contributor Author

Actually, this is more complicated than I thought; AFAICT, setting enableSSL disables HTTP (surprising to me); I was using forceSSL. Unfortunately, forceSSL may cause issues bootstrapping the initial certificate (at least it seemed to in one case; I'm not positive).

Also, I'm now using letsencrypt for a mail certificate, where it's nice to be able to have the domain just serving the ACME script, and nothing else; there's no reason for that page to use SSL.

So while I still think this is a bug, the solution is sufficiently complex that I'm not going to propose anything yet.

@fadenb
Contributor

fadenb commented Mar 11, 2017

Unfortunately, forceSSL may cause issues bootstrapping the initial certificate (at least it seemed to in one case; I'm not positive).

Cannot confirm this. I use enableACME = true; and forceSSL = true; without enableSSL all the time and never had any issues getting a certificate issued.

Perhaps we should force the user to select a default vhost with services.nginx.virtualHosts.<name>.default ? It is good practice to set this anyway because it selects which certificate is used for non-SNI-capable clients.
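The symptom described in the reproduction (nginx answering for host2.example.com with host1's certificate) is easy to confirm from the outside. The following script is an added example, not code from the issue or from nixpkgs; it assumes the openssl CLI is installed and that the server is reachable on port 443. It fetches the leaf certificate nginx presents for a given SNI name and checks whether that certificate actually covers the name, which is exactly what a browser does before showing the certificate error.

```shell
#!/bin/sh
# Verify that the certificate a TLS server presents for a given SNI name
# really covers that name. Added example for the nginx/ACME discussion above;
# it relies only on the openssl command-line tool.

# cert_covers_host PEMFILE HOST
# Returns 0 if the certificate's CN/SAN matches HOST, 1 otherwise.
# "openssl x509 -checkhost" prints "does match" / "does NOT match", so the
# result is taken from the output rather than from the exit status.
cert_covers_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q "does match"
}

# served_cert HOST [PORT]
# Connects with SNI=HOST (as a browser would) and prints the leaf
# certificate the server chose for that name, in PEM form.
served_cert() {
  host=$1
  port=${2:-443}
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 2>/dev/null
}

# check_vhost HOST [PORT]
# Reports OK when the served certificate covers HOST, MISMATCH when nginx
# fell back to a certificate for some other vhost (the situation in this
# issue), and "no certificate" when the handshake produced none.
check_vhost() {
  tmp=$(mktemp) || return 2
  if ! served_cert "$1" "${2:-443}" > "$tmp" || ! [ -s "$tmp" ]; then
    rm -f "$tmp"
    echo "no certificate from $1"
    return 2
  fi
  if cert_covers_host "$tmp" "$1"; then
    echo "OK: certificate served for $1 covers $1"
    rc=0
  else
    echo "MISMATCH: certificate served for $1 is $(openssl x509 -in "$tmp" -noout -subject)"
    rc=1
  fi
  rm -f "$tmp"
  return $rc
}

# Usage: check_vhost host2.example.com
```

Run it against each vhost after a deploy; a MISMATCH for a host that has enableACME but no forceSSL/enableSSL is the configuration mistake this issue describes.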

@fadenb
Contributor

fadenb commented Mar 14, 2017

Wondering what @fpletz and @globin think about this?

@edanaher
Contributor Author

@fadenb - You're right about enableACME and forceSSL being fine for letsencrypt; on a new test, the certificate was issued, it just wasn't being served. So this ticket is just about confusing configuration options.

@globin
Member

globin commented May 8, 2017

See #25604 (comment) for my opinion.

@wmertens
Contributor

wmertens commented Aug 7, 2017

@edanaher I think that #27426 should have fixed the issue, can you test?

@edanaher
Contributor Author

edanaher commented Aug 7, 2017

Awesome! Unfortunately, I don't have time at the moment to test it, though it looks pretty straightforward. I'll go ahead and close this, and I (or someone else) can always reopen it if there are still issues.

I think the one remaining minor bit that would make me completely happy is adding a brief comment in the documentation that enableACME only fetches the certificates; it doesn't enable SSL serving on its own.

@edanaher edanaher closed this as completed Aug 7, 2017