Recently mk-cert-ownership-assertion.nix added assertions triggering build failure for nginx managed certs

I’m posting this in case it helps someone else, since I only found the solution inside a nixpkgs PR discussion.

Originally my config just had the line systemd.services.nginx.serviceConfig.SupplementaryGroups = [ "acme" ]; to grant nginx access to my acme certs, but after a recent update it started triggering the following error:

  error: attribute 'User' missing
       at /nix/store/n1g84klfb0h3bpwyvc59lcy5ca58h36w-source/nixos/modules/security/acme/mk-cert-ownership-assertion.nix:19:49:
           18|   message = "Certificate ${cert.domain} (group=${cert.group}) must be readable by service(s) ${
           19|     catSep ", " (map (svc: "${svc.name} (user=${svc.serviceConfig.User} groups=${catSep " " (svcGroups svc)})") services)
             |                                                 ^
           20|   }";

After some digging I came across a PR from Nov 8, 2024. In the discussion someone mentions they ran into this problem and suggests setting the group with something along the lines of the following instead:

security.acme.certs."domain".group = config.services.nginx.group;

That seemed to work for me. Hope that helps.

2 Likes
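For readers who want the whole picture rather than the single line above, here is an added configuration example (written for this page, not taken from the original post or from nixpkgs) that puts the suggested fix in context: the certificate is group-owned by nginx's group, and the nginx virtual host is pointed at that certificate with useACMEHost. The domain, e-mail address and web root are assumed placeholders.

```nix
{ config, ... }:
{
  security.acme = {
    acceptTerms = true;
    defaults.email = "admin@example.com";   # assumed placeholder

    certs."example.com" = {
      # Make the certificate files group-owned by nginx's group (default "nginx")
      # so the nginx service can read them directly. This replaces adding the
      # service to the "acme" group via SupplementaryGroups, which is the
      # arrangement that tripped the ownership assertion described above.
      group = config.services.nginx.group;
      extraDomainNames = [ "www.example.com" ];   # assumed placeholder
    };
  };

  services.nginx = {
    enable = true;
    virtualHosts."example.com" = {
      forceSSL = true;
      # Use the certificate managed by security.acme.certs."example.com"
      # instead of letting the nginx module request its own.
      useACMEHost = "example.com";
      locations."/".root = "/var/www/example.com";   # assumed placeholder
    };
  };
}
```

Because the cert's group is taken from config.services.nginx.group rather than hard-coded, the two sides stay consistent if the nginx group is ever changed elsewhere in the configuration.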

Sorry about the trouble and thanks for posting this here!
I’ll link the fix PR that’s been up and waiting for review: nixos/acme: fix cert ownership assert message by ThinkChaos · Pull Request #362271 · NixOS/nixpkgs · GitHub
I’ll post it in the ACME matrix to get traction 🙂

1 Like

The PR linked above was merged, so now anyone with bad cert permissions should get a useful error!

1 Like

Thanks for fixing that!