Security.acme.certs module trips up on domain names

dbalan · October 30, 2023, 4:15pm

I have following on my configuration

users.users.nginx.extraGroups = [ "acme" ];
  services.nginx = {
    enable = true;
    virtualHosts."0xcat.dev" = {
      enableACME = true;
      forceSSL = true;

      locations."/.well-known/acme-challenge" = {
        root = "/var/lib/acme/.challenges";
      };
    };
  };
  security.acme = {
    acceptTerms = true;
    defaults.email = "acme@0xcat.dev";
  };

  security.acme.certs."0xcat.dev" = {
    webroot = "/var/lib/acme/.challenges";
    email = "acme@0xcat.dev";
    group = "nginx";
  };

But this generates an error that webroot is not set.

Longer error is below:

       error:
       Failed assertions:
       - Exactly one of the options
       `security.acme.certs.0xcat.dev.dnsProvider`,
       `security.acme.certs.0xcat.dev.webroot`,
       `security.acme.certs.0xcat.dev.listenHTTP` and
       `security.acme.certs.0xcat.dev.s3Bucket`
       is required.

I have a hunch that the check is somehow tripping on “0x” prefix of the domain name, but not sure.

This is on nixpkgs version

"nixpkgs": {
      "locked": {
        "lastModified": 1696019113,
        "narHash": "sha256-X3+DKYWJm93DRSdC5M6K5hLqzSya9BjibtBsuARoPco=",
        "owner": "nixos",
        "repo": "nixpkgs",
        "rev": "f5892ddac112a1e9b3612c39af1b72987ee5783a",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },

dbalan · October 30, 2023, 4:22pm

nvm: It is nixos/acme: fix assertion, add actual values to message (#263543) · NixOS/nixpkgs@5438b83 · GitHub, and has been fixed upstream.