A software engineer website

Homelab: Monthly certificate regeneration deployment issue

Gautier DI FOLCO December 03, 2023 [ops] #ops #nix #nixos #pki

I spend the most important part of the maintenance time of Barracuda (my HomeLab) regenerating mes certificates (Server and Client).

While it often takes few commands:

agebox decrypt --all --force -i @/secrets
for s in irc monitoring restic withings; do scripts/generateClientCRL.sh $s looping; done
agebox encrypt --all
deploy '.#barracuda'

(Client certificates only need their CLR to be regenerated)

It does not work for nginx.

I can import the client certificates in my browser, frenetically for refresh, I still get a 400 invalid certificate.

The issue comes from nginx, which reads certificates at startup, and, since agenix (which manages the secrets) does not change the paths when the file change, nginx configuration does not change, so nginx is not restarted, consequently my certificate is checked against the previous version (which expired).

In order to fix it, I force the secret filename to depend on file's content:

age = {
  secrets = let
    nginx = name: localPath: {
      name = "${name}-${builtins.hashFile "md5" localPath}";
      file = localPath;
      mode = "400";
      owner = "nginx";
      group = "nginx";
  in {
    ircClientCA = nginx "ircClientCA"
    ircClientCRL = nginx "ircClientCRL"
    ircServerCRT = nginx "ircServerCRT"
    ircServerKEY = nginx "ircServerKEY"

Note: I have used MD5 hashing to have to "small" filename suffix.

It's not great, and I still have to regenerate them (which takes me few minutes, but I have to enter multiples passwords, confirm multiple times, etc.).

My guess is that it would be a good use-case for HashiCorp's Vault, but it'll be the topic of a next log.