nixos/tests/letsencrypt: Don't substitute certs

If one of the certificates of the chain gets substituted from a binary cache and the rest is generated locally it might turn out that we get invalid certificates, which in turn cause tests using this module to fail. So let's set allowSubstitutes to false for all derivations that are involved with certificate/key generation. Signed-off-by: aszlig <aszlig@nix.build>
2018-06-30 18:31:38 +02:00 · 2018-06-30 18:31:38 +02:00 · 0c7c1660f7
parent bdb0b2db44
commit 0c7c1660f7
1 changed files with 2 additions and 0 deletions
--- a/nixos/tests/common/letsencrypt.nix
+++ b/nixos/tests/common/letsencrypt.nix
@ -193,6 +193,7 @@ let

  snakeOilCa = pkgs.runCommand "snakeoil-ca" {
    buildInputs = [ pkgs.openssl ];
+    allowSubstitutes = false;
  } ''
    mkdir "$out"
    openssl req -newkey rsa:4096 -x509 -sha256 -days 36500 \
@ -215,6 +216,7 @@ let
    '';
  in pkgs.runCommand "snakeoil-certs-${fqdn}" {
    buildInputs = [ pkgs.openssl ];
+    allowSubstitutes = false;
  } ''
    mkdir "$out"
    openssl genrsa -out "$out/snakeoil.key" 4096