nixos/tests/acme: Fix fullchain validation

[m1cr0man]

Blocks #331721

In the next release of Pebble, the certificate
subject is no longer populated with a useful domain name. This change will refactor the fullchain validation assertions to avoid checking the subject line.

This was tested with both pebble 2.4.0 and 2.6.0

CC @NixOS/acme

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

---

Add a 👍 reaction to pull requests you find important.

[afh]

Result of nixpkgs-review pr 346023 run on aarch64-darwin 1

Silly me: nixos tests aren't run on darwin using nixpkgs 😅

[afh]

Thanks for putting up this PR, @m1cr0man, very much appreciated 🙏

Unfortunately my knowledge on acme in general this part of nixpkgs is too limited to confidently review this PR.
I'd appreciate more context on the underlying issue, the proposed changes, and how to test them on a nixos system. That said I'd understand if explaining takes too much time or effort and your time is elsewhere is more useful.

[flokli]

This replaces the openssl crl2pkcs7 -nocrl -certfile /var/lib/acme/{cert_name}/fullchain.pem invocation to a command only taking the first cert (everything before the first "END CERTIFICATE", and then peeks at the DNS names, rather than subject, which contains all names, including what's in the subject.

The PR comment also says why:

In the next release of Pebble, the certificate
subject is no longer populated with a useful domain name. This change will refactor the fullchain validation assertions to avoid checking the subject line.

Changes LGTM, and were tested with both pebble versions, so let's merge this!

[afh]

Thanks for the helpful context, @flokli, much appreciated.

[m1cr0man]

That's exactly right @flokli , thank you for doing the write up and merge! 🙂