From: Christopher Baines
To: guix-patches@gnu.org
Subject: [PATCH] web: Don't error about missing ssl related files.
Date: Mon, 27 Nov 2017 08:26:20 +0000
Message-Id: <20171127082620.19237-1-mail@cbaines.net>

Erroring here prevents doing things like building a system using nginx on a
different machine from where it's intended to be deployed, or creating
containers and VMs that use the ssl-certificate parts of the nginx
configuration, without also getting these files to exist.

* gnu/services/web.scm (emit-nginx-server-config): Don't error on missing ssl
related files.
--- gnu/services/web.scm | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/gnu/services/web.scm b/gnu/services/web.scm index 9d713003c..1af32278c 100644 --- a/gnu/services/web.scm +++ b/gnu/services/web.scm
@@ -191,16 +191,6 @@ of index files." (syntax-parameterize ((<> (identifier-syntax x*))) (list tail ...)) '()))) - (for-each - (match-lambda - ((record-key . file) - (if (and file (not (file-exists? file))) - (error - (simple-format - #f - "~A in the nginx configuration for the server with name \"~A\" does not exist" record-key server-name))))) - `(("ssl-certificate" . ,ssl-certificate) - ("ssl-certificate-key" . ,ssl-certificate-key))) (list " server {\n" (and/l http-port " listen " (number->string <>) ";\n") -- 2.14.2
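
Review bot: the deleted `for-each` is the one place in this hunk that ties a bad path to its record field and `server-name`, and nothing replaces it, so a mistyped `ssl-certificate` or `ssl-certificate-key` is no longer reported when the configuration is emitted. If the `file-exists?` test has to go because it runs on the machine generating the configuration, the manual should say that these paths are not checked by Guix and that a missing file is reported only when nginx starts.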

From: julien lepiller
To: guix-patches@gnu.org
Subject: Re: [bug#29467] [PATCH] web: Don't error about missing ssl related files.
Date: Mon, 27 Nov 2017 10:22:48 +0100
Message-ID: <873b92b926e5037c904e1d0599ca6b63@lepiller.eu>
In-Reply-To: <20171127082620.19237-1-mail@cbaines.net>

On 2017-11-27 09:26, Christopher Baines wrote:
> Erroring here prevents doing things like building a system using nginx on a
> different machine from where it's intended to be deployed, or creating
> containers and VMs that use the ssl-certificate parts of the nginx
> configuration, without also getting these files to exist.
>
> * gnu/services/web.scm (emit-nginx-server-config): Don't error on missing ssl
> related files.
> --- > gnu/services/web.scm | 10 ---------- > 1 file changed, 10 deletions(-)
> > diff --git a/gnu/services/web.scm b/gnu/services/web.scm > index 9d713003c..1af32278c 100644 > --- a/gnu/services/web.scm > +++ b/gnu/services/web.scm 
> @@ -191,16 +191,6 @@ of index files." > (syntax-parameterize ((<> (identifier-syntax x*))) > (list tail ...)) > '()))) > - (for-each > - (match-lambda > - ((record-key . file) > - (if (and file (not (file-exists? file))) > - (error > - (simple-format > - #f > - "~A in the nginx configuration for the server with name > \"~A\" does not exist" record-key server-name))))) > - `(("ssl-certificate" . ,ssl-certificate) > - ("ssl-certificate-key" . ,ssl-certificate-key))) > (list > " server {\n" > (and/l http-port " listen " (number->string <>) ";\n")

Hi, when configuring nginx for the first time, users will probably forget to
configure ssl properly. The default is to enable ssl and find certificates in
/etc/nginx. When these files don't exist, nginx will fail to start and at least
one user complained it was hard to debug. This code was introduced to prevent
such a mistake.

Maybe we should set the default to #f (but then users would have to configure
more fields to enable https). Maybe we should add a configuration option like
warn-only? (default to #f) to only warn about missing files. Or maybe there's
a way to show nginx that another service is providing that file?

I agree there is an issue, but your patch feels like a regression to me for
the documented use-cases. WDYT?

From: ludo@gnu.org (Ludovic Courtès)
To: julien lepiller
Cc: 29467@debbugs.gnu.org
Subject: Re: [bug#29467] [PATCH] web: Don't error about missing ssl related files.
Date: Tue, 05 Dec 2017 12:14:12 +0100
Message-ID: <87vahlctq3.fsf@gnu.org>
In-Reply-To: <873b92b926e5037c904e1d0599ca6b63@lepiller.eu>

Hi,

julien lepiller wrote:

> On 2017-11-27 09:26, Christopher Baines wrote:
>> Erroring here prevents doing things like building a system using nginx on a
>> different machine from where it's intended to be deployed, or creating
>> containers and VMs that use the ssl-certificate parts of the nginx
>> configuration, without also getting these files to exist.
>>
>> * gnu/services/web.scm (emit-nginx-server-config): Don't error on missing ssl
>> related files.
>> --- >> gnu/services/web.scm | 10 ---------- >> 1 file changed, 10 deletions(-) >> >> diff --git a/gnu/services/web.scm b/gnu/services/web.scm >> index 9d713003c..1af32278c 100644 >> --- a/gnu/services/web.scm >> +++ b/gnu/services/web.scm
>> @@ -191,16 +191,6 @@ of index files." >> (syntax-parameterize ((<> (identifier-syntax x*))) >> (list tail ...)) >> '()))) >> - (for-each >> - (match-lambda >> - ((record-key . file) >> - (if (and file (not (file-exists? file)))

There’s another problem: ‘file-exists?’ checks the current machine,
under the current root file system. That check doesn’t work if you do
“guix system init config.scm /some/other/root”, or if you create a
container, or with the envisioned “guix system reconfigure --remote”.

> Hi, when configuring nginx for the first time, users will probably forget to
> configure ssl properly. The default is to enable ssl and find certificates in
> /etc/nginx. When these files don't exist, nginx will fail to start and at least
> one user complained it was hard to debug. This code was introduced to prevent
> such a mistake.

Yes, I agree that it’s nice to have early error reports.

> Maybe we should set the default to #f (but then users would have to configure
> more fields to enable https). Maybe we should add a configuration option like
> warn-only? (default to #f) to only warn about missing files. Or maybe there's
> a way to show nginx that another service is providing that file?

Good questions.

We cannot check for file existence at configuration time for the reasons
above.

We cannot check for file existence at build time because certificates
may be part of the machine’s state; they are typically managed in a
stateful fashion, outside of GuixSD.

So the only option we’re left with is checking at run time, when we
start the service. But that’s something nginx already does, I think?

As for the default, I would be in favor of setting it to #f, because I
can’t really think of a default that would work for everyone.

WDYT?

Ludo’.
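
The point above about which root file system an existence test looks under, as an added example (not code from Guix, nginx or anyone in this thread): a POSIX shell function that reads the `ssl_certificate` and `ssl_certificate_key` directives from an nginx configuration and tests each path under an explicitly given root. The helper names, the sample configuration and the temporary "build" and "target" trees are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from Guix or nginx. check_nginx_ssl_files is a
# hypothetical helper; the configuration text below is constructed sample input.

# usage: check_nginx_ssl_files ROOT CONF
# For every ssl_certificate / ssl_certificate_key directive in CONF, test the
# named file under ROOT (the file system nginx will actually start in).
# Prints "DIRECTIVE PATH" for each missing file; returns 1 if any is missing.
# Limitations: one directive per line, absolute paths only, no "include".
check_nginx_ssl_files() {
    root=${1%/}
    conf=$2
    missing=0
    # Commented-out directives are skipped because their first field is "#...".
    found=$(awk '$1 == "ssl_certificate" || $1 == "ssl_certificate_key" {
                     sub(/;.*$/, "", $2); print $1, $2 }' "$conf")
    while read -r directive path; do
        case $path in
            /*) ;;            # absolute path: check it under ROOT
            *)  continue ;;   # empty line or relative path: not handled here
        esac
        if [ ! -e "$root$path" ]; then
            printf '%s %s\n' "$directive" "$path"
            missing=1
        fi
    done <<EOF
$found
EOF
    return "$missing"
}

# Constructed sample configuration (not output copied from Guix).
write_sample_conf() {
    cat > "$1" <<'EOF'
server {
    listen 80;
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate /etc/nginx/cert.pem;
    ssl_certificate_key /etc/nginx/key.pem;
    # ssl_certificate /etc/nginx/old.pem;
}
EOF
}

demo() {
    work=$(mktemp -d) || return 1
    write_sample_conf "$work/nginx.conf"
    # "build" stands for the machine that generates the configuration,
    # "target" for the root the service will start in (container, VM, other disk).
    mkdir -p "$work/build" "$work/target/etc/nginx"
    : > "$work/target/etc/nginx/cert.pem"
    : > "$work/target/etc/nginx/key.pem"

    build_status=0
    target_status=0
    echo "checked under the build root:"
    check_nginx_ssl_files "$work/build" "$work/nginx.conf" || build_status=$?
    echo "checked under the target root:"
    check_nginx_ssl_files "$work/target" "$work/nginx.conf" || target_status=$?
    echo "build=$build_status target=$target_status"
    rm -rf "$work"
}

demo
```

The same configuration fails the check under one root and passes under the other, which is why the answer is only meaningful for the root the service will start in.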

Date: Tue, 05 Dec 2017 12:23:39 +0100
From: julien lepiller
To: 29467@debbugs.gnu.org
Subject: Re: [bug#29467] [PATCH] web: Don't error about missing ssl related files.
In-Reply-To: <87vahlctq3.fsf@gnu.org>

On 2017-12-05 12:14, ludo@gnu.org wrote:
> Hi,
>
> julien lepiller wrote:
>
>> On 2017-11-27 09:26, Christopher Baines wrote:
>>> Erroring here prevents doing things like building a system using nginx on a
>>> different machine from where it's intended to be deployed, or creating
>>> containers and VMs that use the ssl-certificate parts of the nginx
>>> configuration, without also getting these files to exist.
>>>
>>> * gnu/services/web.scm (emit-nginx-server-config): Don't error on missing ssl
>>> related files.
>>> --- >>> gnu/services/web.scm | 10 ---------- >>> 1 file changed, 10 deletions(-) >>> >>> diff --git a/gnu/services/web.scm b/gnu/services/web.scm >>> index 9d713003c..1af32278c 100644 >>> --- a/gnu/services/web.scm >>> +++ b/gnu/services/web.scm
>>> @@ -191,16 +191,6 @@ of index files." >>> (syntax-parameterize ((<> (identifier-syntax x*))) >>> (list tail ...)) >>> '()))) >>> - (for-each >>> - (match-lambda >>> - ((record-key . file) >>> - (if (and file (not (file-exists? file)))
>
> There’s another problem: ‘file-exists?’ checks the current machine,
> under the current root file system. That check doesn’t work if you do
> “guix system init config.scm /some/other/root”, or if you create a
> container, or with the envisioned “guix system reconfigure --remote”.
>
>> Hi, when configuring nginx for the first time, users will probably forget to
>> configure ssl properly. The default is to enable ssl and find certificates in
>> /etc/nginx. When these files don't exist, nginx will fail to start and at least
>> one user complained it was hard to debug. This code was introduced to prevent
>> such a mistake.
>
> Yes, I agree that it’s nice to have early error reports.
>
>> Maybe we should set the default to #f (but then users would have to configure
>> more fields to enable https). Maybe we should add a configuration option like
>> warn-only? (default to #f) to only warn about missing files. Or maybe there's
>> a way to show nginx that another service is providing that file?
>
> Good questions.
>
> We cannot check for file existence at configuration time for the reasons
> above.
>
> We cannot check for file existence at build time because certificates
> may be part of the machine’s state; they are typically managed in a
> stateful fashion, outside of GuixSD.
>
> So the only option we’re left with is checking at run time, when we
> start the service. But that’s something nginx already does, I think?
>
> As for the default, I would be in favor of setting it to #f, because I
> can’t really think of a default that would work for everyone.
>
> WDYT?

Having it default to #f is fine with me. Nginx does this check at runtime
and will refuse to start if these files are missing. Keeping https-port
to 443 and certificates to #f means it will not be able to establish a
connection to the client, but the http website will be available. So just
setting the key and the certificate to #f by default should be OK.

>
> Ludo’.

From: ludo@gnu.org (Ludovic Courtès)
To: julien lepiller
Cc: Christopher Baines, 29467@debbugs.gnu.org
Subject: Re: [bug#29467] [PATCH] web: Don't error about missing ssl related files.
Date: Fri, 08 Dec 2017 10:41:36 +0100
Message-ID: <87374l36b3.fsf@gnu.org>

Hi,

julien lepiller wrote:

> On 2017-12-05 12:14, ludo@gnu.org wrote:

[...]

>> We cannot check for file existence at configuration time for the reasons
>> above.
>>
>> We cannot check for file existence at build time because certificates
>> may be part of the machine’s state; they are typically managed in a
>> stateful fashion, outside of GuixSD.
>>
>> So the only option we’re left with is checking at run time, when we
>> start the service. But that’s something nginx already does, I think?
>>
>> As for the default, I would be in favor of setting it to #f, because I
>> can’t really think of a default that would work for everyone.
>>
>> WDYT?
>
> Having it default to #f is fine with me. Nginx does this check at runtime
> and will refuse to start if these files are missing. Keeping https-port
> to 443 and certificates to #f means it will not be able to establish a
> connection to the client, but the http website will be available. So just
> setting the key and the certificate to #f by default should be OK.

OK, sounds good.

Chris, can you make this change?

Thanks,
Ludo’.

From: Christopher Baines
To: 29467@debbugs.gnu.org
Subject: [PATCH 1/2] web: Don't error about missing ssl related files.
Date: Sat, 9 Dec 2017 09:31:13 +0000
Message-Id: <20171209093114.5112-1-mail@cbaines.net>
In-Reply-To: <87374l36b3.fsf@gnu.org>

Erroring here prevents doing things like building a system using nginx on a
different machine from where it's intended to be deployed, or creating
containers and VMs that use the ssl-certificate parts of the nginx
configuration, without also getting these files to exist.

* gnu/services/web.scm (emit-nginx-server-config): Don't error on missing ssl
related files.
--- gnu/services/web.scm | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/gnu/services/web.scm b/gnu/services/web.scm index 9d713003c..1af32278c 100644 --- a/gnu/services/web.scm +++ b/gnu/services/web.scm
@@ -191,16 +191,6 @@ of index files." (syntax-parameterize ((<> (identifier-syntax x*))) (list tail ...)) '()))) - (for-each - (match-lambda - ((record-key . file) - (if (and file (not (file-exists? file))) - (error - (simple-format - #f - "~A in the nginx configuration for the server with name \"~A\" does not exist" record-key server-name))))) - `(("ssl-certificate" . ,ssl-certificate) - ("ssl-certificate-key" . ,ssl-certificate-key))) (list " server {\n" (and/l http-port " listen " (number->string <>) ";\n") -- 2.14.2
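
Review bot: the ordering of the series leaves a gap at this commit: the `file-exists?` check is deleted here, while the `"/etc/nginx/cert.pem"` and `"/etc/nginx/key.pem"` defaults are only replaced by #f in 2/2, so with 1/2 alone a server block that sets neither field still gets those paths and nothing checks them. Put the default change first, or squash the two patches, so that every commit in the series is usable on its own.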

From: Christopher Baines
To: 29467@debbugs.gnu.org
Subject: [PATCH 2/2] services: web: Remove default certificate and key files for nginx.
Date: Sat, 9 Dec 2017 09:31:14 +0000
Message-Id: <20171209093114.5112-2-mail@cbaines.net>
In-Reply-To: <20171209093114.5112-1-mail@cbaines.net>

If nginx is configured with a ssl-certificate file, and ssl-certificate-key,
it will fail to start unless these exist. To avoid this happening, change the
default to #f.

* gnu/services/web.scm () [ssl-certificate,ssl-certificate-key]: Set the defaults to #f.
* gnu/tests/web.scm (%nginx-servers): Remove redundant nginx-server-configuration fields.
* doc/guix.texi (Web Services): Update examples and documentation.
--- doc/guix.texi | 20 ++++---------------- gnu/services/web.scm | 4 ++-- gnu/tests/web.scm | 5 +---- 3 files changed, 7 insertions(+), 22 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index 23ccfa2f6..35f895bb4 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -14813,10 +14813,7 @@ A simple example configuration is given below. (server-blocks (list (nginx-server-configuration (server-name '("www.example.com")) - (root "/srv/http/www.example.com") - (https-port #f) - (ssl-certificate #f) - (ssl-certificate-key #f)))))) + (root "/srv/http/www.example.com")))))) @end example In addition to adding server blocks to the service configuration
@@ -14826,9 +14823,6 @@ blocks, as in this example: @example (simple-service 'my-extra-server nginx-service-type (list (nginx-server-configuration - (https-port #f) - (ssl-certificate #f) - (ssl-certificate-key #f) (root "/srv/http/extra-website") (try-files (list "$uri" "$uri/index.html"))))) @end example @@ -14873,10 +14867,7 @@ HTTPS. (server-blocks (list (nginx-server-configuration (server-name '("www.example.com")) - (root "/srv/http/www.example.com") - (https-port #f) - (ssl-certificate #f) - (ssl-certificate-key #f)))))) + (root "/srv/http/www.example.com")))))) @end example @item @code{upstream-blocks} (default: @code{'()}) @@ -14899,9 +14890,6 @@ requests with two servers. (list (nginx-server-configuration (server-name '("www.example.com")) (root "/srv/http/www.example.com") - (https-port #f) - (ssl-certificate #f) - (ssl-certificate-key #f) (locations (list (nginx-location-configuration @@ -14965,11 +14953,11 @@ Nginx will send the list of files in the directory. A list of files whose existence is checked in the specified order. @code{nginx} will use the first file it finds to process the request. -@item @code{ssl-certificate} (default: @code{"/etc/nginx/cert.pem"}) +@item @code{ssl-certificate} (default: @code{#f}) Where to find the certificate for secure connections. Set it to @code{#f} if you don't have a certificate or you don't want to use HTTPS. -@item @code{ssl-certificate-key} (default: @code{"/etc/nginx/key.pem"}) +@item @code{ssl-certificate-key} (default: @code{#f}) Where to find the private key for secure connections. Set it to @code{#f} if you don't have a key or you don't want to use HTTPS. diff --git a/gnu/services/web.scm b/gnu/services/web.scm index 1af32278c..51cd9da1d 100644 --- a/gnu/services/web.scm +++ b/gnu/services/web.scm 
@@ -102,9 +102,9 @@ (try-files nginx-server-configuration-try-files (default '())) (ssl-certificate nginx-server-configuration-ssl-certificate - (default "/etc/nginx/cert.pem")) + (default #f)) (ssl-certificate-key nginx-server-configuration-ssl-certificate-key - (default "/etc/nginx/key.pem")) + (default #f)) (server-tokens? nginx-server-configuration-server-tokens? (default #f))) diff --git a/gnu/tests/web.scm b/gnu/tests/web.scm index 3fa272c67..de7ab3cd6 100644 --- a/gnu/tests/web.scm +++ b/gnu/tests/web.scm 
@@ -45,10 +45,7 @@ ;; Server blocks. (list (nginx-server-configuration (root "/srv") - (http-port 8042) - (https-port #f) - (ssl-certificate #f) - (ssl-certificate-key #f)))) + (http-port 8042)))) (define %nginx-os ;; Operating system under test. -- 2.14.2
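
Review bot: the doc/guix.texi and gnu/tests/web.scm hunks drop `(https-port #f)` together with the two certificate fields, but the gnu/services/web.scm hunk only changes the defaults of `ssl-certificate` and `ssl-certificate-key`. Unless `https-port` also defaults to #f, every shortened example and `%nginx-servers` now describe a server with an HTTPS port and no certificate; keep `(https-port #f)` in those places, or say in the commit message what is emitted for the HTTPS listen when the certificate is #f. In the same texi hunk the two `@item` descriptions still read "Set it to @code{#f} if you don't have a certificate" and "if you don't have a key", which no longer fits a #f default; they could say what to set to enable HTTPS instead.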

From: Christopher Baines
To: Ludovic Courtès
Cc: julien lepiller, 29467@debbugs.gnu.org
Subject: Re: [bug#29467] [PATCH] web: Don't error about missing ssl related files.
Date: Sat, 09 Dec 2017 09:37:19 +0000
Message-ID: <874lp0dyy8.fsf@cbaines.net>
In-reply-to: <87374l36b3.fsf@gnu.org>

Ludovic Courtès writes:

> Hi,
>
> julien lepiller wrote:
>
>> On 2017-12-05 12:14, ludo@gnu.org wrote:
>
> [...]
>
>>> We cannot check for file existence at configuration time for the reasons
>>> above.
>>>
>>> We cannot check for file existence at build time because certificates
>>> may be part of the machine’s state; they are typically managed in a
>>> stateful fashion, outside of GuixSD.
>>>
>>> So the only option we’re left with is checking at run time, when we
>>> start the service. But that’s something nginx already does, I think?
>>>
>>> As for the default, I would be in favor of setting it to #f, because I
>>> can’t really think of a default that would work for everyone.
>>>
>>> WDYT?
>>
>> Having it default to #f is fine with me. Nginx does this check at runtime
>> and will refuse to start if these files are missing. Keeping https-port
>> to 443 and certificates to #f means it will not be able to establish a
>> connection to the client, but the http website will be available. So just
>> setting the key and the certificate to #f by default should be OK.
>
> OK, sounds good.
>
> Chris, can you make this change?

Yep, I've sent some updated patches.

From: ludo@gnu.org (Ludovic Courtès)
To: Christopher Baines
Cc: 29467@debbugs.gnu.org
Subject: Re: [bug#29467] [PATCH 1/2] web: Don't error about missing ssl related files.
Date: Mon, 11 Dec 2017 14:26:22 +0100

Christopher Baines writes:

> Erroring here prevents doing things like building a system using nginx on a
> different machine from where it's intended to be deployed, or creating
> containers and VMs that use the ssl-certificate parts of the nginx
> configuration, without also getting these files to exist.
>
> * gnu/services/web.scm (emit-nginx-server-config): Don't error on missing ssl
> related files.

LGTM!

From: ludo@gnu.org (Ludovic Courtès)
To: Christopher Baines
Cc: 29467@debbugs.gnu.org
Subject: Re: [bug#29467] [PATCH 2/2] services: web: Remove default certificate and key files for nginx.
Date: Mon, 11 Dec 2017 14:26:33 +0100

Christopher Baines writes:

> If nginx is configured with a ssl-certificate file, and ssl-certificate-key,
> it will fail to start unless these exist. To avoid this happening, change the
> default to #f.
>
> * gnu/services/web.scm ()
> [ssl-certificate,ssl-certificate-key]: Set the defaults to #f.
> * gnu/tests/web.scm (%nginx-servers): Remove redundant
> nginx-server-configuration fields.
> * doc/guix.texi (Web Services): Update examples and documentation.

LGTM, thanks!

Ludo'.

From: Christopher Baines
To: Ludovic Courtès
Cc: 29467-done@debbugs.gnu.org
Subject: Re: [bug#29467] [PATCH 2/2] services: web: Remove default certificate and key files for nginx.
Date: Mon, 11 Dec 2017 20:41:04 +0000

Ludovic Courtès writes:

> Christopher Baines writes:
>
>> If nginx is configured with a ssl-certificate file, and ssl-certificate-key,
>> it will fail to start unless these exist. To avoid this happening, change the
>> default to #f.
>>
>> * gnu/services/web.scm ()
>> [ssl-certificate,ssl-certificate-key]: Set the defaults to #f.
>> * gnu/tests/web.scm (%nginx-servers): Remove redundant
>> nginx-server-configuration fields.
>> * doc/guix.texi (Web Services): Update examples and documentation.
>
> LGTM, thanks!

Great, I've now pushed these two patches.

Thanks for reviewing :)

From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Date: Tue, 09 Jan 2018 12:24:07 +0000

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator