GNU bug report logs - #29467
[PATCH] web: Don't error about missing ssl related files.

Previous Next

Full log

View this message in rfc822 format

From: julien lepiller <julien <at> lepiller.eu>
To: 29467 <at> debbugs.gnu.org
Subject: [bug#29467] [PATCH] web: Don't error about missing ssl related files.
Date: Tue, 05 Dec 2017 12:23:39 +0100

Le 2017-12-05 12:14, ludo <at> gnu.org a écrit :
> Hi,
> 
> julien lepiller <julien <at> lepiller.eu> skribis:
> 
>> Le 2017-11-27 09:26, Christopher Baines a écrit :
>>> Erroring here prevents doing things like building a system using
>>> nginx on a
>>> different machine from where it's intended to be deployed, or 
>>> creating
>>> containers and VMs that use the ssl-certificate parts of the nginx
>>> configuration, without also getting these files to exist.
>>> 
>>> * gnu/services/web.scm (emit-nginx-server-config): Don't error on
>>> missing ssl
>>>   related files.
>>> ---
>>>  gnu/services/web.scm | 10 ----------
>>>  1 file changed, 10 deletions(-)
>>> 
>>> diff --git a/gnu/services/web.scm b/gnu/services/web.scm
>>> index 9d713003c..1af32278c 100644
>>> --- a/gnu/services/web.scm
>>> +++ b/gnu/services/web.scm
>>> @@ -191,16 +191,6 @@ of index files."
>>>              (syntax-parameterize ((<> (identifier-syntax x*)))
>>>                (list tail ...))
>>>              '())))
>>> -    (for-each
>>> -     (match-lambda
>>> -      ((record-key . file)
>>> -       (if (and file (not (file-exists? file)))
> 
> There’s another problem: ‘file-exists?’ checks the current machine,
> under the current root file system.  That check doesn’t work if you do
> “guix system init config.scm /some/other/root”, or if you create a
> container, or with the envisioned “guix system reconfigure --remote”.
> 
>> Hi, when configuring nginx for the first time, users will probably
>> forget to
>> configure ssl properly. The default is to enable ssl and find
>> certificates in
>> /etc/nginx. When these files don't exist, nginx will fail to start and
>> at least
>> one user complained it was hard to debug. This code was introduced to
>> prevent
>> such a mistake.
> 
> Yes, I agree that it’s nice to have early error reports.
> 
>> Maybe we should set the default to #f (but then users would have to
>> configure
>> more fields to enable https). Maybe we should add a configuration
>> option like
>> warn-only? (default to #f) to only warn about missing files. Or maybe
>> there's
>> a way to show nginx that another service is providing that file?
> 
> Good questions.
> 
> We cannot check for file existence at configuration time for the 
> reasons
> above.
> 
> We cannot check for file existence at build time because certificates
> may be part of the machine’s state; they are typically managed in a
> stateful fashion, outside of GuixSD.
> 
> So the only option we’re left with is checking at run time, when we
> start the service.  But that’s something nginx already does, I think?
> 
> As for the default, I would be in favor of setting it to #f, because I
> can’t really think of a default that would work for everyone.
> 
> WDYT?

Having it default to #f is fine with me. Nginx does this check at 
runtime
and will refuse to start if these files are missing. Keeping https-port
to 443 and certificates to #f means it will not be able to establish a
connection to the client, but the http website will be available. So 
just
setting the key and the certificate to #f by default should be OK.

> 
> Ludo’.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.