From debbugs-submit-bounces@debbugs.gnu.org Wed Feb 14 16:33:37 2018 Received: (at submit) by debbugs.gnu.org; 14 Feb 2018 21:33:37 +0000 Received: from localhost ([127.0.0.1]:43330 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1em4gL-0001ql-1E for submit@debbugs.gnu.org; Wed, 14 Feb 2018 16:33:37 -0500 Received: from eggs.gnu.org ([208.118.235.92]:36702) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1em4gI-0001qY-Qc for submit@debbugs.gnu.org; Wed, 14 Feb 2018 16:33:35 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1em4gC-0006Lv-UX for submit@debbugs.gnu.org; Wed, 14 Feb 2018 16:33:29 -0500 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00 autolearn=disabled version=3.3.2 Received: from lists.gnu.org ([2001:4830:134:3::11]:44545) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1em4gC-0006Lm-RL for submit@debbugs.gnu.org; Wed, 14 Feb 2018 16:33:28 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:55899) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1em4gB-0003xF-Qv for guix-patches@gnu.org; Wed, 14 Feb 2018 16:33:28 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1em4g8-0006JF-Nz for guix-patches@gnu.org; Wed, 14 Feb 2018 16:33:27 -0500 Received: from mail.lassieur.org ([83.152.10.219]:52646) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1em4g8-0006Dv-8L for guix-patches@gnu.org; Wed, 14 Feb 2018 16:33:24 -0500 Received: from rodion (88.191.118.83 [88.191.118.83]) by mail.lassieur.org (OpenSMTPD) with ESMTPSA id 3e5c0d5e (TLSv1.2:ECDHE-RSA-CHACHA20-POLY1305:256:NO); Wed, 14 Feb 2018 21:33:20 +0000 (UTC) User-agent: mu4e 1.0; emacs 25.3.1 
From: Clément Lassieur To: guix-patches@gnu.org Subject: Certbot service patches Date: Wed, 14 Feb 2018 22:33:19 +0100 Message-ID: <87y3jv6yu8.fsf@lassieur.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x X-Received-From: 2001:4830:134:3::11 X-Spam-Score: -4.1 (----) X-Debbugs-Envelope-To: submit Cc: Andy Wingo , Christopher Allan Webber X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -4.1 (----)

Hi,

Here are a few patches that aim to improve the Certbot service. One problem I have is that reconfiguring takes a bit too much time if there are many certificates. I wonder if there is a way to avoid running 'certbot-activation' when the configuration didn't change. Also, I had non-reproducible networking issues while updating the certificates, but they may be related to my deploy hooks and have nothing to do with the service.
Comments welcome :-) Clément From debbugs-submit-bounces@debbugs.gnu.org Wed Feb 14 16:35:18 2018 Received: (at 30459) by debbugs.gnu.org; 14 Feb 2018 21:35:19 +0000 Received: from localhost ([127.0.0.1]:43346 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1em4hy-0001uR-KS for submit@debbugs.gnu.org; Wed, 14 Feb 2018 16:35:18 -0500 Received: from mail.lassieur.org ([83.152.10.219]:58282) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1em4hw-0001uH-SS for 30459@debbugs.gnu.org; Wed, 14 Feb 2018 16:35:17 -0500 Received: from localhost.localdomain (88.191.118.83 [88.191.118.83]) by mail.lassieur.org (OpenSMTPD) with ESMTPSA id d95c559a (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256:NO) for <30459@debbugs.gnu.org>; Wed, 14 Feb 2018 21:35:14 +0000 (UTC) From: =?UTF-8?q?Cl=C3=A9ment=20Lassieur?= To: 30459@debbugs.gnu.org Subject: [PATCH 01/11] services: certbot: Listen on IPv6. Date: Wed, 14 Feb 2018 22:34:54 +0100 Message-Id: <20180214213504.29984-1-clement@lassieur.org> X-Mailer: git-send-email 2.16.1 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Score: -0.0 (/) X-Debbugs-Envelope-To: 30459 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.0 (/) * gnu/services/certbot.scm (certbot-nginx-server-configurations): Listen on IPv6 too. --- gnu/services/certbot.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm index 8aac2638b..91249ed3e 100644 --- a/gnu/services/certbot.scm +++ b/gnu/services/certbot.scm 
@@ -1,7 +1,7 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2016 ng0 ;;; Copyright © 2016 Sou Bunnbu -;;; Copyright © 2017 Clément Lassieur +;;; Copyright © 2017, 2018 Clément Lassieur ;;; ;;; This file is part of GNU Guix. ;;; @@ -98,7 +98,7 @@ (map (lambda (host) (nginx-server-configuration - (listen '("80")) + (listen '("80" "[::]:80")) (ssl-certificate #f) (ssl-certificate-key #f) (server-name (list host)) -- 2.16.1 From debbugs-submit-bounces@debbugs.gnu.org Wed Feb 14 16:35:20 2018 Received: (at 30459) by debbugs.gnu.org; 14 Feb 2018 21:35:20 +0000 Received: from localhost ([127.0.0.1]:43349 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1em4hz-0001uk-U6 for submit@debbugs.gnu.org; Wed, 14 Feb 2018 16:35:20 -0500 Received: from mail.lassieur.org ([83.152.10.219]:58282) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1em4hy-0001uH-8V for 30459@debbugs.gnu.org; Wed, 14 Feb 2018 16:35:18 -0500 Received: from localhost.localdomain (88.191.118.83 [88.191.118.83]) by mail.lassieur.org (OpenSMTPD) with ESMTPSA id 14f2d621 (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256:NO) for <30459@debbugs.gnu.org>; Wed, 14 Feb 2018 21:35:15 +0000 (UTC) 
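Review bot: in the certbot.scm hunk of PATCH 01, `(listen '("80" "[::]:80"))` works as two independent sockets only because nginx's `ipv6only` defaults to on for `[::]:80`; if another server block in the same nginx configuration uses `listen [::]:80 ipv6only=off` (a dual-stack socket), the separate IPv4 bind on `80` fails with "address already in use". Worth a sentence in the commit message or the manual that the two entries are meant to be distinct sockets.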
From: =?UTF-8?q?Cl=C3=A9ment=20Lassieur?= To: 30459@debbugs.gnu.org Subject: [PATCH 02/11] services: certbot: Run certbot twice a day at a random minute. Date: Wed, 14 Feb 2018 22:34:55 +0100 Message-Id: <20180214213504.29984-2-clement@lassieur.org> X-Mailer: git-send-email 2.16.1 In-Reply-To: <20180214213504.29984-1-clement@lassieur.org> References: <20180214213504.29984-1-clement@lassieur.org> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Score: -0.0 (/) X-Debbugs-Envelope-To: 30459 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.0 (/) * doc/guix.texi (Certificate Services): Document it. * gnu/services/certbot.scm (certbot-renewal-jobs): Change job's time specification. --- doc/guix.texi | 8 +++++++- gnu/services/certbot.scm | 8 ++++---- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index b3bf52735..42705ff8d 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -30,7 +30,7 @@ Copyright @copyright{} 2016, 2017 ng0@* Copyright @copyright{} 2016, 2017 Jan Nieuwenhuizen@* Copyright @copyright{} 2016 Julien Lepiller@* Copyright @copyright{} 2016 Alex ter Weele@* -Copyright @copyright{} 2017 Clément Lassieur@* +Copyright @copyright{} 2017, 2018 Clément Lassieur@* Copyright @copyright{} 2017 Mathieu Othacehe@* Copyright @copyright{} 2017 Federico Beffa@* Copyright @copyright{} 2017 Carlo Zancanaro@* 
@@ -15670,6 +15670,12 @@ generation, the initial certification request to the Let's Encrypt service, the web server challenge/response integration, writing the certificate to disk, and the automated periodic renewals. +Certbot is run twice a day, at a random minute within the hour. It +won't do anything until your certificates are due for renewal or +revoked, but running it regularly would give your service a chance of +staying online in case a Let's Encrypt-initiated revocation happened for +some reason. + @defvr {Scheme Variable} certbot-service-type A service type for the @code{certbot} Let's Encrypt client. @end defvr diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm index 91249ed3e..1728d126f 100644 --- a/gnu/services/certbot.scm +++ b/gnu/services/certbot.scm 
@@ -65,10 +65,10 @@ (() '()) (_ (list - ;; Attempt to renew the certificates twice a week. - #~(job (lambda (now) - (next-day-from (next-hour-from now '(3)) - '(2 5))) + ;; Attempt to renew the certificates twice per day, at a random + ;; minute within the hour. See + ;; https://certbot.eff.org/all-instructions/. + #~(job '(next-minute-from (next-hour '(0 12)) (list (random 60))) (string-append #$package "/bin/certbot renew" (string-concatenate (map (lambda (host) -- 2.16.1 From debbugs-submit-bounces@debbugs.gnu.org Wed Feb 14 16:35:22 2018 Received: (at 30459) by debbugs.gnu.org; 14 Feb 2018 21:35:22 +0000 Received: from localhost ([127.0.0.1]:43354 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1em4i2-0001v5-6P for submit@debbugs.gnu.org; Wed, 14 Feb 2018 16:35:22 -0500 Received: from mail.lassieur.org ([83.152.10.219]:58282) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1em4hz-0001uH-9n for 30459@debbugs.gnu.org; Wed, 14 Feb 2018 16:35:19 -0500 Received: from localhost.localdomain (88.191.118.83 [88.191.118.83]) by mail.lassieur.org (OpenSMTPD) with ESMTPSA id abada09c (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256:NO) for <30459@debbugs.gnu.org>; Wed, 14 Feb 2018 21:35:15 +0000 (UTC) 
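Review bot: in the certbot.scm hunk of PATCH 02, `(random 60)` inside the quoted job specification is evaluated by mcron with Guile's default `*random-state*`, which is seeded identically every time Guile starts, so the "random minute" follows the same sequence on every boot and on every host rather than spreading load the way the linked certbot instructions intend. Seeding the state first, for example with `(seed->random-state (current-time))`, or drawing the minute once from `/dev/urandom`, gives the intended spread. Also worth checking: when the drawn minute is 0, `next-minute-from` applied to the 00:00 or 12:00 time returned by `next-hour` may wrap to the following hour instead of returning that time.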
From: =?UTF-8?q?Cl=C3=A9ment=20Lassieur?= To: 30459@debbugs.gnu.org Subject: [PATCH 03/11] services: certbot: Fix indentation. Date: Wed, 14 Feb 2018 22:34:56 +0100 Message-Id: <20180214213504.29984-3-clement@lassieur.org> X-Mailer: git-send-email 2.16.1 In-Reply-To: <20180214213504.29984-1-clement@lassieur.org> References: <20180214213504.29984-1-clement@lassieur.org> X-Spam-Score: -0.0 (/) X-Debbugs-Envelope-To: 30459 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.0 (/) * gnu/services/certbot.scm (certbot-activation): Fix indentation. --- gnu/services/certbot.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm index 1728d126f..8ca64d998 100644 --- a/gnu/services/certbot.scm +++ b/gnu/services/certbot.scm 
@@ -80,8 +80,8 @@ (($ package webroot hosts default-location) (with-imported-modules '((guix build utils)) #~(begin - (use-modules (guix build utils)) - (mkdir-p #$webroot) + (use-modules (guix build utils)) + (mkdir-p #$webroot) (for-each (lambda (host) (unless (file-exists? (in-vicinity "/etc/letsencrypt/live" host)) -- 2.16.1 From debbugs-submit-bounces@debbugs.gnu.org Wed Feb 14 16:35:22 2018 Received: (at 30459) by debbugs.gnu.org; 14 Feb 2018 21:35:22 +0000 Received: from localhost ([127.0.0.1]:43356 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1em4i2-0001vG-Dv for submit@debbugs.gnu.org; Wed, 14 Feb 2018 16:35:22 -0500 Received: from mail.lassieur.org ([83.152.10.219]:58282) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1em4i0-0001uH-BL for 30459@debbugs.gnu.org; Wed, 14 Feb 2018 16:35:21 -0500 Received: from localhost.localdomain (88.191.118.83 [88.191.118.83]) by mail.lassieur.org (OpenSMTPD) with ESMTPSA id 2225b51f (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256:NO) for <30459@debbugs.gnu.org>; Wed, 14 Feb 2018 21:35:15 +0000 (UTC) 
From: =?UTF-8?q?Cl=C3=A9ment=20Lassieur?= To: 30459@debbugs.gnu.org Subject: [PATCH 04/11] services: certbot: Rename 'host' to 'domain'. Date: Wed, 14 Feb 2018 22:34:57 +0100 Message-Id: <20180214213504.29984-4-clement@lassieur.org> X-Mailer: git-send-email 2.16.1 In-Reply-To: <20180214213504.29984-1-clement@lassieur.org> References: <20180214213504.29984-1-clement@lassieur.org> X-Spam-Score: -0.0 (/) X-Debbugs-Envelope-To: 30459 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.0 (/) * doc/guix.texi (Certificate Services): Rename 'host' to 'domain'. * gnu/services/certbot.scm (, certbot-renewal-jobs, certbot-activation, certbot-nginx-server-configurations, certbot-service-type): Rename 'host' to 'domain'. --- doc/guix.texi | 14 +++++++------- gnu/services/certbot.scm | 42 ++++++++++++++++++++++-------------------- 2 files changed, 29 insertions(+), 27 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index 42705ff8d..42f2593d3 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -15692,8 +15692,8 @@ The certbot package to use. The directory from which to serve the Let's Encrypt challenge/response files. -@item @code{hosts} (default: @code{()}) -A list of hosts for which to generate certificates and request +@item @code{domains} (default: @code{()}) +A list of domains for which to generate certificates and request signatures. @item @code{default-location} (default: @i{see below}) 
@@ -15701,7 +15701,7 @@ The default @code{nginx-location-configuration}. Because @code{certbot} needs to be able to serve challenges and responses, it needs to be able to run a web server. It does so by extending the @code{nginx} web service with an @code{nginx-server-configuration} listening on the -@var{hosts} on port 80, and which has a +@var{domains} on port 80, and which has a @code{nginx-location-configuration} for the @code{/.well-known/} URI path subspace used by Let's Encrypt. @xref{Web Services}, for more on these nginx configuration data types. @@ -15711,7 +15711,7 @@ Requests to other URL paths will be matched by the @code{nginx-server-configuration}s. By default, the @code{default-location} will issue a redirect from -@code{http://@var{host}/...} to @code{https://@var{host}/...}, leaving +@code{http://@var{domain}/...} to @code{https://@var{domain}/...}, leaving you to define what to serve on your site via @code{https}. Pass @code{#f} to not issue a default location. @@ -15719,9 +15719,9 @@ Pass @code{#f} to not issue a default location. @end deftp The public key and its signatures will be written to -@code{/etc/letsencrypt/live/@var{host}/fullchain.pem}, for each -@var{host} in the configuration. The private key is written to -@code{/etc/letsencrypt/live/@var{host}/privkey.pem}. +@code{/etc/letsencrypt/live/@var{domain}/fullchain.pem}, for each +@var{domain} in the configuration. The private key is written to +@code{/etc/letsencrypt/live/@var{domain}/privkey.pem}. @node DNS Services diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm index 8ca64d998..0b425bab9 100644 --- a/gnu/services/certbot.scm +++ b/gnu/services/certbot.scm @@ -48,7 +48,7 @@ (default certbot)) (webroot certbot-configuration-webroot (default "/var/www")) - (hosts certbot-configuration-hosts + (domains certbot-configuration-domains (default '())) (default-location certbot-configuration-default-location (default 
@@ -59,9 +59,9 @@ (define certbot-renewal-jobs (match-lambda - (($ package webroot hosts default-location) - (match hosts - ;; Avoid pinging certbot if we have no hosts. + (($ package webroot domains default-location) + (match domains + ;; Avoid pinging certbot if we have no domains. (() '()) (_ (list @@ -71,37 +71,38 @@ #~(job '(next-minute-from (next-hour '(0 12)) (list (random 60))) (string-append #$package "/bin/certbot renew" (string-concatenate - (map (lambda (host) - (string-append " -d " host)) - '#$hosts)))))))))) + (map (lambda (domain) + (string-append " -d " domain)) + '#$domains)))))))))) (define certbot-activation (match-lambda - (($ package webroot hosts default-location) + (($ package webroot domains default-location) (with-imported-modules '((guix build utils)) #~(begin (use-modules (guix build utils)) (mkdir-p #$webroot) (for-each - (lambda (host) - (unless (file-exists? (in-vicinity "/etc/letsencrypt/live" host)) + (lambda (domain) + (unless (file-exists? + (in-vicinity "/etc/letsencrypt/live" domain)) (unless (zero? (system* (string-append #$certbot "/bin/certbot") "certonly" "--webroot" "-w" #$webroot - "-d" host)) - (error "failed to acquire cert for host" host)))) - '#$hosts)))))) + "-d" domain)) + (error "failed to acquire cert for domain" domain)))) + '#$domains)))))) (define certbot-nginx-server-configurations (match-lambda - (($ package webroot hosts default-location) + (($ package webroot domains default-location) (map - (lambda (host) + (lambda (domain) (nginx-server-configuration (listen '("80" "[::]:80")) (ssl-certificate #f) (ssl-certificate-key #f) - (server-name (list host)) + (server-name (list domain)) (locations (filter identity (list @@ -109,7 +110,7 @@ (uri "/.well-known") (body (list (list "root " webroot ";")))) default-location))))) - hosts)))) + domains)))) (define certbot-service-type (service-type (name 'certbot) 
@@ -121,11 +122,12 @@ (service-extension mcron-service-type certbot-renewal-jobs))) (compose concatenate) - (extend (lambda (config additional-hosts) + (extend (lambda (config additional-domains) (certbot-configuration (inherit config) - (hosts (append (certbot-configuration-hosts config) - additional-hosts))))) + (domains (append + (certbot-configuration-domains config) + additional-domains))))) (default-value (certbot-configuration)) (description "Automatically renew @url{https://letsencrypt.org, Let's -- 2.16.1 From debbugs-submit-bounces@debbugs.gnu.org Wed Feb 14 16:35:26 2018 Received: (at 30459) by debbugs.gnu.org; 14 Feb 2018 21:35:26 +0000 Received: from localhost ([127.0.0.1]:43363 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1em4i5-0001vq-P5 for submit@debbugs.gnu.org; Wed, 14 Feb 2018 16:35:25 -0500 Received: from mail.lassieur.org ([83.152.10.219]:58284) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1em4i1-0001ur-Fx for 30459@debbugs.gnu.org; Wed, 14 Feb 2018 16:35:21 -0500 Received: from localhost.localdomain (88.191.118.83 [88.191.118.83]) by mail.lassieur.org (OpenSMTPD) with ESMTPSA id bafb8bbc (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256:NO) for <30459@debbugs.gnu.org>; Wed, 14 Feb 2018 21:35:15 +0000 (UTC) 
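Review bot: in the certbot-activation hunk of PATCH 04, the renamed loop still calls `(string-append #$certbot "/bin/certbot")`, where `certbot` is the package variable imported by the module rather than the `package` field bound by the match pattern, so the configured `package` is ignored at activation time while the renewal job correctly uses `#$package`. This is pre-existing and a pure rename should not fix it, but it deserves its own commit using `#$package` (or `(file-append package "/bin/certbot")`). The same `certonly` call carries no `-n`, `-m` or `--agree-tos`, so on a fresh machine activation blocks on certbot's interactive email and terms-of-service prompts.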
From: =?UTF-8?q?Cl=C3=A9ment=20Lassieur?= To: 30459@debbugs.gnu.org Subject: [PATCH 05/11] services: certbot: Refactor certbot command. Date: Wed, 14 Feb 2018 22:34:58 +0100 Message-Id: <20180214213504.29984-5-clement@lassieur.org> X-Mailer: git-send-email 2.16.1 In-Reply-To: <20180214213504.29984-1-clement@lassieur.org> References: <20180214213504.29984-1-clement@lassieur.org> X-Spam-Score: -0.0 (/) X-Debbugs-Envelope-To: 30459 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.0 (/) * gnu/services/certbot.scm (certbot-renewal-jobs, certbot-activation): Refactor common code into certbot-command. --- gnu/services/certbot.scm | 53 ++++++++++++++++++++++++------------------------ 1 file changed, 26 insertions(+), 27 deletions(-) diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm index 0b425bab9..661e17498 100644 --- a/gnu/services/certbot.scm +++ b/gnu/services/certbot.scm 
@@ -57,41 +57,40 @@ (body (list "return 301 https://$host$request_uri;")))))) -(define certbot-renewal-jobs +(define certbot-command (match-lambda (($ package webroot domains default-location) - (match domains - ;; Avoid pinging certbot if we have no domains. - (() '()) - (_ - (list - ;; Attempt to renew the certificates twice per day, at a random - ;; minute within the hour. See - ;; https://certbot.eff.org/all-instructions/. - #~(job '(next-minute-from (next-hour '(0 12)) (list (random 60))) - (string-append #$package "/bin/certbot renew" - (string-concatenate - (map (lambda (domain) - (string-append " -d " domain)) - '#$domains)))))))))) + (let* ((certbot (file-append package "/bin/certbot")) + (commands + (map + (lambda (domain) + (list certbot "certonly" + "--webroot" "-w" webroot + "-d" domain)) + domains))) + (program-file + "certbot-command" + #~(let ((code 0)) + (for-each + (lambda (command) + (set! code (or (apply system* command) code))) + '#$commands) code)))))) -(define certbot-activation - (match-lambda +(define (certbot-renewal-jobs config) + (list + ;; Attempt to renew the certificates twice per day, at a random minute + ;; within the hour. See https://certbot.eff.org/all-instructions/. + #~(job '(next-minute-from (next-hour '(0 12)) (list (random 60))) + #$(certbot-command config)))) + +(define (certbot-activation config) + (match config (($ package webroot domains default-location) (with-imported-modules '((guix build utils)) #~(begin (use-modules (guix build utils)) (mkdir-p #$webroot) - (for-each - (lambda (domain) - (unless (file-exists? - (in-vicinity "/etc/letsencrypt/live" domain)) - (unless (zero? (system* - (string-append #$certbot "/bin/certbot") - "certonly" "--webroot" "-w" #$webroot - "-d" domain)) - (error "failed to acquire cert for domain" domain)))) - '#$domains)))))) + (zero? 
(system* #$(certbot-command config)))))))) (define certbot-nginx-server-configurations (match-lambda -- 2.16.1 From debbugs-submit-bounces@debbugs.gnu.org Wed Feb 14 16:35:26 2018 Received: (at 30459) by debbugs.gnu.org; 14 Feb 2018 21:35:26 +0000 Received: from localhost ([127.0.0.1]:43365 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1em4i6-0001vs-15 for submit@debbugs.gnu.org; Wed, 14 Feb 2018 16:35:26 -0500 Received: from mail.lassieur.org ([83.152.10.219]:58282) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1em4i1-0001uH-M9 for 30459@debbugs.gnu.org; Wed, 14 Feb 2018 16:35:22 -0500 Received: from localhost.localdomain (88.191.118.83 [88.191.118.83]) by mail.lassieur.org (OpenSMTPD) with ESMTPSA id 02d5cfeb (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256:NO) for <30459@debbugs.gnu.org>; Wed, 14 Feb 2018 21:35:15 +0000 (UTC) 
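Review bot: in the certbot-command hunk of PATCH 05, `(set! code (or (apply system* command) code))` never accumulates a failure: `system*` returns an integer wait status and never `#f`, so `or` always yields the newest status and `code` ends up as the last command's result, masking an earlier non-zero exit. Something like `(let ((status (status:exit-val (apply system* command)))) (unless (zero? status) (set! code status)))` keeps the first failure and also converts the raw wait status into an exit code. Note too that the script only evaluates `code` as its final expression; a Guile script exits 0 when it runs to completion, so the caller sees a failure only if the program ends with `(exit code)`.

Review bot: in the certbot-activation hunk, replacing `(error "failed to acquire cert for domain" domain)` with `(zero? (system* ...))` silently drops failures: the boolean is merely the value of the activation gexp and nothing examines it, so a `certonly` that fails during activation no longer aborts `guix system reconfigure`. Keep an `(unless (zero? ...) (error ...))` around the call.

Review bot: in the certbot-renewal-jobs hunk, the mcron job now runs `certonly` for every domain twice a day instead of `certbot renew`, and the `(() '())` guard is gone, so a job is registered even with no domains. Without `-n`, `-m` and `--agree-tos` (added later in this series) the cron run would hit certbot's interactive prompts with no TTY; the commit message should also state that `certonly` on an existing certificate that is not yet due is a no-op, so reviewers can confirm the change is equivalent to `renew`.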
From: =?UTF-8?q?Cl=C3=A9ment=20Lassieur?= To: 30459@debbugs.gnu.org Subject: [PATCH 06/11] services: certbot: Get certbot to run non-interactively. Date: Wed, 14 Feb 2018 22:34:59 +0100 Message-Id: <20180214213504.29984-6-clement@lassieur.org> X-Mailer: git-send-email 2.16.1 In-Reply-To: <20180214213504.29984-1-clement@lassieur.org> References: <20180214213504.29984-1-clement@lassieur.org> X-Spam-Score: -0.0 (/) X-Debbugs-Envelope-To: 30459 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.0 (/) * doc/guix.texi (Certificate Services): Add email field. * gnu/services/certbot.scm (, certbot-command, certbot-activation, certbot-nginx-server-configurations): Add email field. (certbot-command): Add '-n' and '--agree-tos' options. (certbot-service-type): Remove default-value. --- doc/guix.texi | 4 ++++ gnu/services/certbot.scm | 14 +++++++++----- 2 files changed, 13 insertions(+), 5 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index 42f2593d3..e951b3274 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -15696,6 +15696,10 @@ files. A list of domains for which to generate certificates and request signatures. +@item @code{email} +Mandatory email used for registration, recovery contact, and important +account notifications. + @item @code{default-location} (default: @i{see below}) The default @code{nginx-location-configuration}. Because @code{certbot} needs to be able to serve challenges and responses, it needs to be able diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm index 661e17498..379c21143 100644 --- a/gnu/services/certbot.scm +++ b/gnu/services/certbot.scm 
@@ -50,6 +50,7 @@ (default "/var/www")) (domains certbot-configuration-domains (default '())) + (email certbot-configuration-email) (default-location certbot-configuration-default-location (default (nginx-location-configuration @@ -59,12 +60,14 @@ (define certbot-command (match-lambda - (($ package webroot domains default-location) + (($ package webroot domains email + default-location) (let* ((certbot (file-append package "/bin/certbot")) (commands (map (lambda (domain) - (list certbot "certonly" + (list certbot "certonly" "-n" "--agree-tos" + "-m" email "--webroot" "-w" webroot "-d" domain)) domains))) @@ -85,7 +88,8 @@ (define (certbot-activation config) (match config - (($ package webroot domains default-location) + (($ package webroot domains email + default-location) (with-imported-modules '((guix build utils)) #~(begin (use-modules (guix build utils)) @@ -94,7 +98,8 @@ (define certbot-nginx-server-configurations (match-lambda - (($ package webroot domains default-location) + (($ package webroot domains email + default-location) (map (lambda (domain) (nginx-server-configuration 
@@ -127,7 +132,6 @@ (domains (append (certbot-configuration-domains config) additional-domains))))) - (default-value (certbot-configuration)) (description "Automatically renew @url{https://letsencrypt.org, Let's Encrypt} HTTPS certificates by adjusting the nginx web server configuration -- 2.16.1 From debbugs-submit-bounces@debbugs.gnu.org Wed Feb 14 16:35:26 2018 Received: (at 30459) by debbugs.gnu.org; 14 Feb 2018 21:35:26 +0000 Received: from localhost ([127.0.0.1]:43367 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1em4i6-0001vz-BH for submit@debbugs.gnu.org; Wed, 14 Feb 2018 16:35:26 -0500 Received: from mail.lassieur.org ([83.152.10.219]:58284) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1em4i2-0001ur-C5 for 30459@debbugs.gnu.org; Wed, 14 Feb 2018 16:35:23 -0500 Received: from localhost.localdomain (88.191.118.83 [88.191.118.83]) by mail.lassieur.org (OpenSMTPD) with ESMTPSA id 8e7286be (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256:NO) for <30459@debbugs.gnu.org>; Wed, 14 Feb 2018 21:35:15 +0000 (UTC) 
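Review bot: in the certbot-command hunk of PATCH 06, `--agree-tos` accepts the Let's Encrypt subscriber agreement on the administrator's behalf on every run, but the doc/guix.texi hunk only documents the new `email` field; the manual entry should state that using the service implies agreeing to the Let's Encrypt terms of service. The removal of `default-value` in the last hunk also means `(service certbot-service-type)` without an explicit configuration no longer works, which the manual should mention alongside "Mandatory email".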
From: =?UTF-8?q?Cl=C3=A9ment=20Lassieur?= To: 30459@debbugs.gnu.org Subject: [PATCH 07/11] services: certbot: Associate one certificate with several domains. Date: Wed, 14 Feb 2018 22:35:00 +0100 Message-Id: <20180214213504.29984-7-clement@lassieur.org> X-Mailer: git-send-email 2.16.1 In-Reply-To: <20180214213504.29984-1-clement@lassieur.org> References: <20180214213504.29984-1-clement@lassieur.org> X-Spam-Score: -0.0 (/) X-Debbugs-Envelope-To: 30459 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.0 (/) * doc/guix.texi (Certificate Services): Document , the change from domains to certificates and the fact that their path is now derived from their name. * gnu/services/certbot.scm (): Add and export it. (certbot-configuration, certbot-command, certbot-activation, certbot-nginx-server-configurations, certbot-service-type): Replace 'domains' with 'certificates'. (certbot-nginx-server-configurations): Use only one nginx-server-configuration and use all certificate domains as the server-name. --- doc/guix.texi | 48 ++++++++++++++++++++++++++------ gnu/services/certbot.scm | 71 ++++++++++++++++++++++++++++-------------------- 2 files changed, 81 insertions(+), 38 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index e951b3274..78508eeac 100644 --- a/doc/guix.texi +++ b/doc/guix.texi 
@@ -15677,7 +15677,22 @@ staying online in case a Let's Encrypt-initiated revocation happened for some reason. @defvr {Scheme Variable} certbot-service-type -A service type for the @code{certbot} Let's Encrypt client. +A service type for the @code{certbot} Let's Encrypt client. Its value +must be a @code{certbot-configuration} record as in this example: + +@example +(service certbot-service-type + (certbot-configuration + (email "foo@@example.net") + (certificates + (list + (certificate-configuration + (domains '("example.net" "www.example.net"))) + (certificate-configuration + (domains '("bar.example.net"))))))) +@end example + +See below for details about @code{certbot-configuration}. @end defvr @deftp {Data Type} certbot-configuration @@ -15692,9 +15707,10 @@ The certbot package to use. The directory from which to serve the Let's Encrypt challenge/response files. -@item @code{domains} (default: @code{()}) -A list of domains for which to generate certificates and request -signatures. +@item @code{certificates} (default: @code{()}) +A list of @code{certificates-configuration}s for which to generate +certificates and request signatures. Each certificate has a @code{name} +and several @code{domains}. @item @code{email} Mandatory email used for registration, recovery contact, and important 
@@ -15722,12 +15738,28 @@ Pass @code{#f} to not issue a default location. @end table @end deftp -The public key and its signatures will be written to -@code{/etc/letsencrypt/live/@var{domain}/fullchain.pem}, for each -@var{domain} in the configuration. The private key is written to -@code{/etc/letsencrypt/live/@var{domain}/privkey.pem}. +@deftp {Data Type} certificate-configuration +Data type representing the configuration of a certificate. +This type has the following parameters: + +@table @asis +@item @code{name} (default: @i{see below}) +This name is used by Certbot for housekeeping and in file paths; it +doesn't affect the content of the certificate itself. To see +certificate names, run @code{certbot certificates}. + +Its default is the first provided domain. +@item @code{domains} (default: @code{()}) +The first domain provided will be the subject CN of the certificate, and +all domains will be Subject Alternative Names on the certificate. + +@end table +@end deftp +For each @code{certificate-configuration}, the certificate is saved to +@code{/etc/letsencrypt/live/@var{name}/fullchain.pem} and the key is +saved to @code{/etc/letsencrypt/live/@var{name}/privkey.pem}. @node DNS Services @subsubsection DNS Services @cindex DNS (domain name system) diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm index 379c21143..a70a36591 100644 --- a/gnu/services/certbot.scm +++ b/gnu/services/certbot.scm @@ -32,7 +32,8 @@ #:use-module (ice-9 match) #:export (certbot-service-type certbot-configuration - certbot-configuration?)) + certbot-configuration? + certificate-configuration)) ;;; Commentary: ;;; @@ -41,6 +42,14 @@ ;;; Code: +(define-record-type* + certificate-configuration make-certificate-configuration + certificate-configuration? + (name certificate-configuration-name + (default #f)) + (domains certificate-configuration-domains + (default '()))) + (define-record-type* certbot-configuration make-certbot-configuration certbot-configuration? 
@@ -48,7 +57,7 @@ (default certbot)) (webroot certbot-configuration-webroot (default "/var/www")) - (domains certbot-configuration-domains + (certificates certbot-configuration-certificates (default '())) (email certbot-configuration-email) (default-location certbot-configuration-default-location @@ -60,17 +69,19 @@ (define certbot-command (match-lambda - (($ package webroot domains email + (($ package webroot certificates email default-location) (let* ((certbot (file-append package "/bin/certbot")) (commands (map - (lambda (domain) - (list certbot "certonly" "-n" "--agree-tos" - "-m" email - "--webroot" "-w" webroot - "-d" domain)) - domains))) + (match-lambda + (($ name domains) + (list certbot "certonly" "-n" "--agree-tos" + "-m" email + "--webroot" "-w" webroot + "--cert-name" (or name (car domains)) + "-d" (string-join domains ",")))) + certificates))) (program-file "certbot-command" #~(let ((code 0)) @@ -88,7 +99,7 @@ (define (certbot-activation config) (match config - (($ package webroot domains email + (($ package webroot certificates email default-location) (with-imported-modules '((guix build utils)) #~(begin 
@@ -98,23 +109,22 @@ (define certbot-nginx-server-configurations (match-lambda - (($ package webroot domains email + (($ package webroot certificates email default-location) - (map - (lambda (domain) - (nginx-server-configuration - (listen '("80" "[::]:80")) - (ssl-certificate #f) - (ssl-certificate-key #f) - (server-name (list domain)) - (locations - (filter identity - (list - (nginx-location-configuration - (uri "/.well-known") - (body (list (list "root " webroot ";")))) - default-location))))) - domains)))) + (list + (nginx-server-configuration + (listen '("80" "[::]:80")) + (ssl-certificate #f) + (ssl-certificate-key #f) + (server-name + (apply append (map certificate-configuration-domains certificates))) + (locations + (filter identity + (list + (nginx-location-configuration + (uri "/.well-known") + (body (list (list "root " webroot ";")))) + default-location)))))))) (define certbot-service-type (service-type (name 'certbot) 
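Review bot: the new `certbot-nginx-server-configurations` always returns one server block, even when `certificates` is empty: `(list (nginx-server-configuration ... (server-name (apply append (map certificate-configuration-domains certificates))) ...))` then yields a port-80 server with an empty `server-name`, which nginx will use as a catch-all for requests matching no other server. The old `(map ... domains)` produced nothing in that case. Suggest guarding with `(if (null? certificates) '() (list ...))` so an empty configuration stays a no-op for nginx.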
@@ -126,12 +136,13 @@ (service-extension mcron-service-type certbot-renewal-jobs))) (compose concatenate) - (extend (lambda (config additional-domains) + (extend (lambda (config additional-certificates) (certbot-configuration (inherit config) - (domains (append - (certbot-configuration-domains config) - additional-domains))))) + (certificates + (append + (certbot-configuration-certificates config) + additional-certificates))))) (description "Automatically renew @url{https://letsencrypt.org, Let's Encrypt} HTTPS certificates by adjusting the nginx web server configuration -- 2.16.1 From debbugs-submit-bounces@debbugs.gnu.org Wed Feb 14 16:35:27 2018 Received: (at 30459) by debbugs.gnu.org; 14 Feb 2018 21:35:27 +0000 Received: from localhost ([127.0.0.1]:43369 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1em4i6-0001w7-PT for submit@debbugs.gnu.org; Wed, 14 Feb 2018 16:35:26 -0500 Received: from mail.lassieur.org ([83.152.10.219]:58282) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1em4i2-0001uH-Lh for 30459@debbugs.gnu.org; Wed, 14 Feb 2018 16:35:23 -0500 Received: from localhost.localdomain (88.191.118.83 [88.191.118.83]) by mail.lassieur.org (OpenSMTPD) with ESMTPSA id fa5066da (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256:NO) for <30459@debbugs.gnu.org>; Wed, 14 Feb 2018 21:35:16 +0000 (UTC) 
From: =?UTF-8?q?Cl=C3=A9ment=20Lassieur?= To: 30459@debbugs.gnu.org Subject: [PATCH 08/11] doc: Fix typo in certbot-configuration description. Date: Wed, 14 Feb 2018 22:35:01 +0100 Message-Id: <20180214213504.29984-8-clement@lassieur.org> X-Mailer: git-send-email 2.16.1 In-Reply-To: <20180214213504.29984-1-clement@lassieur.org> References: <20180214213504.29984-1-clement@lassieur.org> X-Spam-Score: -0.0 (/) X-Debbugs-Envelope-To: 30459 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.0 (/) * doc/guix.texi (Certificate Services): Fix typo. --- doc/guix.texi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/guix.texi b/doc/guix.texi index 78508eeac..4f6f9e9c7 100644 --- a/doc/guix.texi +++ b/doc/guix.texi 
@@ -15696,7 +15696,7 @@ See below for details about @code{certbot-configuration}. @end defvr @deftp {Data Type} certbot-configuration -Data type representing the configuration of the @code{certbot} serice. +Data type representing the configuration of the @code{certbot} service. This type has the following parameters: @table @asis -- 2.16.1 From debbugs-submit-bounces@debbugs.gnu.org Wed Feb 14 16:35:30 2018 Received: (at 30459) by debbugs.gnu.org; 14 Feb 2018 21:35:30 +0000 Received: from localhost ([127.0.0.1]:43371 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1em4iA-0001wM-2D for submit@debbugs.gnu.org; Wed, 14 Feb 2018 16:35:30 -0500 Received: from mail.lassieur.org ([83.152.10.219]:58282) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1em4i3-0001uH-NP for 30459@debbugs.gnu.org; Wed, 14 Feb 2018 16:35:24 -0500 Received: from localhost.localdomain (88.191.118.83 [88.191.118.83]) by mail.lassieur.org (OpenSMTPD) with ESMTPSA id 13a0e6ef (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256:NO) for <30459@debbugs.gnu.org>; Wed, 14 Feb 2018 21:35:16 +0000 (UTC) 
From: =?UTF-8?q?Cl=C3=A9ment=20Lassieur?= To: 30459@debbugs.gnu.org Subject: [PATCH 10/11] services: certbot: Add verbosity. Date: Wed, 14 Feb 2018 22:35:03 +0100 Message-Id: <20180214213504.29984-10-clement@lassieur.org> X-Mailer: git-send-email 2.16.1 In-Reply-To: <20180214213504.29984-1-clement@lassieur.org> References: <20180214213504.29984-1-clement@lassieur.org> X-Spam-Score: -0.0 (/) X-Debbugs-Envelope-To: 30459 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.0 (/) The certificate name wasn't displayed if it wasn't being renewed. * gnu/services/certbot.scm (certbot-command): Print certificate name before running the associated command. --- gnu/services/certbot.scm | 32 +++++++++++++++++++------------- 1 file changed, 19 insertions(+), 13 deletions(-) diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm index 51f5d719a..f90e4f04b 100644 --- a/gnu/services/certbot.scm +++ b/gnu/services/certbot.scm 
@@ -78,22 +78,28 @@ (commands (map (match-lambda - (($ name domains) - (append - (list certbot "certonly" "-n" "--agree-tos" - "-m" email - "--webroot" "-w" webroot - "--cert-name" (or name (car domains)) - "-d" (string-join domains ",")) - (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())))) + (($ custom-name domains) + (let ((name (or custom-name (car domains)))) + (append + (list name certbot "certonly" "-n" "--agree-tos" + "-m" email + "--webroot" "-w" webroot + "--cert-name" name + "-d" (string-join domains ",")) + (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '()))))) certificates))) (program-file "certbot-command" - #~(let ((code 0)) - (for-each - (lambda (command) - (set! code (or (apply system* command) code))) - '#$commands) code)))))) + #~(begin + (use-modules (ice-9 match)) + (let ((code 0)) + (for-each + (match-lambda + ((name . command) + (begin + (format #t "Acquiring or renewing certificate: ~a~%" name) + (set! code (or (apply system* command) code))))) + '#$commands) code))))))) (define (certbot-renewal-jobs config) (list -- 2.16.1 From debbugs-submit-bounces@debbugs.gnu.org Wed Feb 14 16:35:30 2018 Received: (at 30459) by debbugs.gnu.org; 14 Feb 2018 21:35:30 +0000 Received: from localhost ([127.0.0.1]:43373 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1em4iA-0001wO-Cr for submit@debbugs.gnu.org; Wed, 14 Feb 2018 16:35:30 -0500 Received: from mail.lassieur.org ([83.152.10.219]:58284) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1em4i3-0001ur-LS for 30459@debbugs.gnu.org; Wed, 14 Feb 2018 16:35:24 -0500 Received: from localhost.localdomain (88.191.118.83 [88.191.118.83]) by mail.lassieur.org (OpenSMTPD) with ESMTPSA id f2b35488 (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256:NO) for <30459@debbugs.gnu.org>; Wed, 14 Feb 2018 21:35:16 +0000 (UTC) 
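Review bot: the rewritten loop keeps `(set! code (or (apply system* command) code))`, which never does what the name suggests: `system*` returns an integer wait status, so `or` always yields that status and `code` ends up being the status of the last command only, masking a failure on an earlier certificate. Since this hunk touches the line anyway, keep the first non-zero status, e.g. `(let ((status (apply system* command))) (unless (zero? status) (set! code status)))`, and if `code` is used as the program's exit code, pass it through `status:exit-val` first. The `format` line is fine, but printing the status after each command would make the log useful for spotting which certificate failed.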
From: =?UTF-8?q?Cl=C3=A9ment=20Lassieur?= To: 30459@debbugs.gnu.org Subject: [PATCH 09/11] services: certbot: Allow to set RSA key size. Date: Wed, 14 Feb 2018 22:35:02 +0100 Message-Id: <20180214213504.29984-9-clement@lassieur.org> X-Mailer: git-send-email 2.16.1 In-Reply-To: <20180214213504.29984-1-clement@lassieur.org> References: <20180214213504.29984-1-clement@lassieur.org> X-Spam-Score: -0.0 (/) X-Debbugs-Envelope-To: 30459 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.0 (/) * doc/guix.texi (Certificate Services): Document it. * gnu/services/certbot.scm (, certbot-command, certbot-activation, certbot-nginx-server-configurations): Add it. --- doc/guix.texi | 3 +++ gnu/services/certbot.scm | 21 +++++++++++++-------- 2 files changed, 16 insertions(+), 8 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index 4f6f9e9c7..8500cda6d 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -15716,6 +15716,9 @@ and several @code{domains}. Mandatory email used for registration, recovery contact, and important account notifications. +@item @code{rsa-key-size} (default: @code{2048}) +Size of the RSA key. + @item @code{default-location} (default: @i{see below}) The default @code{nginx-location-configuration}. Because @code{certbot} needs to be able to serve challenges and responses, it needs to be able diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm index a70a36591..51f5d719a 100644 --- a/gnu/services/certbot.scm +++ b/gnu/services/certbot.scm @@ -60,6 +60,8 @@ (certificates certbot-configuration-certificates (default '())) (email certbot-configuration-email) + (rsa-key-size certbot-configuration-rsa-key-size + (default #f)) (default-location certbot-configuration-default-location (default (nginx-location-configuration 
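Review bot: the documentation says `rsa-key-size` defaults to `2048`, but the record field is `(default #f)`, meaning "do not pass `--rsa-key-size`" so that certbot's own default applies. The two should agree: either make the record default `2048` so the documented value is what actually gets passed, or document the default as `#f` and explain that certbot then chooses the size. A one-line "Size of the RSA key." could also say the value is an integer (it goes through `number->string` in the next hunk, so a string such as `"4096"` would raise an error).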
@@ -70,17 +72,20 @@ (define certbot-command (match-lambda (($ package webroot certificates email - default-location) + rsa-key-size default-location) (let* ((certbot (file-append package "/bin/certbot")) + (rsa-key-size (and rsa-key-size (number->string rsa-key-size))) (commands (map (match-lambda (($ name domains) - (list certbot "certonly" "-n" "--agree-tos" - "-m" email - "--webroot" "-w" webroot - "--cert-name" (or name (car domains)) - "-d" (string-join domains ",")))) + (append + (list certbot "certonly" "-n" "--agree-tos" + "-m" email + "--webroot" "-w" webroot + "--cert-name" (or name (car domains)) + "-d" (string-join domains ",")) + (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())))) certificates))) (program-file "certbot-command" @@ -100,7 +105,7 @@ (define (certbot-activation config) (match config (($ package webroot certificates email - default-location) + rsa-key-size default-location) (with-imported-modules '((guix build utils)) #~(begin (use-modules (guix build utils)) 
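Review bot: the new `rsa-key-size` binding added to the `($ <certbot-configuration> ...)` patterns of `certbot-activation` and `certbot-nginx-server-configurations` is unused in both; it is only there to keep the positional match in step with the record layout, which is why a single new field has to be threaded through three functions in this patch. Either bind the unused slot as `_` to make that explicit, or switch those two functions to the accessors (`certbot-configuration-webroot`, `certbot-configuration-certificates`, ...) so that future fields such as `deploy-hook` need no changes there.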
@@ -110,7 +115,7 @@ (define certbot-nginx-server-configurations (match-lambda (($ package webroot certificates email - default-location) + rsa-key-size default-location) (list (nginx-server-configuration (listen '("80" "[::]:80")) -- 2.16.1 From debbugs-submit-bounces@debbugs.gnu.org Wed Feb 14 16:35:31 2018 Received: (at 30459) by debbugs.gnu.org; 14 Feb 2018 21:35:31 +0000 Received: from localhost ([127.0.0.1]:43375 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1em4iA-0001wZ-MY for submit@debbugs.gnu.org; Wed, 14 Feb 2018 16:35:30 -0500 Received: from mail.lassieur.org ([83.152.10.219]:58282) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1em4i4-0001uH-LW for 30459@debbugs.gnu.org; Wed, 14 Feb 2018 16:35:25 -0500 Received: from localhost.localdomain (88.191.118.83 [88.191.118.83]) by mail.lassieur.org (OpenSMTPD) with ESMTPSA id d6c1d743 (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256:NO) for <30459@debbugs.gnu.org>; Wed, 14 Feb 2018 21:35:16 +0000 (UTC) From: =?UTF-8?q?Cl=C3=A9ment=20Lassieur?= To: 30459@debbugs.gnu.org Subject: [PATCH 11/11] services: certbot: Allow to set a deploy hook. Date: Wed, 14 Feb 2018 22:35:04 +0100 Message-Id: <20180214213504.29984-11-clement@lassieur.org> X-Mailer: git-send-email 2.16.1 In-Reply-To: <20180214213504.29984-1-clement@lassieur.org> References: <20180214213504.29984-1-clement@lassieur.org> X-Spam-Score: -0.0 (/) X-Debbugs-Envelope-To: 30459 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.0 (/) * doc/guix.texi (Certificate Services): Document it. * gnu/services/certbot.scm (, certbot-command): Add it. --- doc/guix.texi | 22 ++++++++++++++++++++-- gnu/services/certbot.scm | 10 +++++++--- 2 files changed, 27 insertions(+), 5 deletions(-) 
diff --git a/doc/guix.texi b/doc/guix.texi index 8500cda6d..2092e1d3b 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -15668,7 +15668,9 @@ signature. The certbot service automates this process: the initial key generation, the initial certification request to the Let's Encrypt service, the web server challenge/response integration, writing the -certificate to disk, and the automated periodic renewals. +certificate to disk, the automated periodic renewals, and the deployment +tasks associated with the renewal (e.g. reloading services, copying keys +with different permissions). Certbot is run twice a day, at a random minute within the hour. It won't do anything until your certificates are due for renewal or @@ -15681,13 +15683,20 @@ A service type for the @code{certbot} Let's Encrypt client. Its value must be a @code{certbot-configuration} record as in this example: @example +(define %nginx-deploy-hook + (program-file + "nginx-deploy-hook" + #~(let ((pid (call-with-input-file "/var/run/nginx/pid" read))) + (kill pid SIGHUP)))) + (service certbot-service-type (certbot-configuration (email "foo@@example.net") (certificates (list (certificate-configuration - (domains '("example.net" "www.example.net"))) + (domains '("example.net" "www.example.net")) + (deploy-hook %nginx-deploy-hook)) (certificate-configuration (domains '("bar.example.net"))))))) @end example 
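Review bot: the example deploy hook in the doc hunk is fragile: `(call-with-input-file "/var/run/nginx/pid" read)` raises if the pid file is absent, and if the file is empty `read` returns the EOF object, so `(kill pid SIGHUP)` fails with a type error; certbot then reports the deploy step as failed although the certificate was issued. Since this is the snippet users will copy, guard it, e.g. `(when (and (file-exists? "/var/run/nginx/pid") (integer? pid)) (kill pid SIGHUP))`, or at least mention in the text that the hook must tolerate nginx not running.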
@@ -15757,6 +15766,15 @@ Its default is the first provided domain. The first domain provided will be the subject CN of the certificate, and all domains will be Subject Alternative Names on the certificate. +@item @code{deploy-hook} (default: @code{#f}) +Command to be run in a shell once for each successfully issued +certificate. For this command, the shell variable +@code{$RENEWED_LINEAGE} will point to the config live subdirectory (for +example, @samp{"/etc/letsencrypt/live/example.com"}) containing the new +certificates and keys; the shell variable @code{$RENEWED_DOMAINS} will +contain a space-delimited list of renewed certificate domains (for +example, @samp{"example.com www.example.com"}. + @end table @end deftp diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm index f90e4f04b..066b8241b 100644 --- a/gnu/services/certbot.scm +++ b/gnu/services/certbot.scm @@ -48,7 +48,9 @@ (name certificate-configuration-name (default #f)) (domains certificate-configuration-domains - (default '()))) + (default '())) + (deploy-hook certificate-configuration-deploy-hook + (default #f))) (define-record-type* certbot-configuration make-certbot-configuration @@ -78,7 +80,8 @@ (commands (map (match-lambda - (($ custom-name domains) + (($ custom-name domains + deploy-hook) (let ((name (or custom-name (car domains)))) (append (list name certbot "certonly" "-n" "--agree-tos" 
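Review bot: the new `deploy-hook` doc item has an unbalanced parenthesis: `(for example, @samp{"example.com www.example.com"}.` is missing its closing `)`. The item also describes the field as a "Command to be run in a shell" while the example above passes a `program-file` object and the record default is `#f`; say which values are accepted (a file-like object such as `program-file`, or `#f` for none) so readers know what to write. It is also worth noting in the same paragraph that certbot runs the hook with its own (root) privileges on every renewal, which is the reason the example only sends a signal rather than doing more.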
@@ -86,7 +89,8 @@ "--webroot" "-w" webroot "--cert-name" name "-d" (string-join domains ",")) - (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '()))))) + (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '()) + (if deploy-hook `("--deploy-hook" ,deploy-hook) '()))))) certificates))) (program-file "certbot-command" -- 2.16.1 From debbugs-submit-bounces@debbugs.gnu.org Sat Feb 17 10:13:31 2018 Received: (at 30459) by debbugs.gnu.org; 17 Feb 2018 15:13:31 +0000 Received: from localhost ([127.0.0.1]:48434 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1en4B7-0006De-9v for submit@debbugs.gnu.org; Sat, 17 Feb 2018 10:13:30 -0500 Received: from out5-smtp.messagingengine.com ([66.111.4.29]:50729) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1en4B6-0006DX-Fc for 30459@debbugs.gnu.org; Sat, 17 Feb 2018 10:13:28 -0500 Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.nyi.internal (Postfix) with ESMTP id 3227C20CBE; Sat, 17 Feb 2018 10:13:28 -0500 (EST) Received: from frontend2 ([10.202.2.161]) by compute5.internal (MEProxy); Sat, 17 Feb 2018 10:13:28 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastmail.com; h= content-type:date:from:in-reply-to:message-id:mime-version :references:subject:to:x-me-sender:x-me-sender:x-sasl-enc; s= fm2; bh=AyxnAdHLZ4jRajJn7YOZ3Wdvw+D10k7DhQSeBvmJ3AI=; b=jdVaCdy2 dv4yIB4C1ff/+KUDQ7ebl8xP+/gMT2rGW5TReQzxPY6ZV5nFJkmYI910/pCxGLYd G6irRUaKq/xvDrm4Dv08DiVyPi7i1ji3CDsMxeYX0w0h/AfGnNB+zXgZZdNWV0oI 36cDta8NBahA5ZTC+lsA3ztLkYXJCZRRG2LQSyWwQWDK0xObwsuhasjFccuBVxVj icgosSkF7elHIy8ySyzLdl5hElGICdm1OswtKIRai+2nXTyks95cgF0p2m0ftXKm qwdrdZ3JNcNOuprd9zNROPwUxupZ2y26TtqdfpELRreSJM/TgwZXGtMHneM+JQ8p IuLL87xcJJO9jQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-sender :x-me-sender:x-sasl-enc; s=fm2; bh=AyxnAdHLZ4jRajJn7YOZ3Wdvw+D10 
From: Marius Bakke To: Clément Lassieur , 30459@debbugs.gnu.org Subject: Re: [bug#30459] [PATCH 06/11] services: certbot: Get certbot to run non-interactively. In-Reply-To: <20180214213504.29984-6-clement@lassieur.org> References: <20180214213504.29984-1-clement@lassieur.org> <20180214213504.29984-6-clement@lassieur.org> User-Agent: Notmuch/0.26 (https://notmuchmail.org) Emacs/25.3.1 (x86_64-pc-linux-gnu) Date: Sat, 17 Feb 2018 16:13:26 +0100 Message-ID: <87606vvecp.fsf@fastmail.com> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature" X-Spam-Score: -0.7 (/) X-Debbugs-Envelope-To: 30459 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.7 (/)

Clément Lassieur writes:

> * doc/guix.texi (Certificate Services): Add email field.
> * gnu/services/certbot.scm (, certbot-command,
> certbot-activation, certbot-nginx-server-configurations): Add email field.
> (certbot-command): Add '-n' and '--agree-tos' options.
> (certbot-service-type): Remove default-value.

Since this effectively hides the ToS from the user, I think we should update documentation to link to it. Something along the lines of "By using this service, you agree to the Terms and Conditions laid out in URL...".

I'm not a user of certbot currently and thus haven't tested it, but the other patches LGTM to me. Thanks a lot for working on this!
From debbugs-submit-bounces@debbugs.gnu.org Mon Feb 19 17:46:13 2018 Received: (at 30459) by debbugs.gnu.org; 19 Feb 2018 22:46:13 +0000 Received: from localhost ([127.0.0.1]:51789 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1enuCK-0006kv-V7 for submit@debbugs.gnu.org; Mon, 19 Feb 2018 17:46:13 -0500 Received: from mail.lassieur.org ([83.152.10.219]:58768) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1enuCI-0006kf-SM for 30459@debbugs.gnu.org; Mon, 19 Feb 2018 17:46:11 -0500 Received: from rodion (88.191.118.83 [88.191.118.83]) by mail.lassieur.org (OpenSMTPD) with ESMTPSA id 6bc7fc5b (TLSv1.2:ECDHE-RSA-CHACHA20-POLY1305:256:NO); Mon, 19 Feb 2018 22:46:08 +0000 (UTC) References: <20180214213504.29984-1-clement@lassieur.org> <20180214213504.29984-6-clement@lassieur.org> <87606vvecp.fsf@fastmail.com> User-agent: mu4e 1.0; emacs 25.3.1
From: Clément Lassieur To: Marius Bakke Subject: Re: [bug#30459] [PATCH 06/11] services: certbot: Get certbot to run non-interactively. In-reply-to: <87606vvecp.fsf@fastmail.com> Date: Mon, 19 Feb 2018 23:46:07 +0100 Message-ID: <874lmc4mz4.fsf@lassieur.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Spam-Score: -0.0 (/) X-Debbugs-Envelope-To: 30459 Cc: 30459@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.0 (/)

Marius Bakke writes:

> Clément Lassieur writes:
>
>> * doc/guix.texi (Certificate Services): Add email field.
>> * gnu/services/certbot.scm (, certbot-command,
>> certbot-activation, certbot-nginx-server-configurations): Add email field.
>> (certbot-command): Add '-n' and '--agree-tos' options.
>> (certbot-service-type): Remove default-value.
>
> Since this effectively hides the ToS from the user, I think we should
> update documentation to link to it. Something along the lines of
> "By using this service, you agree to the Terms and Conditions laid out
> in URL...".
>
> I'm not a user of certbot currently and thus haven't tested it, but the
> other patches LGTM to me. Thanks a lot for working on this!

Thank you very much for the review, Marius, I'll update the documentation as you said.

I won't push right now because I'm unconvinced by certbot-activation:
- it runs at every reconfigure, whereas I want it to run only when the configuration changes
- it runs at system startup (with no internet access, I think) which I obviously don't want
- it requires internet access

Assuming there is no way to get it to run only on reconfigure when the configuration has changed, I could make a command that the user would use manually (with profile-service-type).
They would use this command if they add new certificates and if they don't want to wait for the cron task to happen. WDYT? From debbugs-submit-bounces@debbugs.gnu.org Thu Feb 22 08:57:12 2018 Received: (at 30459) by debbugs.gnu.org; 22 Feb 2018 13:57:12 +0000 Received: from localhost ([127.0.0.1]:55413 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1eorN2-00073j-Bf for submit@debbugs.gnu.org; Thu, 22 Feb 2018 08:57:12 -0500 Received: from out2-smtp.messagingengine.com ([66.111.4.26]:48559) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1eorN0-00073c-U5 for 30459@debbugs.gnu.org; Thu, 22 Feb 2018 08:57:11 -0500 Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.nyi.internal (Postfix) with ESMTP id 163CF20D82; Thu, 22 Feb 2018 08:57:10 -0500 (EST) Received: from frontend1 ([10.202.2.160]) by compute5.internal (MEProxy); Thu, 22 Feb 2018 08:57:10 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastmail.com; h= cc:content-type:date:from:in-reply-to:message-id:mime-version :references:subject:to:x-me-sender:x-me-sender:x-sasl-enc; s= fm2; bh=UcQKmDdP/te4dQ7XMsQGksu+x3wUVj8wCkJxD84ask8=; b=HykcQGKp McxAf7Fxxm6Rjxb5Sx5qnsjf//lDMb1dnw/kpSgdL3VZ3qMRHMhXnLLxBEDiRXDt Gvd7+Wuzy2XZ+i8vdzISM0zuRVP4MzMu5guG80+lbCuq6j608amDnQXnc+tVR6qH sPqwjjCyjDBezEVZMuHIqC5F9rnhMPq2e6epNF0KXXScUc5cNdhYH4KQVylR/yBd DG0Cz8I/f3pOABgkBDcjcn/YzhKC/Xzw//avCp0a7w7CKk5qwN/ks9OLp7rnTK0M GShz9kkhbwjGcupu/KsC0toVICEhyixwcioD/k9v+5y+ngAyVvDmejeZlheXo7tK nROs3UydoLCxWQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-sender :x-me-sender:x-sasl-enc; s=fm2; bh=UcQKmDdP/te4dQ7XMsQGksu+x3wUV j8wCkJxD84ask8=; b=eOUnWupc/oXgJnA7hZVPml2YjYUVR+ZhIlxxrfUKksAIQ UgoMMHTAih0/qphUkU1ULX5tAtd6dGb/uCjY0463c34++2LigKXkW5gv5wdSVzcS yeJtW4EbCOCXT99tAFJKxpgItYe5aM1QiQusCrWVoz4+7timfvRYGV5HUQ9dCGes 
From: Marius Bakke To: Clément Lassieur Subject: Re: [bug#30459] [PATCH 06/11] services: certbot: Get certbot to run non-interactively. In-Reply-To: <874lmc4mz4.fsf@lassieur.org> References: <20180214213504.29984-1-clement@lassieur.org> <20180214213504.29984-6-clement@lassieur.org> <87606vvecp.fsf@fastmail.com> <874lmc4mz4.fsf@lassieur.org> User-Agent: Notmuch/0.26 (https://notmuchmail.org) Emacs/25.3.1 (x86_64-pc-linux-gnu) Date: Thu, 22 Feb 2018 14:57:07 +0100 Message-ID: <874lm9b00c.fsf@fastmail.com> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature" X-Spam-Score: -0.7 (/) X-Debbugs-Envelope-To: 30459 Cc: 30459@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.7 (/)

Clément Lassieur writes:

> Marius Bakke writes:
>
>> Clément Lassieur writes:
>>
>>> * doc/guix.texi (Certificate Services): Add email field.
>>> * gnu/services/certbot.scm (, certbot-command,
>>> certbot-activation, certbot-nginx-server-configurations): Add email field.
>>> (certbot-command): Add '-n' and '--agree-tos' options.
>>> (certbot-service-type): Remove default-value.
>>
>> Since this effectively hides the ToS from the user, I think we should
>> update documentation to link to it. Something along the lines of
>> "By using this service, you agree to the Terms and Conditions laid out
>> in URL...".
>>
>> I'm not a user of certbot currently and thus haven't tested it, but the
>> other patches LGTM to me. Thanks a lot for working on this!
>
> Thank you very much for the review, Marius, I'll update the
> documentation as you said.
>
> I won't push right now because I'm unconvinced by certbot-activation:
> - it runs at every reconfigure, whereas I want it to run only when the
> configuration changes
> - it runs at system startup (with no internet access, I think) which I
> obviously don't want
> - it requires internet access

I haven't studied the code, but perhaps certbot-activation could be made a "proper" Shepherd service (e.g. simple-service)? That way it can have a dependency on networking, at least. It also would not run on every reconfigure.

> Assuming there is no way to get it to run only on reconfigure when the
> configuration has changed, I could make a command that the user would
> use manually (wich profile-service-type). They would use this command
> if they add new certificates and if they don't want to wait for the cron
> task to happen. WDYT?

This sounds great, but I don't know if it should block this series. Perhaps you can push it to a 'wip-certbot' branch on Savannah for easier access and testing?

Also, hopefully some of our newfound Shepherd experts can chime in on this thread :)

From debbugs-submit-bounces@debbugs.gnu.org Thu Feb 22 15:49:54 2018 Received: (at 30459) by debbugs.gnu.org; 22 Feb 2018 20:49:54 +0000 Received: from localhost ([127.0.0.1]:56892 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1eoxoQ-0000Pv-HK for submit@debbugs.gnu.org; Thu, 22 Feb 2018 15:49:54 -0500
Received: from mail.lassieur.org ([83.152.10.219]:58822) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1eoxoO-0000Pl-T1 for 30459@debbugs.gnu.org; Thu, 22 Feb 2018 15:49:53 -0500 Received: from rodion (88.191.118.83 [88.191.118.83]) by mail.lassieur.org (OpenSMTPD) with ESMTPSA id bdf31da0 (TLSv1.2:ECDHE-RSA-CHACHA20-POLY1305:256:NO); Thu, 22 Feb 2018 20:49:48 +0000 (UTC) References: <20180214213504.29984-1-clement@lassieur.org> <20180214213504.29984-6-clement@lassieur.org> <87606vvecp.fsf@fastmail.com> <874lmc4mz4.fsf@lassieur.org> <874lm9b00c.fsf@fastmail.com> User-agent: mu4e 1.0; emacs 25.3.1 
From: =?utf-8?Q?Cl=C3=A9ment?= Lassieur To: Marius Bakke Subject: Re: [bug#30459] [PATCH 06/11] services: certbot: Get certbot to run non-interactively. In-reply-to: <874lm9b00c.fsf@fastmail.com> Date: Thu, 22 Feb 2018 21:49:46 +0100 Message-ID: <87inao4umt.fsf@lassieur.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Spam-Score: -0.0 (/) X-Debbugs-Envelope-To: 30459 Cc: 30459@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.0 (/) Marius Bakke writes: >> I won't push right now because I'm unconvinced by certbot-activation: >> - it runs at every reconfigure, whereas I want it to run only when the >> configuration changes >> - it runs at system startup (with no internet access, I think) which I >> obviously don't want >> - it requires internet access > > I haven't studied the code, but perhaps certbot-activation could be made > a "proper" Shepherd service (e.g. simple-service)? That way it can have > a dependency on networking, at least. It also would not run on every > reconfigure. Good idea! >> Assuming there is no way to get it to run only on reconfigure when the >> configuration has changed, I could make a command that the user would >> use manually (wich profile-service-type). They would use this command >> if they add new certificates and if they don't want to wait for the cron >> task to happen. WDYT? > > This sounds great, but don't know if it should block this series. > Perhaps you can push it to a 'wip-certbot' branch on Savannah for easier > access and testing? 
> > Also, hopefully some of our newfound Shepherd experts can chime in on > this thread :) I pushed the series as is in the master branch, because it changes the API and it's better that the potential users use the new API as soon as possible. (And it works anyway.) I'll add a patch implementing the certbot-activation as a Shepherd service. Thank you for the review! Clément From debbugs-submit-bounces@debbugs.gnu.org Sat Mar 03 16:53:02 2018 Received: (at 30459-done) by debbugs.gnu.org; 3 Mar 2018 21:53:02 +0000 Received: from localhost ([127.0.0.1]:43216 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1esF5S-0006WO-0K for submit@debbugs.gnu.org; Sat, 03 Mar 2018 16:53:02 -0500 Received: from hera.aquilenet.fr ([185.233.100.1]:54866) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1esF5Q-0006Vz-ML for 30459-done@debbugs.gnu.org; Sat, 03 Mar 2018 16:53:01 -0500 Received: from localhost (localhost [127.0.0.1]) by hera.aquilenet.fr (Postfix) with ESMTP id 171F411D90; Sat, 3 Mar 2018 22:53:00 +0100 (CET) X-Virus-Scanned: Debian amavisd-new at aquilenet.fr Received: from hera.aquilenet.fr ([127.0.0.1]) by localhost (hera.aquilenet.fr [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lwF1JXk89I7m; Sat, 3 Mar 2018 22:52:58 +0100 (CET) Received: from ribbon (unknown [IPv6:2a01:e0a:1d:7270:af76:b9b:ca24:c465]) by hera.aquilenet.fr (Postfix) with ESMTPSA id 60D17111A6; Sat, 3 Mar 2018 22:52:58 +0100 (CET) 
From: ludo@gnu.org (Ludovic Courtès)
To: Clément Lassieur
Subject: Re: [bug#30459] [PATCH 06/11] services: certbot: Get certbot to run non-interactively.
References: <20180214213504.29984-1-clement@lassieur.org> <20180214213504.29984-6-clement@lassieur.org> <87606vvecp.fsf@fastmail.com> <874lmc4mz4.fsf@lassieur.org> <874lm9b00c.fsf@fastmail.com> <87inao4umt.fsf@lassieur.org>
Date: Sat, 03 Mar 2018 22:52:57 +0100
In-Reply-To: <87inao4umt.fsf@lassieur.org> ("Clément Lassieur"'s message of "Thu, 22 Feb 2018 21:49:46 +0100")
Message-ID: <87fu5g6d3a.fsf@gnu.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: 1.0 (+)
X-Debbugs-Envelope-To: 30459-done
Cc: Marius Bakke , 30459-done@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit"

Clément Lassieur skribis:

> I pushed the series as is in the master branch, because it changes the
> API and it's better that the potential users use the new API as soon as
> possible.  (And it works anyway.)  I'll add a patch implementing the
> certbot-activation as a Shepherd service.

Awesome.

Remember to close the bug by emailing NNN-done@debbugs.gnu.org as I’m
doing here.  :-)

Ludo’.
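The Shepherd-service approach that Marius suggests and Clément agrees to earlier in this thread, sketched in Guile Scheme as an added example. This is not code from the patch series or from Guix's certbot service: the service name certbot-renewal, the certbot command line, the admin@example.org address, the /var/www webroot and the example.org domain are all assumptions, and the sketch takes for granted that the operating system already has a Shepherd service providing 'networking (for instance from a DHCP client service).

```scheme
;; Added illustration, not code from bug#30459 or from Guix's certbot
;; service.  Idea: run the certbot step as a Shepherd service that
;; depends on 'networking, instead of as an activation snippet that runs
;; at every reconfigure and at boot before the network is up.
(use-modules (gnu services)
             (gnu services shepherd)
             (gnu packages tls)          ;provides the 'certbot' package
             (guix gexp))

;; Assumed certbot invocation: non-interactive webroot issuance for one
;; domain.  The real service's command line is not shown on this page.
(define (certbot-renewal-shepherd-service certbot)
  (shepherd-service
   (documentation "Obtain Let's Encrypt certificates once the network is up.")
   (provision '(certbot-renewal))
   ;; This ordering is what an activation snippet cannot express: at boot
   ;; the service is not started before 'networking is provisioned.
   (requirement '(networking))
   (start #~(lambda _
              ;; The return value is the service's "running" value: #t on
              ;; success, #f if certbot failed.  A failed start leaves the
              ;; service stopped, so the next 'guix system reconfigure' or
              ;; 'herd start certbot-renewal' retries it.
              (zero? (system* #$(file-append certbot "/bin/certbot")
                              "certonly" "--non-interactive" "--agree-tos"
                              "--email" "admin@example.org"          ;assumed
                              "--webroot" "--webroot-path" "/var/www" ;assumed
                              "--domain" "example.org"))))           ;assumed
   ;; Nothing to kill: all the work happens in 'start'.
   (stop #~(const #f))
   (respawn? #f)))

;; Service type whose value is the certbot package to run.
(define certbot-renewal-service-type
  (service-type
   (name 'certbot-renewal)
   (extensions
    (list (service-extension
           shepherd-root-service-type
           (lambda (certbot)
             (list (certbot-renewal-shepherd-service certbot))))))
   (default-value certbot)
   (description
    "Run certbot as a Shepherd service that depends on networking.")))

;; In an operating-system declaration (assumed to already provide a
;; 'networking Shepherd service):
;;
;;   (services (cons (service certbot-renewal-service-type)
;;                   %base-services))
;;
;; After adding certificates to the configuration, run it by hand rather
;; than waiting for the periodic renewal job:
;;
;;   herd restart certbot-renewal
```

Two properties follow from how Shepherd and guix system reconfigure treat services. First, reconfigure starts services that are new and leaves already-running ones alone, so this runs at the first reconfigure that introduces it and at every boot after 'networking, but not on every reconfigure; a changed certificate list therefore needs an explicit herd restart, which is the manual step Clément describes. Second, if certbot fails (no route yet, an ACME rate limit), start returns #f and the service stays stopped instead of being marked running, so it is retried at the next reconfigure or herd start while the periodic renewal job carries on independently. If the networking provider reports itself running before an address is actually configured, the first attempt after boot can still fail for that reason, and the same retry path applies.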
From debbugs-submit-bounces@debbugs.gnu.org Sat Mar 03 17:09:17 2018
Received: (at 30459-done) by debbugs.gnu.org; 3 Mar 2018 22:09:17 +0000
Received: from localhost ([127.0.0.1]:43248 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1esFLA-0006vq-Rj for submit@debbugs.gnu.org; Sat, 03 Mar 2018 17:09:17 -0500
Received: from mail.lassieur.org ([83.152.10.219]:54498) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1esFL9-0006vi-EW for 30459-done@debbugs.gnu.org; Sat, 03 Mar 2018 17:09:15 -0500
Received: from rodion (192.168.0.254 [192.168.0.254]) by mail.lassieur.org (OpenSMTPD) with ESMTPSA id d981c919 (TLSv1.2:ECDHE-RSA-CHACHA20-POLY1305:256:NO); Sat, 3 Mar 2018 22:09:10 +0000 (UTC)
References: <20180214213504.29984-1-clement@lassieur.org> <20180214213504.29984-6-clement@lassieur.org> <87606vvecp.fsf@fastmail.com> <874lmc4mz4.fsf@lassieur.org> <874lm9b00c.fsf@fastmail.com> <87inao4umt.fsf@lassieur.org> <87fu5g6d3a.fsf@gnu.org>
User-agent: mu4e 1.0; emacs 25.3.1
From: Clément Lassieur
To: Ludovic Courtès
Subject: Re: bug#30459: [PATCH 06/11] services: certbot: Get certbot to run non-interactively.
Message-ID: <87r2p0g6dw.fsf@lassieur.org>
In-reply-to: <87fu5g6d3a.fsf@gnu.org>
Date: Sat, 03 Mar 2018 23:09:10 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Spam-Score: -0.0 (/)
X-Debbugs-Envelope-To: 30459-done
Cc: 30459-done@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit"

Ludovic Courtès writes:

> Clément Lassieur skribis:
>
>> I pushed the series as is in the master branch, because it changes the
>> API and it's better that the potential users use the new API as soon as
>> possible.  (And it works anyway.)  I'll add a patch implementing the
>> certbot-activation as a Shepherd service.
>
> Awesome.
>
> Remember to close the bug by emailing NNN-done@debbugs.gnu.org as I’m
> doing here.  :-)

I didn't close it on purpose because I planned to add a new patch this
week in this thread (to fix the activation).  But I'll send it in a new
thread.  You're right: it's probably easier to keep track of things this
way.

Clément

From unknown Sat Jun 21 10:38:45 2025
Received: (at fakecontrol) by fakecontrolmessage;
To: internal_control@debbugs.gnu.org
From: Debbugs Internal Request
Subject: Internal Control
Message-Id: bug archived.
Date: Sun, 01 Apr 2018 11:24:04 +0000
User-Agent: Fakemail v42.6.9

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator