From unknown Tue Jun 17 01:49:18 2025
Subject: bug#46961: Nginx and certbot services don't play well together
Resent-From: Brice Waegeneire
To: 46961@debbugs.gnu.org
Cc: guix-devel@gnu.org
Resent-Date: Sat, 06 Mar 2021 08:16:02 +0000
From: Brice Waegeneire
Date: Sat, 06 Mar 2021 09:15:04 +0100
Message-ID: <87pn0cy9yv.fsf@waegenei.re>

Hello Guix,

After a suggestion from Tobias to give forcing HTTPS for Guix's websites on berlin a try, I had a go at it, but it was more complex than what I was expecting. Looking deeper at the nginx and certbot services, it appears both services don't play that well together, requiring an initial dance when deploying a new HTTPS virtual server.
As explained in #36389¹ you need to:

« - run system configuration with just the certbot service
- use certbot to generate your initial certificates
- reconfigure with additional nginx server configuration, pointing to the SSL certificates created by certbot »

Indeed, with an operating-system containing the following services it's impossible to start Nginx and Certbot at once as one would expect:

--8<---------------cut here---------------start------------->8---
(service nginx-service-type)
(service php-fpm-service-type)
(service certbot-service-type
         (certbot-configuration
          (certificates
           (list
            (certificate-configuration
             (domains '("test.sama.re"))
             ;; Tell the running nginx to reload once a certificate is deployed.
             (deploy-hook
              (program-file
               "nginx-deploy-hook"
               #~(let ((pid (call-with-input-file "/var/run/nginx.pid" read)))
                   (kill pid SIGHUP)))))))))
(cat-avatar-generator-service
 #:configuration
 (nginx-server-configuration
  (listen '("443 ssl"))
  (server-name '("test.sama.re"))
  (ssl-certificate "/etc/letsencrypt/live/test.sama.re/fullchain.pem")
  (ssl-certificate-key "/etc/letsencrypt/live/test.sama.re/privkey.pem")))
--8<---------------cut here---------------end--------------->8---

Here is the error from reconfiguring the system:

--8<---------------cut here---------------start------------->8---
# guix system reconfigure /etc/config.sm
[...]
building /gnu/store/55cq2ja4i5489s55viv9fh50032d1ziy-switch-to-system.scm.drv...
making '/gnu/store/p2rkcmrnpls5py7x2iappf2qcbxwlb95-system' the current system...
setting up setuid programs in '/run/setuid-programs'...
populating /etc from /gnu/store/k2kb8hsq3q0dhhad4a9pjh4kx32mn4g0-etc...
/var/lib/certbot/renew-certificates may need to be run
creating nginx log directory '/var/log/nginx'
creating nginx run directory '/var/run/nginx'
creating nginx temp directories '/var/run/nginx/{client_body,proxy,fastcgi,uwsgi,scgi}_temp'
nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/test.sama.re/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/test.sama.re/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /gnu/store/chpw631djay2w39x7agg8zz53iayy4zy-nginx.conf test failed
`/gnu/store/jyxc290q7jyhhpalski0h13h8z9zvnka-openssh-authorized-keys/bricewge' -> `/etc/ssh/authorized_keys.d/bricewge'
The following derivation will be built:
  /gnu/store/qlzbrmpx6wnhzqcpqi9yrbb6xva82kvr-install-bootloader.scm.drv
building /gnu/store/qlzbrmpx6wnhzqcpqi9yrbb6xva82kvr-install-bootloader.scm.drv...
guix system: bootloader successfully installed on '/dev/sda'
The following derivation will be built:
  /gnu/store/ikak44inrnz3b3dx8j8csdakgqafbijn-upgrade-shepherd-services.scm.drv
building /gnu/store/ikak44inrnz3b3dx8j8csdakgqafbijn-upgrade-shepherd-services.scm.drv...
shepherd: Removing service 'dbus-system'...
shepherd: Service dbus-system has been stopped.
shepherd: Done.
shepherd: Service host-name has been started.
shepherd: Service user-homes has been started.
shepherd: Service host-name has been started.
shepherd: Service term-auto could not be started.
shepherd: Service php-fpm has been started.
guix system: warning: exception caught while executing 'start' on service 'nginx':
Throw to key `%exception' with args `("#<&invoke-error program: \"/gnu/store/hn1mvgafkpf5knrnzvwpgpdlzmq553al-nginx-1.19.6/sbin/nginx\" arguments: (\"-c\" \"/gnu/store/chpw631djay2w39x7agg8zz53iayy4zy-nginx.conf\" \"-p\" \"/var/run/nginx\") exit-status: 1 term-signal: #f stop-signal: #f>")'.
guix system: warning: some services could not be upgraded
hint: To allow changes to all the system services to take effect, you will need to reboot.
--8<---------------cut here---------------end--------------->8---

What happens is Nginx won't start because the certificate-related files present in its configuration don't exist, and we can't get a Let's Encrypt certificate from an HTTP-01 challenge without that web server running. NixOS broke that chicken-and-egg problem by generating a self-signed certificate first, after that starting nginx, then requesting a valid Let's Encrypt certificate and finally reloading Nginx. That way we end up with an Nginx server using a Let's Encrypt certificate with no more than a simple system reconfiguration. Note that the initial self-signed certificate will need to be at the path where certbot will put its own certificate.

WDYT?

¹ https://bugs.gnu.org/36389

Cheers,
- Brice

From unknown Tue Jun 17 01:49:18 2025
Subject: bug#46961: [PATCH 0/2] Allow nginx to start before certbot has run
In-Reply-To: <87pn0cy9yv.fsf@waegenei.re>
Resent-From: Carlo Zancanaro
To: 46961@debbugs.gnu.org
Resent-Date: Wed, 24 Jan 2024 12:57:01 +0000
From: Carlo Zancanaro
Date: Wed, 24 Jan 2024 23:18:36 +1100

From time to time people have issues with setting up a new system with certbot generating certificates for an nginx server. The issue is that nginx won't start without being able to load certificates, but certbot can't generate certificates (through the default HTTP challenge) without a running nginx server. Breaking this has generally required two reconfigures: one with nginx configured without loading certificates, and then a second reconfigure after running certbot to add the certificate configuration.

This is a bit of a pain, so I've made Guix generate a self-signed certificate to allow nginx to start before certbot has run. Unfortunately, I couldn't put the certificates in the same location as certbot, because certbot is very particular about its directories not existing when it requests a certificate for the first time. Rather than try to convince it to do what I wanted, I opted to add another level of indirection and move certificates to /etc/certs/. This is backwards compatible, because the old /etc/letsencrypt/live/ is maintained by certbot. The only real difference is for the initial bootstrapping of a certificate.
Carlo Zancanaro (2):
  services: certbot: Symlink certificates to /etc/certs
  services: certbot: Create self-signed certificates before certbot runs

 doc/guix.texi            | 32 +++++++++------
 gnu/services/certbot.scm | 86 ++++++++++++++++++++++++++++++++++++++--
 2 files changed, 102 insertions(+), 16 deletions(-)

base-commit: ffc5fefce370f5fc01091869e13fdf525be1e0c0
--
2.41.0

From unknown Tue Jun 17 01:49:18 2025
Subject: bug#46961: [PATCH 1/2] services: certbot: Symlink certificates to /etc/certs
Resent-From: Carlo Zancanaro
To: 46961@debbugs.gnu.org
Resent-Date: Wed, 24 Jan 2024 12:57:02 +0000
From: Carlo Zancanaro
Date: Wed, 24 Jan 2024 23:18:37 +1100
Message-ID: <10c7ceff68855e611357aca7c1729e312a5410d9.1706098718.git.carlo@zancanaro.id.au>

* gnu/services/certbot.scm (certbot-deploy-hook): New procedure.
(certbot-command): Pass new deploy hook to certbot.
* doc/guix.texi: Replace "letsencrypt/live" with "certs" throughout.
--- doc/guix.texi | 26 +++++++++++++------------- gnu/services/certbot.scm | 34 ++++++++++++++++++++++++++++++++-- 2 files changed, 45 insertions(+), 15 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index a6187690bb..2d43ab9a65 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -43,7 +43,7 @@ Copyright @copyright{} 2017, 2018, 2019 Clément Lassieur@* Copyright @copyright{} 2017, 2018, 2020, 2021, 2022 Mathieu Othacehe@* Copyright @copyright{} 2017 Federico Beffa@* -Copyright @copyright{} 2017, 2018 Carlo Zancanaro@* +Copyright @copyright{} 2017, 2018, 2024 Carlo Zancanaro@* Copyright @copyright{} 2017 Thomas Danckaert@* Copyright @copyright{} 2017 humanitiesNerd@* Copyright @copyright{} 2017, 2021 Christine Lemmer-Webber@* @@ -28117,7 +28117,7 @@ Messaging Services them. See @url{https://prosody.im/doc/letsencrypt}. @example -prosodyctl --root cert import /etc/letsencrypt/live +prosodyctl --root cert import /etc/certs @end example The available configuration parameters follow. Each parameter
@@ -28820,8 +28820,8 @@ Telephony Services (welcome-text "Welcome to this Mumble server running on Guix!") (cert-required? #t) ;disallow text password logins - (ssl-cert "/etc/letsencrypt/live/mumble.example.com/fullchain.pem") - (ssl-key "/etc/letsencrypt/live/mumble.example.com/privkey.pem"))) + (ssl-cert "/etc/certs/mumble.example.com/fullchain.pem") + (ssl-key "/etc/certs/mumble.example.com/privkey.pem"))) @end lisp After reconfiguring your system, you can manually set the mumble-server @@ -28939,12 +28939,12 @@ Telephony Services File name of the SSL/TLS certificate used for encrypted connections. @lisp -(ssl-cert "/etc/letsencrypt/live/example.com/fullchain.pem") +(ssl-cert "/etc/certs/example.com/fullchain.pem") @end lisp @item @code{ssl-key} (default: @code{#f}) Filepath to the ssl private key used for encrypted connections. @lisp -(ssl-key "/etc/letsencrypt/live/example.com/privkey.pem") +(ssl-key "/etc/certs/example.com/privkey.pem") @end lisp @item @code{ssl-dh-params} (default: @code{#f}) @@ -32659,7 +32659,7 @@ Certificate Services Command to be run in a shell once for each successfully issued certificate. For this command, the shell variable @code{$RENEWED_LINEAGE} will point to the config live subdirectory (for -example, @samp{"/etc/letsencrypt/live/example.com"}) containing the new +example, @samp{"/etc/certs/example.com"}) containing the new certificates and keys; the shell variable @code{$RENEWED_DOMAINS} will contain a space-delimited list of renewed certificate domains (for example, @samp{"example.com www.example.com"}. 
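Review bot: the @samp{"/etc/certs/example.com"} replacement in the @code{$RENEWED_LINEAGE} paragraph (hunk @@ -32659) is wrong: that variable is set by certbot itself and still points at the live directory, @samp{"/etc/letsencrypt/live/example.com"}, when the user's deploy hook runs; the new certbot-deploy-hook wrapper only creates the /etc/certs symlinks and then invokes the user script without rewriting the variable. Keep the original path in this sentence and, if the symlinked location is worth mentioning, add a separate sentence saying the same files are reachable under @file{/etc/certs/@var{name}}.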
@@ -32668,8 +32668,8 @@ Certificate Services @end deftp For each @code{certificate-configuration}, the certificate is saved to -@code{/etc/letsencrypt/live/@var{name}/fullchain.pem} and the key is -saved to @code{/etc/letsencrypt/live/@var{name}/privkey.pem}. +@code{/etc/certs/@var{name}/fullchain.pem} and the key is +saved to @code{/etc/certs/@var{name}/privkey.pem}. @node DNS Services @subsection DNS Services @cindex DNS (domain name system) @@ -37355,9 +37355,9 @@ Version Control Services (listen '("443 ssl")) (server-name "git.my-host.org") (ssl-certificate - "/etc/letsencrypt/live/git.my-host.org/fullchain.pem") + "/etc/certs/git.my-host.org/fullchain.pem") (ssl-certificate-key - "/etc/letsencrypt/live/git.my-host.org/privkey.pem") + "/etc/certs/git.my-host.org/privkey.pem") (locations (list (git-http-nginx-location-configuration @@ -38482,9 +38482,9 @@ Version Control Services (nginx-server-block (nginx-server-configuration (ssl-certificate - "/etc/letsencrypt/live/myweb.site/fullchain.pem") + "/etc/certs/myweb.site/fullchain.pem") (ssl-certificate-key - "/etc/letsencrypt/live/myweb.site/privkey.pem") + "/etc/certs/myweb.site/privkey.pem") (listen '("443 ssl http2" "[::]:443 ssl http2")) (locations (list diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm index 0c45471659..58e709f8a4 100644 --- a/gnu/services/certbot.scm +++ b/gnu/services/certbot.scm @@ -6,6 +6,7 @@ ;;; Copyright © 2020 Jack Hill ;;; Copyright © 2020 Tobias Geerinckx-Rice ;;; Copyright © 2021 Raghav Gururajan +;;; Copyright © 2024 Carlo Zancanaro ;;; ;;; This file is part of GNU Guix. ;;; 
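Review bot: in hunk @@ -32668, "the certificate is saved to @code{/etc/certs/@var{name}/fullchain.pem}" is misleading once this patch is applied: the files under /etc/certs/@var{name} are symlinks created by the deploy hook, and the real files stay under /etc/letsencrypt/live/@var{name}. Say that the certificate is saved under the letsencrypt directory and linked from /etc/certs/@var{name}; anyone backing up, chowning or bind-mounting these paths needs to know which one holds the actual files.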
@@ -87,6 +88,35 @@ (define-record-type* (body (list "return 301 https://$host$request_uri;")))))) +(define (certbot-deploy-hook name deploy-hook-script) + "Returns a gexp which creates symlinks for privkey.pem and fullchain.pem +from /etc/certs/NAME to /etc/letsenctypt/live/NAME. If DEPLOY-HOOK-SCRIPT is +not #f then it is run after the symlinks have been created." + (program-file + (string-append name "-deploy-hook") + (with-imported-modules '((guix build utils)) + #~(begin + (use-modules (guix build utils)) + (mkdir-p #$(string-append "/etc/certs/" name)) + (chmod #$(string-append "/etc/certs/" name) #o755) + + ;; Create new symlinks + (symlink #$(string-append + "/etc/letsencrypt/live/" name "/privkey.pem") + #$(string-append "/etc/certs/" name "/privkey.pem.new")) + (symlink #$(string-append + "/etc/letsencrypt/live/" name "/fullchain.pem") + #$(string-append "/etc/certs/" name "/fullchain.pem.new")) + + ;; Rename over the top of the old ones, if there are any. + (rename-file #$(string-append "/etc/certs/" name "/privkey.pem.new") + #$(string-append "/etc/certs/" name "/privkey.pem")) + (rename-file #$(string-append "/etc/certs/" name "/fullchain.pem.new") + #$(string-append "/etc/certs/" name "/fullchain.pem")) + #$@(if deploy-hook-script + (list #~(invoke #$deploy-hook-script)) + '()))))) + (define certbot-command (match-lambda (($ package webroot certificates email @@ -118,7 +148,7 @@ (define certbot-command `("--manual-auth-hook" ,authentication-hook) '()) (if cleanup-hook `("--manual-cleanup-hook" ,cleanup-hook) '()) - (if deploy-hook `("--deploy-hook" ,deploy-hook) '())) + (list "--deploy-hook" (certbot-deploy-hook name deploy-hook))) (append (list name certbot "certonly" "-n" "--agree-tos" "--webroot" "-w" webroot 
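Review bot: in certbot-deploy-hook the two `symlink` calls will throw if a `privkey.pem.new` or `fullchain.pem.new` link is left behind by a run that died between `symlink` and `rename-file`, and from then on every renewal's deploy hook fails before the user's script is reached; remove the `.new` names first (for instance `(false-if-exception (delete-file ...))`) or create the links under a fresh temporary name. Two smaller points in the same hunk: the docstring spells the target directory "/etc/letsenctypt/live", and because the directory is created 0755 the confidentiality of `/etc/certs/NAME/privkey.pem` rests entirely on the permissions of the file it points to under /etc/letsencrypt, which is worth stating in the docstring. On the second hunk (and the identical change in the other `certbot-command` branch): certbot runs `--deploy-hook` only after a successful issuance, so on an existing install with a still-valid certificate the /etc/certs symlinks will not exist until renewal is due; a user who switches their nginx paths to /etc/certs as the updated manual now suggests gets a missing file until then. Consider having the activation create the symlinks immediately when /etc/letsencrypt/live/NAME already exists.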
@@ -130,7 +160,7 @@ (define certbot-command '("--register-unsafely-without-email")) (if server `("--server" ,server) '()) (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '()) - (if deploy-hook `("--deploy-hook" ,deploy-hook) '())))))) + (list "--deploy-hook" (certbot-deploy-hook name deploy-hook))))))) certificates))) (program-file "certbot-command" -- 2.41.0

From unknown Tue Jun 17 01:49:18 2025
Subject: bug#46961: [PATCH 2/2] services: certbot: Create self-signed certificates before certbot runs
Resent-From: Carlo Zancanaro
To: 46961@debbugs.gnu.org
Resent-Date: Wed, 24 Jan 2024 12:57:02 +0000
From: Carlo Zancanaro
Date: Wed, 24 Jan 2024 23:18:38 +1100
Message-ID: <788b23efd206b4ef627de06236f868f97e3cbe05.1706098718.git.carlo@zancanaro.id.au>

* gnu/services/certbot.scm (): Add start-self-signed? field.
(generate-certificate-gexp): New procedure.
(certbot-activation): Generate self-signed certificates when start-self-signed? is #t.
* doc/guix.texi (Certificate services): Document start-self-signed?.
--- doc/guix.texi | 6 +++++ gnu/services/certbot.scm | 56 +++++++++++++++++++++++++++++++++++++--- 2 files changed, 59 insertions(+), 3 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index 2d43ab9a65..15b256d0a3 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -32664,6 +32664,12 @@ Certificate Services contain a space-delimited list of renewed certificate domains (for example, @samp{"example.com www.example.com"}. +@item @code{start-self-signed?} (default: @code{#t}) +Whether to generate an initial self-signed certificate during system +activation. This option is particularly useful to allow @code{nginx} to +start before @code{certbot} has run, because @code{certbot} relies on +@code{nginx} running to perform HTTP challenges. + @end table @end deftp diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm index 58e709f8a4..bb321a1b50 100644 --- a/gnu/services/certbot.scm +++ b/gnu/services/certbot.scm
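Review bot: the new @code{start-self-signed?} entry (hunk @@ -32664) leaves out what the option needs in order to help: the placeholder is written to @file{/etc/certs/@var{name}}, so it only lets @code{nginx} start if the server block points at that path rather than at @file{/etc/letsencrypt/live}. It should also say that the placeholder is self-signed, valid for one day, and replaced by the real certificate on certbot's first successful issuance, so that an administrator who sees a self-signed warning on a fresh system knows that is expected.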
@@ -64,7 +64,9 @@ (define-record-type* (cleanup-hook certificate-cleanup-hook (default #f)) (deploy-hook certificate-configuration-deploy-hook - (default #f))) + (default #f)) + (start-self-signed? certificate-configuration-start-self-signed? + (default #t))) (define-record-type* certbot-configuration make-certbot-configuration @@ -91,7 +93,10 @@ (define-record-type* (define (certbot-deploy-hook name deploy-hook-script) "Returns a gexp which creates symlinks for privkey.pem and fullchain.pem from /etc/certs/NAME to /etc/letsenctypt/live/NAME. If DEPLOY-HOOK-SCRIPT is -not #f then it is run after the symlinks have been created." +not #f then it is run after the symlinks have been created. This wrapping is +necessary for certificates with start-self-signed? set to #t, as it will +overwrite the initial self-signed certificates upon the first successful +deploy." (program-file (string-append name "-deploy-hook") (with-imported-modules '((guix build utils)) @@ -108,7 +113,8 @@ (define (certbot-deploy-hook name deploy-hook-script) "/etc/letsencrypt/live/" name "/fullchain.pem") #$(string-append "/etc/certs/" name "/fullchain.pem.new")) - ;; Rename over the top of the old ones, if there are any. + ;; Rename over the top of the old ones, just in case they were the + ;; original self-signed certificates. (rename-file #$(string-append "/etc/certs/" name "/privkey.pem.new") #$(string-append "/etc/certs/" name "/privkey.pem")) (rename-file #$(string-append "/etc/certs/" name "/fullchain.pem.new") 
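Review bot: defaulting `start-self-signed?` to #t (hunk @@ -64) changes behaviour for every existing certbot user on their next reconfigure: activation will generate a one-day self-signed key pair in /etc/certs/NAME whenever that directory is absent, which on an existing install it always is, and nothing replaces it until certbot next issues a certificate, since the symlink swap only happens in the deploy hook. Either default to #f, or make the generator skip when /etc/letsencrypt/live/NAME already exists and create the symlinks right away instead. The docstring change in hunk @@ -91 is also slightly off: the wrapper is now used for every certificate because `--deploy-hook` is passed unconditionally; only the "overwrites the initial self-signed certificates" part is specific to `start-self-signed?`.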
@@ -182,6 +188,44 @@ (define (certbot-renewal-jobs config) #~(job '(next-minute-from (next-hour '(0 12)) (list (random 60))) #$(certbot-command config)))) +(define (generate-certificate-gexp certbot-cert-directory rsa-key-size) + (match-lambda + (($ name (primary-domain other-domains ...) challenge + csr authentication-hook + cleanup-hook deploy-hook) + (let (;; Arbitrary default subject, with just the + ;; right domain filled in. These values don't + ;; have any real significance. + (subject (string-append "/C=US/ST=Oregon/L=Portland/O=Company Name/OU=Org/CN=" + primary-domain)) + (alt-names (if (null? other-domains) + #f + (format #f "subjectAltName=~{DNS:~a~^,~}" other-domains))) + (directory (string-append "/etc/certs/" (or name primary-domain)))) + #~(begin + (use-modules (ice-9 format)) + (when (not (file-exists? #$directory)) + ;; Due to the way certbot runs, we need to + ;; create the self-signed certificates in the + ;; archive folder and symlink them into the live + ;; folder. This mimics what certbot does well + ;; enough to make acquiring new certificates + ;; work. + (mkdir-p #$directory) + (chmod #$directory #o755) + (invoke #$(file-append openssl "/bin/openssl") + "req" "-x509" + "-newkey" #$(string-append "rsa:" (or rsa-key-size "4096")) + "-keyout" #$(string-append directory "/privkey.pem") + "-out" #$(string-append directory "/fullchain.pem") + "-sha256" + "-days" "1" ; Only one day, because we expect certbot to run + "-nodes" + "-subj" #$subject + #$@(if alt-names + (list "-addext" alt-names) + (list))))))))) + (define (certbot-activation config) (let* ((certbot-directory "/var/lib/certbot") (certbot-cert-directory "/etc/letsencrypt/live") 
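Review bot: in generate-certificate-gexp the subjectAltName is built from `other-domains` only, so the primary domain never appears in the SAN and a single-domain certificate gets no SAN at all; TLS clients match the host name against the SAN and ignore CN, so the placeholder fails host-name validation even within its one-day lifetime. Build it from every domain, e.g. `(format #f "subjectAltName=~{DNS:~a~^,~}" (cons primary-domain other-domains))`, and drop the `(if (null? other-domains) ...)` branch. Also in this hunk: the "archive folder ... symlink them into the live folder" comment no longer describes the code, which writes straight into /etc/certs (the author has already noted this); `(use-modules (ice-9 format))` inside the gexp is unused because `format` runs on the host side; `mkdir-p` and `invoke` need `(guix build utils)` among the activation gexp's imported modules, so check that certbot-activation already provides it; and since the directory is 0755, verify that the `-keyout` file ends up mode 0600, because that is all that keeps the placeholder key private.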
@@ -196,6 +240,12 @@ (define (certbot-activation config) (mkdir-p #$webroot) (mkdir-p #$certbot-directory) (mkdir-p #$certbot-cert-directory) + + #$@(map (generate-certificate-gexp certbot-cert-directory + (and rsa-key-size (number->string rsa-key-size))) + (filter certificate-configuration-start-self-signed? + certificates)) + (copy-file #$(certbot-command config) #$script) (display #$message))))))) -- 2.41.0

From unknown Tue Jun 17 01:49:18 2025
Subject: bug#46961: [PATCH 2/2] services: certbot: Create self-signed certificates before certbot runs
Resent-From: Carlo Zancanaro
Cc: 46961@debbugs.gnu.org
Resent-Date: Wed, 24 Jan 2024 13:07:02 +0000
From: Carlo Zancanaro
Date: Thu, 25 Jan 2024 00:01:32 +1100
In-reply-to: <788b23efd206b4ef627de06236f868f97e3cbe05.1706098718.git.carlo@zancanaro.id.au>
Message-ID: <871qa6q3si.fsf@zancanaro.id.au>

On Wed, Jan 24 2024, Carlo Zancanaro wrote:

> + ;; Due to the way certbot runs, we need to
> + ;; create the self-signed certificates in the
> + ;; archive folder and symlink them into the live
> + ;; folder. This mimics what certbot does well
> + ;; enough to make acquiring new certificates
> + ;; work.

Gah, this comment is from a previous iteration. It turns out it didn't work as well as I thought it did. I'm happy to update this comment, but I won't do that until I've heard back about the more substantive aspects of the change.

I'm also happy for whoever merges this to change this comment appropriately.

From unknown Tue Jun 17 01:49:18 2025
Subject: bug#46961: Nginx and certbot services don't play well together
Resent-From: Clément Lassieur
To: Carlo Zancanaro
Cc: 46961@debbugs.gnu.org
Resent-Date: Mon, 29 Jan 2024 19:25:02 +0000
From: Clément Lassieur
In-Reply-To: <788b23efd206b4ef627de06236f868f97e3cbe05.1706098718.git.carlo@zancanaro.id.au> (Carlo Zancanaro's message of "Wed, 24 Jan 2024 23:18:38 +1100")
Date: Mon, 29 Jan 2024 20:23:58 +0100
Message-ID: <878r483pv5.fsf_-_@lassieur.org>

Hi Carlo,

On Wed, Jan 24 2024, Carlo Zancanaro wrote:

> * gnu/services/certbot.scm (): Add
> start-self-signed? field.
> (generate-certificate-gexp): New procedure.
> (certbot-activation): Generate self-signed certificates when
> start-self-signed? is #t.
> * doc/guix.texi (Certificate services): Document start-self-signed?.
> ---
> doc/guix.texi | 6 +++++
> gnu/services/certbot.scm | 56 +++++++++++++++++++++++++++++++++++++---
> 2 files changed, 59 insertions(+), 3 deletions(-)

This is great, thank you! I tested it, it worked. Could you please just make sure lines fit within 80 columns?

And there is a warning during compilation, pasted below.

Would it make sense now to run ‘update-certificates’ at end of the activation stuff?

And would it make sense to reload nginx after ‘update-certificates’ is run?

Clément

> diff --git a/doc/guix.texi b/doc/guix.texi
> index 2d43ab9a65..15b256d0a3 100644
> --- a/doc/guix.texi
> +++ b/doc/guix.texi
> @@ -32664,6 +32664,12 @@ Certificate Services > contain a space-delimited list of renewed certificate domains (for > example, @samp{"example.com www.example.com"}. >=20=20 > +@item @code{start-self-signed?} (default: @code{#t}) > +Whether to generate an initial self-signed certificate during system > +activation. This option is particularly useful to allow @code{nginx} to > +start before @code{certbot} has run, because @code{certbot} relies on > +@code{nginx} running to perform HTTP challenges. > + > @end table > @end deftp >=20=20 > diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm > index 58e709f8a4..bb321a1b50 100644 > --- a/gnu/services/certbot.scm > +++ b/gnu/services/certbot.scm > @@ -64,7 +64,9 @@ (define-record-type* > (cleanup-hook certificate-cleanup-hook > (default #f)) > (deploy-hook certificate-configuration-deploy-hook > - (default #f))) > + (default #f)) > + (start-self-signed? certificate-configuration-start-self-signed? > + (default #t))) >=20=20 > (define-record-type* > certbot-configuration make-certbot-configuration > @@ -91,7 +93,10 @@ (define-record-type* > (define (certbot-deploy-hook name deploy-hook-script) > "Returns a gexp which creates symlinks for privkey.pem and fullchain.p= em > from /etc/certs/NAME to /etc/letsenctypt/live/NAME. If DEPLOY-HOOK-SCRI= PT is > -not #f then it is run after the symlinks have been created." > +not #f then it is run after the symlinks have been created. This wrappi= ng is > +necessary for certificates with start-self-signed? set to #t, as it will > +overwrite the initial self-signed certificates upon the first successful > +deploy." > (program-file > (string-append name "-deploy-hook") > (with-imported-modules '((guix build utils)) 
> @@ -108,7 +113,8 @@ (define (certbot-deploy-hook name deploy-hook-script) > "/etc/letsencrypt/live/" name "/fullchain.pem") > #$(string-append "/etc/certs/" name "/fullchain.pem.ne= w")) >=20=20 > - ;; Rename over the top of the old ones, if there are any. > + ;; Rename over the top of the old ones, just in case they were = the > + ;; original self-signed certificates. > (rename-file #$(string-append "/etc/certs/" name "/privkey.pem.= new") > #$(string-append "/etc/certs/" name "/privkey.pem"= )) > (rename-file #$(string-append "/etc/certs/" name "/fullchain.pe= m.new") 
> @@ -182,6 +188,44 @@ (define (certbot-renewal-jobs config) > #~(job '(next-minute-from (next-hour '(0 12)) (list (random 60))) > #$(certbot-command config)))) >=20=20 > +(define (generate-certificate-gexp certbot-cert-directory rsa-key-size) > + (match-lambda > + (($ name (primary-domain other-domains .= ..) challenge > + csr authentication-hook > + cleanup-hook deploy-hook) > + (let (;; Arbitrary default subject, with just the > + ;; right domain filled in. These values don't > + ;; have any real significance. > + (subject (string-append "/C=3DUS/ST=3DOregon/L=3DPortland/O= =3DCompany Name/OU=3DOrg/CN=3D" > + primary-domain)) > + (alt-names (if (null? other-domains) > + #f > + (format #f "subjectAltName=3D~{DNS:~a~^,~}" ot= her-domains))) gnu/services/certbot.scm:203:26: warning: "subjectAltName=3D~{DNS:~a~^,~}":= unsupported format option ~{, use (ice-9 format) instead > + (directory (string-append "/etc/certs/" (or name primary-doma= in)))) > + #~(begin > + (use-modules (ice-9 format)) > + (when (not (file-exists? #$directory)) > + ;; Due to the way certbot runs, we need to > + ;; create the self-signed certificates in the > + ;; archive folder and symlink them into the live > + ;; folder. This mimics what certbot does well > + ;; enough to make acquiring new certificates > + ;; work. In another mail you say it doesn't work as well as you thought it did? What doesn't work? 
> + (mkdir-p #$directory) > + (chmod #$directory #o755) > + (invoke #$(file-append openssl "/bin/openssl") > + "req" "-x509" > + "-newkey" #$(string-append "rsa:" (or rsa-key-size = "4096")) > + "-keyout" #$(string-append directory "/privkey.pem") > + "-out" #$(string-append directory "/fullchain.pem") > + "-sha256" > + "-days" "1" ; Only one day, because we expect certb= ot to run > + "-nodes" > + "-subj" #$subject > + #$@(if alt-names > + (list "-addext" alt-names) > + (list))))))))) > + > (define (certbot-activation config) > (let* ((certbot-directory "/var/lib/certbot") > (certbot-cert-directory "/etc/letsencrypt/live") 
> @@ -196,6 +240,12 @@ (define (certbot-activation config) > (mkdir-p #$webroot) > (mkdir-p #$certbot-directory) > (mkdir-p #$certbot-cert-directory) > + > + #$@(map (generate-certificate-gexp certbot-cert-directory > + (and rsa-key-size (numbe= r->string rsa-key-size))) > + (filter certificate-configuration-start-self-signed? > + certificates)) > + > (copy-file #$(certbot-command config) #$script) > (display #$message)))))))

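Review bot: in the @@ -182,6 +188,44 @@ hunk the `(when (not (file-exists? #$directory)) ...)` guard keys placeholder generation on the directory rather than on the two files it is meant to produce, and `mkdir-p` runs before `invoke`, so if `openssl` fails once (or the deploy hook, which creates `/etc/certs/NAME` before its symlinks, left the directory without files) every later activation skips generation and nginx still cannot start; testing for `privkey.pem` and `fullchain.pem` individually would be more robust. In the same hunk the directory is made `#o755` while the mode of the key written with `-keyout` is left to openssl and the umask; an explicit `(chmod ... #o600)` on `privkey.pem` after the `invoke` would state that requirement in the code.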
From: Clément Lassieur
In-Reply-To: <788b23efd206b4ef627de06236f868f97e3cbe05.1706098718.git.carlo@zancanaro.id.au> (Carlo Zancanaro's message of "Wed, 24 Jan 2024 23:18:38 +1100")
Date: Mon, 29 Jan 2024 20:28:29 +0100
Message-ID: <875xzc3pnm.fsf_-_@lassieur.org>

Also, I forgot, I think it would be great to have somewhere in the doc an example of a minimal config.scm that works. I know we can't do proper testing because we depend on the certbot service, but that would make it easier for a lot of people to test it. Maybe such an example is already in the docs and I haven't seen it, though.
Here is the one I used:

--8<---------------cut here---------------start------------->8---
(use-modules (gnu) (gnu tests))
(use-package-modules web)
(use-service-modules certbot networking web)

(operating-system
  (inherit %simple-os)
  (services
   (cons* (service dhcp-client-service-type)
          (service nginx-service-type
                   (nginx-configuration
                    (server-blocks
                     (list (nginx-server-configuration
                            (listen '("443 ssl"))
                            (server-name '("test.lassieur.org"))
                            (ssl-certificate
                             "/etc/certs/test.lassieur.org/fullchain.pem")
                            (ssl-certificate-key
                             "/etc/certs/test.lassieur.org/privkey.pem"))))))
          (service certbot-service-type
                   (certbot-configuration
                    (certificates
                     (list (certificate-configuration
                            (domains '("test.lassieur.org")))))))
          %base-services)))
--8<---------------cut here---------------end--------------->8---

From: Carlo Zancanaro
In-Reply-To: <878r483pv5.fsf_-_@lassieur.org> (Clément Lassieur's message of "Mon, 29 Jan 2024 20:23:58 +0100")
Date: Tue, 30 Jan 2024 10:02:06 +1100
Message-ID: <87il3bd9qp.fsf@zancanaro.id.au>

Hi Clément,

Thanks for taking the time to review my change. I've responded inline below.

On Mon, Jan 29 2024, Clément Lassieur wrote:

> This is great, thank you! I tested it, it worked. Could you please
> just make sure lines fit within 80 columns?

Yep, no worries.

> Would it make sense now to run ‘update-certificates’ at end of the
> activation stuff?

We can't run it during activation, because nginx won't have started yet. However, I am planning a follow-up to add a one-shot service to run certbot after nginx starts. I'll see if I can add it to this series, but if I run into any issues I'll leave it for later.

> And would it make sense to reload nginx after ‘update-certificates’ is
> run?

This would be a sensible default. There is an example in the manual of configuring certbot to reload nginx, so this should be straightforward to add.

> gnu/services/certbot.scm:203:26: warning: "subjectAltName=~{DNS:~a~^,~}": unsupported format option ~{, use (ice-9 format) instead

Ha! I import (ice-9 format), but within the gexp (and then I don't use it, whoops!). Must be a leftover from a previous iteration. I'll fix this up.
>> + ;; Due to the way certbot runs, we need to
>> + ;; create the self-signed certificates in the
>> + ;; archive folder and symlink them into the live
>> + ;; folder. This mimics what certbot does well
>> + ;; enough to make acquiring new certificates
>> + ;; work.
>
> In another mail you say it doesn't work as well as you thought it did?
> What doesn't work?

This comment doesn't describe the code any more. In my first attempt I was trying to generate certificates in /etc/letsencrypt/live/ and get certbot to write over them when it ran. Unfortunately, it refused to do so. I then tried writing to /etc/letsencrypt/archive/ and symlinking into /etc/letsencrypt/live/ (which is what this comment describes), but that also failed. Certbot refuses to write over any existing files when fetching a certificate.

It looks like other acme clients might be happier to overwrite existing files, but changing away from certbot seemed like more work than adding a deploy hook to do what we need.

I'll follow up with a v2 of this patch when I get a chance.
Carlo

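The /etc/certs scheme Carlo describes above (a placeholder that the deploy hook later replaces with symlinks into /etc/letsencrypt/live), as an added Python example that is not part of the patches or of anyone's message in this thread. It assumes scratch directories and constructed dummy PEM text in place of openssl output and certbot's lineage, and goes slightly beyond the patch by refusing to swap when certbot's files are absent, tolerating a stale .new link, and reporting which of the two states a host is in.

```python
"""Added example, not code from the Guix patches: the /etc/certs indirection
discussed in this thread, so the placeholder-then-symlink swap can be run in
a scratch tree.  bootstrap_placeholder() stands in for the activation step
(self-signed regular files so nginx can start), deploy_hook() for the
--deploy-hook wrapper (symlinks into live/NAME renamed over the placeholder)
and cert_state() for an operator's check of which of the two is being served.
Key material is constructed dummy text; openssl is not invoked here."""
import os
import stat
import tempfile

FILES = ("privkey.pem", "fullchain.pem")


def bootstrap_placeholder(certs_dir, name, key_pem, chain_pem):
    """Write placeholder key/cert into CERTS_DIR/NAME unless both exist; tests
    the files, not the directory, so a half-populated directory is repaired."""
    target = os.path.join(certs_dir, name)
    os.makedirs(target, mode=0o755, exist_ok=True)
    if all(os.path.lexists(os.path.join(target, f)) for f in FILES):
        return False
    key_path = os.path.join(target, "privkey.pem")
    # The directory is world-readable (0755); the key must not be.
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(key_pem)
    os.chmod(key_path, 0o600)  # independent of the caller's umask
    with open(os.path.join(target, "fullchain.pem"), "w") as fh:
        fh.write(chain_pem)
    return True


def deploy_hook(certs_dir, live_dir, name, user_hook=None):
    """Replace CERTS_DIR/NAME/* with symlinks to LIVE_DIR/NAME/*.  Each link is
    created as ".new" and renamed over the old entry: rename(2) is atomic, so
    nginx never sees a missing file.  USER_HOOK (e.g. nginx reload) runs last."""
    target = os.path.join(certs_dir, name)
    sources = {f: os.path.join(live_dir, name, f) for f in FILES}
    for src in sources.values():  # verify certbot's output before touching anything
        if not os.path.isfile(src):
            raise FileNotFoundError("certbot did not produce " + src)
    os.makedirs(target, mode=0o755, exist_ok=True)
    for f, src in sources.items():
        tmp = os.path.join(target, f + ".new")
        if os.path.lexists(tmp):  # stale leftover from an interrupted run
            os.remove(tmp)
        os.symlink(src, tmp)
        os.rename(tmp, os.path.join(target, f))
    if user_hook is not None:
        user_hook(name)


def cert_state(certs_dir, name):
    """'missing', 'self-signed' (placeholder files), 'certbot' (links that
    resolve), 'dangling' (links whose lineage is gone) or 'mixed'."""
    kinds = set()
    for f in FILES:
        p = os.path.join(certs_dir, name, f)
        if not os.path.lexists(p):
            kinds.add("missing")
        elif os.path.islink(p):
            kinds.add("certbot" if os.path.exists(p) else "dangling")
        else:
            kinds.add("self-signed")
    return kinds.pop() if len(kinds) == 1 else "mixed"


def key_is_private(certs_dir, name):
    """True if the key nginx reads (following symlinks) has no group/other bits."""
    mode = os.stat(os.path.join(certs_dir, name, "privkey.pem")).st_mode
    return stat.S_IMODE(mode) & 0o077 == 0


def run_scenario(root=None):
    """Walk a scratch tree through the lifecycle; return the states observed."""
    root = root or tempfile.mkdtemp()
    certs, live = os.path.join(root, "certs"), os.path.join(root, "live")
    name = "example.com"
    states = [cert_state(certs, name)]
    bootstrap_placeholder(certs, name, "PLACEHOLDER KEY", "PLACEHOLDER CERT")
    states.append(cert_state(certs, name))
    states.append("key-private" if key_is_private(certs, name) else "key-exposed")
    try:  # certbot has not run yet: refuse rather than install dangling links
        deploy_hook(certs, live, name)
    except FileNotFoundError:
        states.append("hook-refused")
    os.makedirs(os.path.join(live, name))
    for f in FILES:  # stand-in for what certbot writes under live/NAME
        with open(os.path.join(live, name, f), "w") as fh:
            fh.write("REAL " + f)
    open(os.path.join(certs, name, "privkey.pem.new"), "w").close()  # stale leftover
    reloads = []
    deploy_hook(certs, live, name, user_hook=reloads.append)
    states.append(cert_state(certs, name))
    states.append("reloaded:" + ",".join(reloads))
    with open(os.path.join(certs, name, "fullchain.pem")) as fh:
        states.append(fh.read())  # read through the /etc/certs path
    return states


if __name__ == "__main__":
    print(run_scenario())
```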
From: Clément Lassieur
In-Reply-To: <87il3bd9qp.fsf@zancanaro.id.au> (Carlo Zancanaro's message of "Tue, 30 Jan 2024 10:02:06 +1100")
Date: Tue, 30 Jan 2024 00:19:06 +0100
Message-ID: <87le873ez9.fsf@lassieur.org>

On Tue, Jan 30 2024, Carlo Zancanaro wrote:

>>> + ;; Due to the way certbot runs, we need to
>>> + ;; create the self-signed certificates in the
>>> + ;; archive folder and symlink them into the live
>>> + ;; folder. This mimics what certbot does well
>>> + ;; enough to make acquiring new certificates
>>> + ;; work.
>>
>> In another mail you say it doesn't work as well as you thought it did?
>> What doesn't work?
>
> This comment doesn't describe the code any more. In my first attempt I
> was trying to generate certificates in /etc/letsencrypt/live/ and get
> certbot to write over them when it ran. Unfortunately, it refused to do
> so. I then tried writing to /etc/letsencrypt/archive/ and symlinking
> into /etc/letsencrypt/live/ (which is what this comment describes), but
> that also failed. Certbot refuses to write over any existing files when
> fetching a certificate.

Oh, I read the comment too quickly, I thought it was describing the /etc/certs moving. I suppose you will update it so that it reflects the actual state?

What you did (using /etc/certs, and symlinking stuff in /etc/letsencrypt) is a good idea I think, and it's excellent that it's backward compatible!
> It looks like other acme clients might be happier to overwrite existing
> files, but changing away from certbot seemed like more work than adding
> a deploy hook to do what we need.

Indeed!

> I'll follow up with a v2 of this patch when I get a chance.

Thanks!

> Carlo

Subject: bug#46961: [PATCH v2 0/4] Make certbot play more nicely with nginx
Cc: guix-devel@gnu.org, brice@waegenei.re, clement@lassieur.org
From: Carlo Zancanaro
Date: Tue, 30 Jan 2024 13:26:36 +0000
X-Mailer: git-send-email 2.41.0

Hi Guix,

This patch series is a few changes to make certbot default to doing "the right thing" in the common case of wanting certificates for an nginx web server.

The initial change (in v1 of these patches) was to solve the certbot bootstrapping problem. Nginx won't start without valid certificates, but certbot can't produce certificates without a functional nginx. This is solved by generating self-signed certificates to start with, and then replacing them once certbot has run. Doing this requires storing certificates in a different location (because certbot is very particular). I've chosen /etc/certs/.

The other two changes (new to v2 of this series) make things a bit easier to use: a one-shot shepherd service to renew certificates when the machine starts up, and a default deploy-hook to reload the nginx configuration (which picks up the new certificates). I think these changes make certbot "do the right thing", at the expense of being slightly more magical.

On IRC podiki suggested I should copy guix-devel and Brice (the original bug reporter), so I've done that, too.

Carlo Zancanaro (4):
  services: certbot: Symlink certificates to /etc/certs.
  services: certbot: Create self-signed certificates before certbot runs.
  services: certbot: Add a default deploy hook to reload nginx.
  services: certbot: Add one-shot service to renew certificates.
 doc/guix.texi            |  38 ++++++---
 gnu/services/certbot.scm | 178 ++++++++++++++++++++++++++++++++++++---
 2 files changed, 188 insertions(+), 28 deletions(-)

base-commit: 144c95032e517bb8ce466b930fe91506bcc92b2b
-- 
2.41.0

Subject: bug#46961: [PATCH v2 1/4] services: certbot: Symlink certificates to /etc/certs.
Cc: guix-devel@gnu.org, brice@waegenei.re, clement@lassieur.org
From: Carlo Zancanaro
Date: Tue, 30 Jan 2024 13:26:37 +0000
X-Mailer: git-send-email 2.41.0

* gnu/services/certbot.scm (certbot-deploy-hook): New procedure.
(certbot-command): Pass new deploy hook to certbot.
* doc/guix.texi: Replace "letsencrypt/live" with "certs" throughout.

Change-Id: I2ba5e4903d1e293e566b732a84b07d5a134b697d
---
 doc/guix.texi            | 26 +++++++++++++-------------
 gnu/services/certbot.scm | 36 ++++++++++++++++++++++++++++++++++--
 2 files changed, 47 insertions(+), 15 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi index bb0af26d93..b134d45a16 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -43,7 +43,7 @@ Copyright @copyright{} 2017, 2018, 2019 Clément Lassieur@* Copyright @copyright{} 2017, 2018, 2020, 2021, 2022 Mathieu Othacehe@* Copyright @copyright{} 2017 Federico Beffa@* -Copyright @copyright{} 2017, 2018 Carlo Zancanaro@* +Copyright @copyright{} 2017, 2018, 2024 Carlo Zancanaro@* Copyright @copyright{} 2017 Thomas Danckaert@* Copyright @copyright{} 2017 humanitiesNerd@* Copyright @copyright{} 2017, 2021 Christine Lemmer-Webber@* @@ -28135,7 +28135,7 @@ Messaging Services them. See @url{https://prosody.im/doc/letsencrypt}. @example -prosodyctl --root cert import /etc/letsencrypt/live +prosodyctl --root cert import /etc/certs @end example The available configuration parameters follow. Each parameter
@@ -28846,8 +28846,8 @@ Telephony Services (welcome-text "Welcome to this Mumble server running on Guix!") (cert-required? #t) ;disallow text password logins - (ssl-cert "/etc/letsencrypt/live/mumble.example.com/fullchain.pem") - (ssl-key "/etc/letsencrypt/live/mumble.example.com/privkey.pem"))) + (ssl-cert "/etc/certs/mumble.example.com/fullchain.pem") + (ssl-key "/etc/certs/mumble.example.com/privkey.pem"))) @end lisp After reconfiguring your system, you can manually set the mumble-server @@ -28965,12 +28965,12 @@ Telephony Services File name of the SSL/TLS certificate used for encrypted connections. @lisp -(ssl-cert "/etc/letsencrypt/live/example.com/fullchain.pem") +(ssl-cert "/etc/certs/example.com/fullchain.pem") @end lisp @item @code{ssl-key} (default: @code{#f}) Filepath to the ssl private key used for encrypted connections. @lisp -(ssl-key "/etc/letsencrypt/live/example.com/privkey.pem") +(ssl-key "/etc/certs/example.com/privkey.pem") @end lisp @item @code{ssl-dh-params} (default: @code{#f}) @@ -32685,7 +32685,7 @@ Certificate Services Command to be run in a shell once for each successfully issued certificate. For this command, the shell variable @code{$RENEWED_LINEAGE} will point to the config live subdirectory (for -example, @samp{"/etc/letsencrypt/live/example.com"}) containing the new +example, @samp{"/etc/certs/example.com"}) containing the new certificates and keys; the shell variable @code{$RENEWED_DOMAINS} will contain a space-delimited list of renewed certificate domains (for example, @samp{"example.com www.example.com"}. 
@@ -32694,8 +32694,8 @@ Certificate Services @end deftp For each @code{certificate-configuration}, the certificate is saved to -@code{/etc/letsencrypt/live/@var{name}/fullchain.pem} and the key is -saved to @code{/etc/letsencrypt/live/@var{name}/privkey.pem}. +@code{/etc/certs/@var{name}/fullchain.pem} and the key is +saved to @code{/etc/certs/@var{name}/privkey.pem}. @node DNS Services @subsection DNS Services @cindex DNS (domain name system) @@ -37381,9 +37381,9 @@ Version Control Services (listen '("443 ssl")) (server-name "git.my-host.org") (ssl-certificate - "/etc/letsencrypt/live/git.my-host.org/fullchain.pem") + "/etc/certs/git.my-host.org/fullchain.pem") (ssl-certificate-key - "/etc/letsencrypt/live/git.my-host.org/privkey.pem") + "/etc/certs/git.my-host.org/privkey.pem") (locations (list (git-http-nginx-location-configuration @@ -38508,9 +38508,9 @@ Version Control Services (nginx-server-block (nginx-server-configuration (ssl-certificate - "/etc/letsencrypt/live/myweb.site/fullchain.pem") + "/etc/certs/myweb.site/fullchain.pem") (ssl-certificate-key - "/etc/letsencrypt/live/myweb.site/privkey.pem") + "/etc/certs/myweb.site/privkey.pem") (listen '("443 ssl http2" "[::]:443 ssl http2")) (locations (list diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm index 0c45471659..3926d0551a 100644 --- a/gnu/services/certbot.scm +++ b/gnu/services/certbot.scm @@ -6,6 +6,7 @@ ;;; Copyright © 2020 Jack Hill ;;; Copyright © 2020 Tobias Geerinckx-Rice ;;; Copyright © 2021 Raghav Gururajan +;;; Copyright © 2024 Carlo Zancanaro ;;; ;;; This file is part of GNU Guix. ;;; 
@@ -87,6 +88,35 @@ (define-record-type* (body (list "return 301 https://$host$request_uri;")))))) +(define (certbot-deploy-hook name deploy-hook-script) + "Returns a gexp which creates symlinks for privkey.pem and fullchain.pem +from /etc/certs/NAME to /etc/letsenctypt/live/NAME. If DEPLOY-HOOK-SCRIPT is +not #f then it is run after the symlinks have been created." + (program-file + (string-append name "-deploy-hook") + (with-imported-modules '((guix build utils)) + #~(begin + (use-modules (guix build utils)) + (mkdir-p #$(string-append "/etc/certs/" name)) + (chmod #$(string-append "/etc/certs/" name) #o755) + + ;; Create new symlinks + (symlink #$(string-append + "/etc/letsencrypt/live/" name "/privkey.pem") + #$(string-append "/etc/certs/" name "/privkey.pem.new")) + (symlink #$(string-append + "/etc/letsencrypt/live/" name "/fullchain.pem") + #$(string-append "/etc/certs/" name "/fullchain.pem.new")) + + ;; Rename over the top of the old ones, if there are any. + (rename-file #$(string-append "/etc/certs/" name "/privkey.pem.new") + #$(string-append "/etc/certs/" name "/privkey.pem")) + (rename-file #$(string-append "/etc/certs/" name "/fullchain.pem.new") + #$(string-append "/etc/certs/" name "/fullchain.pem")) + #$@(if deploy-hook-script + (list #~(invoke #$deploy-hook-script)) + '()))))) + (define certbot-command (match-lambda (($ package webroot certificates email @@ -118,7 +148,8 @@ (define certbot-command `("--manual-auth-hook" ,authentication-hook) '()) (if cleanup-hook `("--manual-cleanup-hook" ,cleanup-hook) '()) - (if deploy-hook `("--deploy-hook" ,deploy-hook) '())) + (list "--deploy-hook" + (certbot-deploy-hook name deploy-hook))) (append (list name certbot "certonly" "-n" "--agree-tos" "--webroot" "-w" webroot 
@@ -130,7 +161,8 @@ (define certbot-command '("--register-unsafely-without-email")) (if server `("--server" ,server) '()) (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '()) - (if deploy-hook `("--deploy-hook" ,deploy-hook) '())))))) + (list "--deploy-hook" + (certbot-deploy-hook name deploy-hook))))))) certificates))) (program-file "certbot-command" -- 2.41.0 From unknown Tue Jun 17 01:49:18 2025 X-Loop: help-debbugs@gnu.org Subject: bug#46961: [PATCH v2 2/4] services: certbot: Create self-signed certificates before certbot runs. Resent-From: Carlo Zancanaro Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Tue, 30 Jan 2024 13:35:03 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 46961 X-GNU-PR-Package: guix X-GNU-PR-Keywords: To: 46961@debbugs.gnu.org Cc: guix-devel@gnu.org, brice@waegenei.re, clement@lassieur.org Received: via spool by 46961-submit@debbugs.gnu.org id=B46961.170662164315395 (code B ref 46961); Tue, 30 Jan 2024 13:35:03 +0000 Received: (at 46961) by debbugs.gnu.org; 30 Jan 2024 13:34:03 +0000 Received: from localhost ([127.0.0.1]:34639 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1rUoFX-000408-4d for submit@debbugs.gnu.org; Tue, 30 Jan 2024 08:34:03 -0500 Received: from voltorb.zancanaro.id.au ([45.77.50.64]:48442) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1rUoFP-0003yr-OJ for 46961@debbugs.gnu.org; Tue, 30 Jan 2024 08:33:56 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=k1; bh=6PJHct0hoFmSGXb br6e+/CnuqgTTgnRidsFK81/9tjQ=; h=references:in-reply-to:date:subject: cc:to:from; d=zancanaro.id.au; b=PuBpNEkxJA0RsvB13NA2sVNaJCL9ThbLE2M6o QVj2VVp4XvT35p6+JnamxfTmbp/dvRxiBBPXnf1nWoIOUS11BpuPpCbD+jAfYgRekod2r3 xUU4FF2WU1ehxUtaWLyqQF+VJhK3D7H0NEZ80Z/pYXkNJtHCEPDbtHwMQ4XThiiI= Received: by voltorb.zancanaro.id.au (OpenSMTPD) with ESMTPSA id e67d731a (TLSv1.3:TLS_AES_256_GCM_SHA384:256:NO); Tue, 30 Jan 2024 
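Review bot: in the deploy-hook documentation hunk (@@ -32685), the `$RENEWED_LINEAGE` example should stay `/etc/letsencrypt/live/example.com` rather than become `/etc/certs/example.com`: certbot sets that variable to its own live directory, which is exactly the path the new `certbot-deploy-hook` symlinks from, and the wrapper does not re-export it before running the user's hook, so a hook that reads `$RENEWED_LINEAGE` will still see the letsencrypt path. Either revert that one example or have the wrapper set `RENEWED_LINEAGE` to the `/etc/certs/NAME` path before the `invoke`.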
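Review bot: in the `certbot-deploy-hook` hunk, `symlink` raises EEXIST when `privkey.pem.new` or `fullchain.pem.new` is left behind by an interrupted earlier run, and from then on every renewal's deploy hook fails until the stale link is removed by hand; delete both `.new` names (ignoring a missing file) before the two `symlink` calls so the create-then-`rename-file` swap is idempotent. Two smaller points in the same hunk: the docstring spells the directory "letsenctypt", and the user's hook is started with `invoke`, which executes it directly without a shell, while the manual text changed in this same patch still describes `deploy-hook` as a "Command to be run in a shell"; either run it through `sh -c` or update the documentation to say the value must be an executable program.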
13:33:27 +0000 (UTC) From: Carlo Zancanaro Date: Tue, 30 Jan 2024 13:26:38 +0000 Message-ID: X-Mailer: git-send-email 2.41.0 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Score: -0.0 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) * gnu/services/certbot.scm (): Add start-self-signed? field. (generate-certificate-gexp): New procedure. (certbot-activation): Generate self-signed certificates when start-self-signed? is #t. * doc/guix.texi (Certificate services): Document start-self-signed?. Change-Id: Icfd85ae0c3e29324acbcde6ba283546cf0e27a1d --- doc/guix.texi | 6 ++++ gnu/services/certbot.scm | 62 ++++++++++++++++++++++++++++++++++++++-- 2 files changed, 65 insertions(+), 3 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index b134d45a16..58a65fe0b7 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -32690,6 +32690,12 @@ Certificate Services contain a space-delimited list of renewed certificate domains (for example, @samp{"example.com www.example.com"}. +@item @code{start-self-signed?} (default: @code{#t}) +Whether to generate an initial self-signed certificate during system +activation. This option is particularly useful to allow @code{nginx} to +start before @code{certbot} has run, because @code{certbot} relies on +@code{nginx} running to perform HTTP challenges. + @end table @end deftp diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm index 3926d0551a..10b99f5630 100644 --- a/gnu/services/certbot.scm +++ b/gnu/services/certbot.scm @@ -35,6 +35,7 @@ (define-module (gnu services certbot) #:use-module (guix records) #:use-module (guix gexp) #:use-module (srfi srfi-1) + #:use-module (ice-9 format) #:use-module (ice-9 match) #:export (certbot-service-type certbot-configuration 
@@ -64,7 +65,9 @@ (define-record-type* (cleanup-hook certificate-cleanup-hook (default #f)) (deploy-hook certificate-configuration-deploy-hook - (default #f))) + (default #f)) + (start-self-signed? certificate-configuration-start-self-signed? + (default #t))) (define-record-type* certbot-configuration make-certbot-configuration @@ -91,7 +94,10 @@ (define-record-type* (define (certbot-deploy-hook name deploy-hook-script) "Returns a gexp which creates symlinks for privkey.pem and fullchain.pem from /etc/certs/NAME to /etc/letsenctypt/live/NAME. If DEPLOY-HOOK-SCRIPT is -not #f then it is run after the symlinks have been created." +not #f then it is run after the symlinks have been created. This wrapping is +necessary for certificates with start-self-signed? set to #t, as it will +overwrite the initial self-signed certificates upon the first successful +deploy." (program-file (string-append name "-deploy-hook") (with-imported-modules '((guix build utils)) @@ -108,7 +114,8 @@ (define (certbot-deploy-hook name deploy-hook-script) "/etc/letsencrypt/live/" name "/fullchain.pem") #$(string-append "/etc/certs/" name "/fullchain.pem.new")) - ;; Rename over the top of the old ones, if there are any. + ;; Rename over the top of the old ones, just in case they were the + ;; original self-signed certificates. (rename-file #$(string-append "/etc/certs/" name "/privkey.pem.new") #$(string-append "/etc/certs/" name "/privkey.pem")) (rename-file #$(string-append "/etc/certs/" name "/fullchain.pem.new") 
@@ -184,6 +191,47 @@ (define (certbot-renewal-jobs config) #~(job '(next-minute-from (next-hour '(0 12)) (list (random 60))) #$(certbot-command config)))) +(define (generate-certificate-gexp certbot-cert-directory rsa-key-size) + (match-lambda + (($ name (primary-domain other-domains ...) + challenge + csr authentication-hook + cleanup-hook deploy-hook) + (let (;; Arbitrary default subject, with just the + ;; right domain filled in. These values don't + ;; have any real significance. + (subject (string-append + "/C=US/ST=Oregon/L=Portland/O=Company Name/OU=Org/CN=" + primary-domain)) + (alt-names (if (null? other-domains) + #f + (format #f "subjectAltName=~{DNS:~a~^,~}" + other-domains))) + (directory (string-append "/etc/certs/" (or name primary-domain)))) + #~(when (not (file-exists? #$directory)) + ;; We generate self-signed certificates in /etc/certs/{domain}, + ;; because certbot is very sensitive to its directory + ;; structure. It refuses to write over the top of existing files, + ;; so we need to use a directory outside of its control. + ;; + ;; These certificates are overwritten by the certbot deploy hook + ;; the first time it successfully obtains a letsencrypt-signed + ;; certificate. + (mkdir-p #$directory) + (chmod #$directory #o755) + (invoke #$(file-append openssl "/bin/openssl") + "req" "-x509" + "-newkey" #$(string-append "rsa:" (or rsa-key-size "4096")) + "-keyout" #$(string-append directory "/privkey.pem") + "-out" #$(string-append directory "/fullchain.pem") + "-sha256" + "-days" "1" ; Only one day, because we expect certbot to run + "-nodes" + "-subj" #$subject + #$@(if alt-names + (list "-addext" alt-names) + (list)))))))) + (define (certbot-activation config) (let* ((certbot-directory "/var/lib/certbot") (certbot-cert-directory "/etc/letsencrypt/live") 
@@ -198,6 +246,14 @@ (define (certbot-activation config) (mkdir-p #$webroot) (mkdir-p #$certbot-directory) (mkdir-p #$certbot-cert-directory) + + #$@(let ((rsa-key-size (and rsa-key-size + (number->string rsa-key-size)))) + (map (generate-certificate-gexp certbot-cert-directory + rsa-key-size) + (filter certificate-configuration-start-self-signed? + certificates))) + (copy-file #$(certbot-command config) #$script) (display #$message))))))) -- 2.41.0 From unknown Tue Jun 17 01:49:18 2025 X-Loop: help-debbugs@gnu.org Subject: bug#46961: [PATCH v2 3/4] services: certbot: Add a default deploy hook to reload nginx. Resent-From: Carlo Zancanaro Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Tue, 30 Jan 2024 13:35:03 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 46961 X-GNU-PR-Package: guix X-GNU-PR-Keywords: To: 46961@debbugs.gnu.org Cc: guix-devel@gnu.org, brice@waegenei.re, clement@lassieur.org Received: via spool by 46961-submit@debbugs.gnu.org id=B46961.170662164415402 (code B ref 46961); Tue, 30 Jan 2024 13:35:03 +0000 Received: (at 46961) by debbugs.gnu.org; 30 Jan 2024 13:34:04 +0000 Received: from localhost ([127.0.0.1]:34641 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1rUoFX-00040G-N9 for submit@debbugs.gnu.org; Tue, 30 Jan 2024 08:34:04 -0500 Received: from voltorb.zancanaro.id.au ([45.77.50.64]:48442) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1rUoFR-0003yr-38 for 46961@debbugs.gnu.org; Tue, 30 Jan 2024 08:33:57 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=k1; bh=+IVbxuFNV4gzCer CKJwKlBtHs5M9VdGs4Vx8gX7+aFg=; h=references:in-reply-to:date:subject: cc:to:from; d=zancanaro.id.au; b=rKQjjuacyRsbywmEvDSunmzCrqUK5IupedGeG WuhNJLJDHCvEu1sF6LAW61v/lbWkzUzZHU2GqjAI9d8rtWgEPlrvMJuMP3QM2ZhlieWkTZ md5MqBeWR30NAssaAh9xJEnmEpOPJ1b09P9wEVHhNDqK5VOr7ww7gYIFNcmCbuHc= Received: by voltorb.zancanaro.id.au (OpenSMTPD) with ESMTPSA 
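Review bot: the new `start-self-signed?` documentation says certbot "relies on nginx running to perform HTTP challenges", which overstates the dependency: it comes from this service's use of `--webroot` (visible in `certbot-command`), not from certbot itself, which can answer HTTP challenges with its own listener via `--standalone`. Suggest "because this service's webroot challenge needs nginx to serve the challenge files".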
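Review bot: in the `generate-certificate-gexp` hunk, the `subjectAltName` extension is only added for `other-domains`, so a single-domain certificate is generated with no SAN at all and clients that ignore the CN (current browsers do) will report a hostname mismatch on top of the expected untrusted-issuer error; include `primary-domain` in the `DNS:` list unconditionally. Also consider an explicit `(chmod ... #o600)` on `privkey.pem` after the `invoke`: the hunk sets the directory mode to `#o755` but leaves the key's mode to openssl's defaults, and this directory is the one nginx and other consumers are now pointed at. Minor: the `(when (not (file-exists? #$directory)) ...)` guard keys off the directory rather than the two files, so a directory that exists without certificates (for example after someone deletes them to force regeneration) is silently skipped and nginx then fails to start; `(unless (file-exists? <privkey>) ...)` would be clearer and more robust. `certbot-cert-directory` is accepted as a parameter but never used.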
id b7629d1f (TLSv1.3:TLS_AES_256_GCM_SHA384:256:NO); Tue, 30 Jan 2024 13:33:28 +0000 (UTC) From: Carlo Zancanaro Date: Tue, 30 Jan 2024 13:26:39 +0000 Message-ID: <0816d35e69610090994eb7da45715b4ee366d791.1706621200.git.carlo@zancanaro.id.au> X-Mailer: git-send-email 2.41.0 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Score: -0.0 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) * gnu/services/certbot.scm (%default-deploy-hook): New variable. ()[deploy-hook]: Use it as default deploy hook. * doc/guix.texi (Certificate services): Document new default deploy hook. Change-Id: Ibb10481170a6fda7df72492072b939dd6a6ad176 --- doc/guix.texi | 6 +++++- gnu/services/certbot.scm | 13 +++++++++++-- 2 files changed, 16 insertions(+), 3 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index 58a65fe0b7..0f372a460f 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -32681,7 +32681,7 @@ Certificate Services additionally @code{$CERTBOT_AUTH_OUTPUT} will contain the standard output of the @code{auth-hook} script. -@item @code{deploy-hook} (default: @code{#f}) +@item @code{deploy-hook} (default: @code{%default-deploy-hook}) Command to be run in a shell once for each successfully issued certificate. For this command, the shell variable @code{$RENEWED_LINEAGE} will point to the config live subdirectory (for 
@@ -32690,6 +32690,10 @@ Certificate Services contain a space-delimited list of renewed certificate domains (for example, @samp{"example.com www.example.com"}. +The default deploy hook calls the @code{reload} action of the +@code{nginx} Shepherd service, to reload the newly generated +certificates. + @item @code{start-self-signed?} (default: @code{#t}) Whether to generate an initial self-signed certificate during system activation. This option is particularly useful to allow @code{nginx} to diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm index 10b99f5630..490b9e8d6d 100644 --- a/gnu/services/certbot.scm +++ b/gnu/services/certbot.scm @@ -37,7 +37,8 @@ (define-module (gnu services certbot) #:use-module (srfi srfi-1) #:use-module (ice-9 format) #:use-module (ice-9 match) - #:export (certbot-service-type + #:export (%default-deploy-hook + certbot-service-type certbot-configuration certbot-configuration? certificate-configuration)) @@ -49,6 +50,14 @@ (define-module (gnu services certbot) ;;; Code: +(define %default-deploy-hook + (program-file + "reload-nginx.scm" + (with-imported-modules '((gnu services herd)) + #~(begin + (use-modules (gnu services herd)) + (with-shepherd-action 'nginx ('reload) result result))))) + (define-record-type* certificate-configuration make-certificate-configuration certificate-configuration? 
@@ -65,7 +74,7 @@ (define-record-type* (cleanup-hook certificate-cleanup-hook (default #f)) (deploy-hook certificate-configuration-deploy-hook - (default #f)) + (default %default-deploy-hook)) (start-self-signed? certificate-configuration-start-self-signed? (default #t))) -- 2.41.0 From unknown Tue Jun 17 01:49:18 2025 X-Loop: help-debbugs@gnu.org Subject: bug#46961: [PATCH v2 4/4] services: certbot: Add one-shot service to renew certificates. Resent-From: Carlo Zancanaro Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Tue, 30 Jan 2024 13:35:04 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 46961 X-GNU-PR-Package: guix X-GNU-PR-Keywords: To: 46961@debbugs.gnu.org Cc: guix-devel@gnu.org, brice@waegenei.re, clement@lassieur.org Received: via spool by 46961-submit@debbugs.gnu.org id=B46961.170662164415408 (code B ref 46961); Tue, 30 Jan 2024 13:35:04 +0000 Received: (at 46961) by debbugs.gnu.org; 30 Jan 2024 13:34:04 +0000 Received: from localhost ([127.0.0.1]:34643 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1rUoFY-00040N-4t for submit@debbugs.gnu.org; Tue, 30 Jan 2024 08:34:04 -0500 Received: from voltorb.zancanaro.id.au ([45.77.50.64]:48456) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1rUoFS-0003yx-5D for 46961@debbugs.gnu.org; Tue, 30 Jan 2024 08:33:58 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=k1; bh=gEe//OJ7nP5Hpxm 2WeAsTDEFM1cqlF07cM3xW/J+vog=; h=references:in-reply-to:date:subject: cc:to:from; d=zancanaro.id.au; b=lK+g1snvBC4FppC61H7uU/y/p36YBmafDJknp GXGXa395XK3DK40q68m9BBDPoGc5ARBq/IMiOktKtUGsZVA/gm9ASpGeUb10//DFndSYz0 9FrRsEZ/1hNPAPwR8Cf2GMNEjCTf9WKAsHxTjKd1eCFT2tWAUh8kj6jgu1CbYkS0= Received: by voltorb.zancanaro.id.au (OpenSMTPD) with ESMTPSA id f3a74ae4 (TLSv1.3:TLS_AES_256_GCM_SHA384:256:NO); Tue, 30 Jan 2024 13:33:28 +0000 (UTC) 
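Review bot: `%default-deploy-hook` acts on a Shepherd service literally named `nginx` and returns `result` without inspecting it, so with the new default any `certbot-service-type` user whose certificates feed something other than nginx (the manual's mumble and prosody examples now read from `/etc/certs`) gets a reload attempt against a service that may not exist, and a failure there surfaces only in whatever certbot logs about the hook. Check `result` and report failure explicitly, and state in the `deploy-hook` documentation that setting it to `#f` disables the nginx reload for such setups (the wrapper in `certbot-deploy-hook` already handles `#f`).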
From: Carlo Zancanaro Date: Tue, 30 Jan 2024 13:26:40 +0000 Message-ID: X-Mailer: git-send-email 2.41.0 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Score: -0.0 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) * gnu/services/certbot.scm (certbot-renewal-one-shot): New procedure. (certbot-service-type)[extensions]: Add it to shepherd-root extension. (certbot-command): Make connection errors return a different exit code. (certbot-activation): Remove message with certificate renewal instructions. Change-Id: I614ac6214a753dba0396e2385a75926c8355caa1 --- gnu/services/certbot.scm | 77 +++++++++++++++++++++++++++++++++------- 1 file changed, 65 insertions(+), 12 deletions(-) diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm index 490b9e8d6d..d6354c86d3 100644 --- a/gnu/services/certbot.scm +++ b/gnu/services/certbot.scm 
@@ -183,15 +183,37 @@ (define certbot-command (program-file "certbot-command" #~(begin - (use-modules (ice-9 match)) - (let ((code 0)) + (use-modules (ice-9 match) + (ice-9 textual-ports)) + + (define (file-contains? file string) + (string-contains (call-with-input-file file + get-string-all) + string)) + + (define (connection-error?) + (file-contains? "/var/log/letsencrypt/letsencrypt.log" + "Failed to establish a new connection")) + + (let ((script-code 0)) (for-each (match-lambda ((name . command) (begin (format #t "Acquiring or renewing certificate: ~a~%" name) - (set! code (or (apply system* command) code))))) - '#$commands) code))))))) + (unless (zero? (status:exit-val (apply system* command))) + ;; Certbot errors are always exit code 1, but we'd like + ;; to separate connection errors from other error types. + (if (connection-error?) + ;; If we have a connection error, then bail early + ;; with exit code 2. We don't expect this to + ;; resolve within the timespan of this script. + (exit 2) + ;; If we have any other type of error, then continue + ;; but exit with a failing status code in the end. + (set! script-code 1)))))) + '#$commands) + (exit script-code)))))))) (define (certbot-renewal-jobs config) (list 
@@ -200,6 +222,40 @@ (define (certbot-renewal-jobs config) #~(job '(next-minute-from (next-hour '(0 12)) (list (random 60))) #$(certbot-command config)))) +(define (certbot-renewal-one-shot config) + (list + ;; Renew certificates when the system first starts. This is a one-shot + ;; service, because the mcron configuration will take care of running this + ;; periodically. This is most useful the very first time the system starts, + ;; to overwrite our self-signed certificates as soon as possible without + ;; user intervention. + (shepherd-service + (provision '(renew-certbot-certificates)) + (requirement '(nginx)) + (one-shot? #t) + (start #~(lambda _ + ;; This needs the network, but there's no reliable way to know + ;; if the network is up other than trying. If we fail due to a + ;; connection error we retry a number of times in the hope that + ;; the network comes up soon. + (let loop ((attempt 0)) + (let ((code (status:exit-val + (system* #$(certbot-command config))))) + (cond + ((and (= code 2) ; Exit code 2 means connection error + (< attempt 12)) ; 12 * 10 seconds = 2 minutes + (sleep 10) + (loop (1+ attempt))) + ((zero? code) + ;; Success! + #t) + (else + ;; Failure. + #f)))))) + (auto-start? #t) + (documentation "Call certbot to renew certificates.") + (actions (list (shepherd-configuration-action (certbot-command config))))))) + (define (generate-certificate-gexp certbot-cert-directory rsa-key-size) (match-lambda (($ name (primary-domain other-domains ...) @@ -243,9 +299,7 @@ (define (generate-certificate-gexp certbot-cert-directory rsa-key-size) (define (certbot-activation config) (let* ((certbot-directory "/var/lib/certbot") - (certbot-cert-directory "/etc/letsencrypt/live") - (script (in-vicinity certbot-directory "renew-certificates")) - (message (format #f (G_ "~a may need to be run~%") script))) + (certbot-cert-directory "/etc/letsencrypt/live")) (match config (($ package webroot certificates email server rsa-key-size default-location) 
@@ -261,10 +315,7 @@ (define (certbot-activation config) (map (generate-certificate-gexp certbot-cert-directory rsa-key-size) (filter certificate-configuration-start-self-signed? - certificates))) - - (copy-file #$(certbot-command config) #$script) - (display #$message))))))) + certificates))))))))) (define certbot-nginx-server-configurations (match-lambda 
@@ -297,7 +348,9 @@ (define certbot-service-type (service-extension activation-service-type certbot-activation) (service-extension mcron-service-type - certbot-renewal-jobs))) + certbot-renewal-jobs) + (service-extension shepherd-root-service-type + certbot-renewal-one-shot))) (compose concatenate) (extend (lambda (config additional-certificates) (certbot-configuration -- 2.41.0 From unknown Tue Jun 17 01:49:18 2025 X-Loop: help-debbugs@gnu.org Subject: bug#46961: [PATCH v2 0/4] Make certbot play more nicely with nginx Resent-From: Felix Lechner Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Tue, 30 Jan 2024 14:51:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 46961 X-GNU-PR-Package: guix X-GNU-PR-Keywords: To: Carlo Zancanaro , 46961@debbugs.gnu.org Cc: guix-devel@gnu.org, brice@waegenei.re, clement@lassieur.org Received: via spool by 46961-submit@debbugs.gnu.org id=B46961.170662620224485 (code B ref 46961); Tue, 30 Jan 2024 14:51:01 +0000 Received: (at 46961) by debbugs.gnu.org; 30 Jan 2024 14:50:02 +0000 Received: from localhost ([127.0.0.1]:34771 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1rUpR3-0006Mm-LS for submit@debbugs.gnu.org; Tue, 30 Jan 2024 09:50:02 -0500 Received: from sail-ipv4.us-core.com ([208.82.101.137]:33134) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1rUpR1-0006MX-Cw for 46961@debbugs.gnu.org; Tue, 30 Jan 2024 09:50:00 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; s=2017; bh=gTwnc+jkJj7jo0g 4hDWIX8y1GDQR5c4T94QCi280IE8=; h=date:references:in-reply-to:subject: cc:to:from; d=lease-up.com; b=OFTgCUS+mygxE40uNQK53KMjXOnro57c8s9vyY6r 6tGDyBw9R794vfRkSkn8YQOkgTl+r5ktgNULaBqcu19XytxZjQUjHKLawzOXt9WI7rlD5B s72wK4wpMV+45y150AhFX9ja4Eoktwiu5AWGUijDpytB92gXZZlK4g7oCpUsA= Received: by sail-ipv4.us-core.com (OpenSMTPD) with ESMTPSA id 65f0f24b (TLSv1.3:TLS_CHACHA20_POLY1305_SHA256:256:NO); Tue, 30 Jan 2024 
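Review bot: in the `certbot-command` hunk, `connection-error?` opens `/var/log/letsencrypt/letsencrypt.log` unconditionally; if certbot exits non-zero before creating that file, `call-with-input-file` raises and the script dies with a Guile error instead of the exit code 1 or 2 the one-shot service expects. Guard with `file-exists?`, treating a missing log as "not a connection error". Related: `status:exit-val` returns `#f` when the child did not exit normally, and `(zero? #f)` raises as well; compare with `(eqv? 0 ...)` or treat `#f` as a failure. The substring match on the English message "Failed to establish a new connection" is tied to certbot's current wording and deserves a comment saying so.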
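Review bot: `certbot-renewal-one-shot` declares `(requirement '(nginx))`, which ties the renewal service to a Shepherd service named `nginx`; on a system that runs certbot for another consumer this service can never be started. Derive the requirement from configuration, or drop it since the retry loop already copes with certbot failing, and mention the coupling in the manual. Also, the `start` procedure calls `system*` and `sleep` for up to 12 * 10 s plus certbot's own runtime; confirm that Shepherd runs this `start` in a way that does not hold up other services for that long on first boot. The `(zero? code)` test has the same `#f` problem as `certbot-command` when the child is killed by a signal.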
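Review bot: the `certbot-activation` hunk drops both the copy of the renewal script to `/var/lib/certbot/renew-certificates` and the message pointing administrators at it, but the patch does not touch `doc/guix.texi`; check the manual for references to that path and replace them with the `renew-certbot-certificates` Shepherd service added here (its `configuration` action exposes the script path).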
14:49:49 +0000 (UTC) 
From: Felix Lechner In-Reply-To: References: Date: Tue, 30 Jan 2024 06:49:48 -0800 Message-ID: <875xzanaer.fsf@lease-up.com> MIME-Version: 1.0 Content-Type: text/plain X-Spam-Score: -0.0 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-)

Hi Carlo,

On Tue, Jan 30 2024, Carlo Zancanaro wrote:

> certbot can't produce certificates without a functional nginx

Yes, it can. The option is called --standalone. [1]

Maybe another way to bootstrap the certificates would be to hold off on starting Nginx or Apache until all certificates are obtained?

Anyway, that's what I do manually.

Kind regards
Felix

[1] https://eff-certbot.readthedocs.io/en/latest/using.html#standalone

From unknown Tue Jun 17 01:49:18 2025 X-Loop: help-debbugs@gnu.org Subject: bug#46961: [PATCH v2 0/4] Make certbot play more nicely with nginx Resent-From: Clément Lassieur Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Tue, 30 Jan 2024 19:40:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 46961 X-GNU-PR-Package: guix X-GNU-PR-Keywords: To: 46961@debbugs.gnu.org Cc: guix-devel@gnu.org, carlo@zancanaro.id.au, brice@waegenei.re, felix.lechner@lease-up.com X-Debbugs-Original-To: Felix Lechner via Bug reports for GNU Guix X-Debbugs-Original-Cc: guix-devel@gnu.org, Carlo Zancanaro , brice@waegenei.re, Felix Lechner , 46961@debbugs.gnu.org Received: via spool by submit@debbugs.gnu.org id=B.170664359813174 (code B ref -1); Tue, 30 Jan 2024 19:40:02 +0000 Received: (at submit) by debbugs.gnu.org; 30 Jan 2024 19:39:58 +0000 Received: from localhost ([127.0.0.1]:36892 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1rUtxe-0003QP-2x for submit@debbugs.gnu.org; Tue, 30 Jan 2024
14:39:58 -0500 Received: from lists.gnu.org ([2001:470:142::17]:40078) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1rUtxX-0003Ps-9f for submit@debbugs.gnu.org; Tue, 30 Jan 2024 14:39:52 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1rUtxE-0000LS-4A; Tue, 30 Jan 2024 14:39:33 -0500 Received: from wout3-smtp.messagingengine.com ([64.147.123.19]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1rUtx8-0007d5-HC; Tue, 30 Jan 2024 14:39:30 -0500 Received: from compute6.internal (compute6.nyi.internal [10.202.2.47]) by mailout.west.internal (Postfix) with ESMTP id 29BFE3200BC8; Tue, 30 Jan 2024 14:39:20 -0500 (EST) Received: from mailfrontend2 ([10.202.2.163]) by compute6.internal (MEProxy); Tue, 30 Jan 2024 14:39:20 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lassieur.org; h= cc:cc:content-type:content-type:date:date:from:from:in-reply-to :in-reply-to:message-id:mime-version:references:reply-to:subject :subject:to:to; s=fm2; t=1706643559; x=1706729959; bh=SldLg2fQhD dS+plxU2hjN/e6atb1eKndm6lYViYXAVA=; b=K9jAPJHZGPRLp6hMmbJmMPIdPP O+Ncwx/4n71W8g9qE0BjZgXAsCq4X9MPRwn3egTuEJtl3A+WuTqkeOxzJgA6OUwF Sw3I/l+zE1vLiLDllIGoNXQDPVolYT91MqzUbXeVcFwOhErkXzckTqKwJUXXNF+j D+0J3kmOVJRZF10MIL6yYDlVQnnGPEUOqarmbdoNnB8foWTlggaJf0JSqfBLC5ra w50jcjyhZOVUKSDTf72LmWQAD0ZTzydl2Il8WfpZwKmwfuufPmwOXp8W49mAgCOv b0cDjhUe/Hpki8fp84oLxAOBh8/uRjEnKLExPgJBJh4Ke+9x0X7/OngwupbQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:subject:subject:to :to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm3; t=1706643559; x=1706729959; bh=SldLg2fQhDdS+plxU2hjN/e6atb1 eKndm6lYViYXAVA=; 
b=qdB2LuFklW2zeDq0vu1QKw02nimjfP6aBks45Hb+y9mv IUlrKBLNUQaQMOAuppiMt+zw/fGfHQASHv+HqcjRovMo261RfNLAvAV/UxPPxYo1 mXI2hdEeoi9Zs8FQLeBcG/i102EIJtXthys22HJMjkSc2Rl0c8uSV9gVZMRpZZzL h+kW4njmISORFSaiEyBwNsZzZj1vibbTQOxNukhLzg9YGozriuplhfviX65ra57X qedzxhRmfvYskoGzylbzbqy0TGfiDyhskMUAWJfq2kF47W+C3Pz3+5yrIG1U4tkA iy8+WA8PbRlUNrw13JOFENDhaoNDmhy0uY+Xv16M9Q== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvkedrfedtjedgiedtucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhephffvvefujghffffkfgggtgesthdtredttderjeenucfhrhhomhepvehlrohm vghnthcunfgrshhsihgvuhhruceotghlvghmvghntheslhgrshhsihgvuhhrrdhorhhgqe enucggtffrrghtthgvrhhnpedvjeehffelgffhhffgvddtgfeggefhlefgheffudffgeek ffelheelieekudetheenucffohhmrghinheprhgvrgguthhhvgguohgtshdrihhonecuve hluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomheptghlvghmvghn theslhgrshhsihgvuhhrrdhorhhg X-ME-Proxy: Feedback-ID: i4c21472a:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Tue, 30 Jan 2024 14:39:16 -0500 (EST) 
From: Clément Lassieur In-Reply-To: <875xzanaer.fsf__22488.5524179385$1706626282$gmane$org@lease-up.com> (Felix Lechner via Bug reports for's message of "Tue, 30 Jan 2024 06:49:48 -0800") References: <875xzanaer.fsf__22488.5524179385$1706626282$gmane$org@lease-up.com> Date: Tue, 30 Jan 2024 20:39:12 +0100 Message-ID: <8734uevcf3.fsf@lassieur.org> User-Agent: Gnus/5.13 (Gnus v5.13) MIME-Version: 1.0 Content-Type: text/plain Received-SPF: pass client-ip=64.147.123.19; envelope-from=clement@lassieur.org; helo=wout3-smtp.messagingengine.com X-Spam_score_int: -27 X-Spam_score: -2.8 X-Spam_bar: -- X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-Spam-Score: 0.6 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.4 (/)

On Tue, Jan 30 2024, Felix Lechner via Bug reports for GNU Guix wrote:

> Hi Carlo,
>
> On Tue, Jan 30 2024, Carlo Zancanaro wrote:
>
>> certbot can't produce certificates without a functional nginx
>
> Yes, it can. The option is called --standalone. [1]
>
> Maybe another way to bootstrap the certificates would be to hold off on
> starting Nginx or Apache until all certificates are obtained?

Yes, but if we do this and there is no internet, nginx won't start, right? Carlo's solution allows us to have a working nginx even when certbot fails. (If I understand well.)

> Anyway, that's what I do manually.
>
> Kind regards
> Felix
>
> [1] https://eff-certbot.readthedocs.io/en/latest/using.html#standalone

From unknown Tue Jun 17 01:49:18 2025 X-Loop: help-debbugs@gnu.org Subject: bug#46961: [PATCH v2 0/4] Make certbot play more nicely with nginx Resent-From: Carlo Zancanaro Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Tue, 30 Jan 2024 22:44:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 46961 X-GNU-PR-Package: guix X-GNU-PR-Keywords: To: Felix Lechner Cc: guix-devel@gnu.org, brice@waegenei.re, clement@lassieur.org, 46961@debbugs.gnu.org Received: via spool by 46961-submit@debbugs.gnu.org id=B46961.170665458231079 (code B ref 46961); Tue, 30 Jan 2024 22:44:01 +0000 Received: (at 46961) by debbugs.gnu.org; 30 Jan 2024 22:43:02 +0000 Received: from localhost ([127.0.0.1]:37054 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1rUwon-00085A-Tj for submit@debbugs.gnu.org; Tue, 30 Jan 2024 17:43:02 -0500 Received: from voltorb.zancanaro.id.au ([45.77.50.64]:51512) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1rUwom-00084i-98 for 46961@debbugs.gnu.org; Tue, 30 Jan 2024 17:43:01 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=k1; bh=l4ZkU0dhbPdk/7E v9vcCSy+6J42yDo9cP1Sf0CCpuUU=; h=in-reply-to:date:subject:cc:to:from: references; d=zancanaro.id.au; b=Y9cxG5dPbqQ0G9RntEVwm9ZrZMFBruAIsgDQk 3Cqijdlwk66XXQslaqdc7ay+azv0r+uipiosnRvVImBEp6aVO0Ux4wTbAkiS4yeVIUQzft iIUIzoV3JAWxLVOEj3KuUNa99YwDxBxlwfqyfSXmR1BUWsM6ZJnLmrtr/YkspdA0= Received: by voltorb.zancanaro.id.au (OpenSMTPD) with ESMTPSA id 7c55dca9 (TLSv1.3:TLS_AES_256_GCM_SHA384:256:NO); Tue, 30 Jan 2024 22:42:32 +0000 (UTC) References: <875xzanaer.fsf@lease-up.com> User-agent: mu4e 1.10.8; emacs 29.1
From: Carlo Zancanaro
Date: Wed, 31 Jan 2024 08:48:54 +1100
In-Reply-To: <875xzanaer.fsf@lease-up.com>
Message-ID: <87r0hyphni.fsf@zancanaro.id.au>

Hi Felix,

On Tue, Jan 30 2024, Felix Lechner wrote:
> On Tue, Jan 30 2024, Carlo Zancanaro wrote:
>> certbot can't produce certificates without a functional nginx
>
> Yes, it can. The option is called --standalone. [1]

You are correct, of course. If I had been more precise I would have
said "with our current configuration, certbot can't produce
certificates without a functional nginx".

> Maybe another way to bootstrap the certificates would be to hold
> off on starting Nginx or Apache until all certificates are
> obtained?

This could work, but I see a few downsides.

As Clément has already mentioned, this would make nginx dependent
on certbot. This causes problems for servers disconnected from the
general internet, but it also shifts complexity into the nginx
service without much benefit over the patch series I'm proposing.
We'd need to add more configuration on the nginx side to control
whether to delay startup based on whether we actually want
certificates. This would delay the startup of the whole nginx
process, even if some server configurations don't require new
certificates.

For renewal, we would also have two options: (1) use --standalone,
and require a period of downtime for our web server; or (2) use
--webroot, and maintain two code paths for the two cases.
I think it's a bad idea for Guix to make a decision that requires
downtime of user systems if there's an alternative, so I don't like (1).
Maintaining two "similar but different" code paths for (2) doesn't
seem like a clear advantage over the patch series I'm proposing.

> Anyway, that's what I do manually.

I use the DNS challenge type, with hooks which automatically
create/remove DNS records. This solves all the problems I'm
bringing up (i.e. doesn't require nginx, doesn't involve downtime,
has a single code path), but I don't think Guix can assume that
all users have the ability to do this. My aim with this patch
series is to make the default certbot configuration work for the
common case of a simple web server, without manual intervention.

Carlo

From unknown Tue Jun 17 01:49:18 2025
Subject: bug#46961: [PATCH v2 0/4] Make certbot play more nicely with nginx
To: Carlo Zancanaro
Cc: guix-devel@gnu.org, brice@waegenei.re, clement@lassieur.org, Felix Lechner, 46961@debbugs.gnu.org
Date: Wed, 31 Jan 2024 01:04:12 +0100
From: Wojtek Kosior
Message-ID: <20240131010412.299d6a03.koszko@koszko.org>
In-Reply-To: <87r0hyphni.fsf@zancanaro.id.au>
References: <875xzanaer.fsf@lease-up.com> <87r0hyphni.fsf@zancanaro.id.au>

I sympathize with your approach (I, too, have been supplementing
Certbot with self-signed certs for some time).

What would also be cool is not to have `certbot-service-type` depend
on `nginx-service-type` in the first place. So that one can more
easily use another HTTP server. It can of course be achieved with
`remove-service-extensions` from `(gnu services)`, it's just less
elegant than having it supported directly.

Perhaps some variant of the "dependency inversion principle" would fit
here? How about the following set of service types?
- certbot-tool-service-type — does what `certbot-service-type` used to
  do until now except it doesn't extend `nginx-service-type` and can
  itself be extended with not just ``s but also ``
- certbot/nginx-service-type — takes in ``, extends both
  `certbot-tool-service-type` and `nginx-service-type`
- certbot/httpd-service-type — takes in ``, extends both
  `certbot-tool-service-type` and `httpd-service-type`
- certbot-service-type — deprecated, functions as an alias for
  `certbot/nginx-service-type`

Your proposals are of course useful as well, regardless of this being
done

Best :)
Wojtek

-- (sig_start)
website: https://koszko.org/koszko.html
fingerprint: E972 7060 E3C5 637C 8A4F 4B42 4BC5 221C 5A79 FD1A
follow me on Fediverse: https://friendica.me/profile/koszko/profile
-- (sig_end)

On Wed, 31 Jan 2024 08:48:54 +1100 Carlo Zancanaro wrote:

> Hi Felix,
>
> On Tue, Jan 30 2024, Felix Lechner wrote:
> > On Tue, Jan 30 2024, Carlo Zancanaro wrote:
> >> certbot can't produce certificates without a functional nginx
> >
> > Yes, it can. The option is called --standalone. [1]
>
> You are correct, of course. If I had been more precise I would
> have said "with our current configuration, certbot can't produce
> certificates without a functional nginx".
>
> > Maybe another way to bootstrap the certificates would be to hold
> > off on starting Nginx or Apache until all certificates are
> > obtained?
>
> This could work, but I see a few downsides.
>
> As Clément has already mentioned, this would make nginx dependent
> on certbot.
> This causes problems for servers disconnected from the
> general internet, but it also shifts complexity into the nginx
> service without much benefit over the patch series I'm proposing.
> We'd need to add more configuration on the nginx side to control
> whether to delay startup based on whether we actually want
> certificates. This would delay the startup of the whole nginx
> process, even if some server configurations don't require new
> certificates.
>
> For renewal, we would also have two options: (1) use --standalone,
> and require a period of downtime for our web server; or (2) use
> --webroot, and maintain two code paths for the two cases. I think
> it's a bad idea for Guix to make a decision that requires downtime
> of user systems if there's an alternative, so I don't like (1).
> Maintaining two "similar but different" code paths for (2) doesn't
> seem like a clear advantage over the patch series I'm proposing.
>
> > Anyway, that's what I do manually.
>
> I use the DNS challenge type, with hooks which automatically
> create/remove DNS records. This solves all the problems I'm
> bringing up (i.e. doesn't require nginx, doesn't involve downtime,
> has a single code path), but I don't think Guix can assume that
> all users have the ability to do this. My aim with this patch
> series is to make the default certbot configuration work for the
> common case of a simple web server, without manual intervention.
>
> Carlo
>

From unknown Tue Jun 17 01:49:18 2025
Subject: bug#46961: Nginx and certbot cervices don't play well togther
To: Carlo Zancanaro
Cc: brice@waegenei.re, 46961@debbugs.gnu.org
From: Clément Lassieur
In-Reply-To: <0816d35e69610090994eb7da45715b4ee366d791.1706621200.git.carlo@zancanaro.id.au> (Carlo Zancanaro's message of "Tue, 30 Jan 2024 13:26:39 +0000")
References: <0816d35e69610090994eb7da45715b4ee366d791.1706621200.git.carlo@zancanaro.id.au>
Date: Wed, 31 Jan 2024 01:29:20 +0100
Message-ID: <8734uetkf3.fsf_-_@lassieur.org>

I removed guix-devel, not sure we need to spam it.

On Tue, Jan 30 2024, Carlo Zancanaro wrote:

> +(define %default-deploy-hook > + (program-file > + "reload-nginx.scm" > + (with-imported-modules '((gnu services herd)) > + #~(begin > + (use-modules (gnu services herd)) > + (with-shepherd-action 'nginx ('reload) result result))))) > + > (define-record-type* > certificate-configuration make-certificate-configuration > certificate-configuration?
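Review bot: `%default-deploy-hook` calls `(with-shepherd-action 'nginx ('reload) result result)` unconditionally, and as the default `deploy-hook` of every `certificate-configuration` it will also run on systems that have no `nginx` shepherd service (httpd users, or certbot used only to produce the files), where it tries to reload a service that does not exist; guard the reload on the service being present, or keep the reload in the nginx-specific integration rather than in a generic default.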
> @@ -65,7 +74,7 @@ (define-record-type* > (cleanup-hook certificate-cleanup-hook > (default #f)) > (deploy-hook certificate-configuration-deploy-hook > - (default #f)) > + (default %default-deploy-hook)) > (start-self-signed? certificate-configuration-start-self-signed? > (default #t)))

I'd reload within ‘certbot-deploy-hook’, between ‘rename-file’ and
“(if deploy-hook-script” so that people don't get surprised, when they
use a deploy-hook for unrelated reasons, that nginx doesn't reload
anymore.

Plus, reloading nginx is harmless.

From unknown Tue Jun 17 01:49:18 2025
Subject: bug#46961: Nginx and certbot cervices don't play well togther
To: Carlo Zancanaro
Cc: brice@waegenei.re, 46961@debbugs.gnu.org
From: Clément Lassieur
In-Reply-To: (Carlo Zancanaro's message of "Tue, 30 Jan 2024 13:26:40 +0000")
Date: Wed, 31 Jan 2024 01:55:56 +0100
Message-ID: <87zfwms4mb.fsf_-_@lassieur.org>

Removing guix-devel.

On Tue, Jan 30 2024, Carlo Zancanaro wrote:

> + (define (file-contains? file string) > + (string-contains (call-with-input-file file > + get-string-all) > + string)) > + > + (define (connection-error?) > + (file-contains? "/var/log/letsencrypt/letsencrypt.log" > + "Failed to establish a new connection")) > + > + (let ((script-code 0)) > (for-each > (match-lambda > ((name . command) > (begin > (format #t "Acquiring or renewing certificate: ~a~%" name)

Here we could add ‘(force-output)’, because otherwise those logs arrive
after the certbot logs, and it's hard to understand anything.

> - (set! code (or (apply system* command) code))))) > - '#$commands) code))))))) > + (unless (zero? (status:exit-val (apply system* command))) > + ;; Certbot errors are always exit code 1, but we'd like > + ;; to separate connection errors from other error types. > + (if (connection-error?) > + ;; If we have a connection error, then bail early > + ;; with exit code 2. We don't expect this to > + ;; resolve within the timespan of this script.

Could we have a (log + force-output) here too? (I imagine within a
‘begin’)

> + (exit 2) > + ;; If we have any other type of error, then continue > + ;; but exit with a failing status code in the end.

and here?

> + (set! script-code 1))))))

And maybe a log also in case the command succeeds. (So that would mean
to replace ‘unless’ with ‘if’).

> + '#$commands) > + (exit script-code)))))))) > > + (let loop ((attempt 0)) > + (let ((code (status:exit-val > + (system* #$(certbot-command config))))) > + (cond > + ((and (= code 2) ; Exit code 2 means connection error > + (< attempt 12)) ; 12 * 10 seconds = 2 minutes

^------ This comment is not true because certbot takes time to execute
(around 15s on my vm). I don't think there is a need to be that precise.
Maybe you can just add it in the let form, as in (let ((code ...)
(max-attempts 12)).

> + (sleep 10) > + (loop (1+ attempt))) > + ((zero? code) > + ;; Success! > + #t) > + (else > + ;; Failure. > + #f))))))

Also could you update the example in the docs?

From the doc:

>> @defvar certbot-service-type
>> A service type for the @code{certbot} Let's Encrypt client. Its value
>> must be a @code{certbot-configuration} record as in this example:
>>
>> @lisp
>> (define %certbot-deploy-hook
>>   (program-file "certbot-deploy-hook.scm"
>>     (with-imported-modules '((gnu services herd))
>>       #~(begin
>>           (use-modules (gnu services herd))
>>           (with-shepherd-action 'nginx ('reload) result result)))))

^ This part isn't useful anymore. However, we could add a
nginx-service-type and a dhcp-client-service-type so that people have an
idea of what the minimal config is, maybe like I did in my first review:
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=46961#23.

>> (service certbot-service-type
>>   (certbot-configuration
>>     (email "foo@@example.net")
>>     (certificates
>>       (list
>>         (certificate-configuration
>>           (domains '("example.net" "www.example.net"))
>>           (deploy-hook %certbot-deploy-hook))
>>         (certificate-configuration
>>           (domains '("bar.example.net")))))))
>> @end lisp

We are almost there, thanks!
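Review bot: `connection-error?` decides by searching the whole of `/var/log/letsencrypt/letsencrypt.log` for "Failed to establish a new connection", but that file persists between invocations, so once any earlier run has logged a connection failure, every later failure of a different kind is also classified as a connection error, exits with code 2 and is retried by the outer `loop` instead of setting `script-code` to 1; inspect only the output of the current `(apply system* command)` (for example by capturing certbot's stderr, or by recording the log's size before the call and reading only what was appended).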
Clément

From unknown Tue Jun 17 01:49:18 2025
Subject: bug#46961: [PATCH v3 0/4] Make certbot play more nicely with nginx
To: 46961@debbugs.gnu.org
Cc: clement@lassieur.org
From: Carlo Zancanaro
Date: Wed, 31 Jan 2024 11:46:21 +0000

Carlo Zancanaro (4):
  services: certbot: Symlink certificates to /etc/certs.
  services: certbot: Create self-signed certificates before certbot runs.
  services: certbot: Reload nginx in deploy hook.
  services: certbot: Add one-shot service to renew certificates.

 doc/guix.texi            |  40 ++++-----
 gnu/services/certbot.scm | 185 +++++++++++++++++++++++++++++++++++----
 2 files changed, 189 insertions(+), 36 deletions(-)

base-commit: 7a45f7b9e1b34912ee087daf4014aa4f67b11bf0
-- 
2.41.0

From unknown Tue Jun 17 01:49:18 2025
Subject: bug#46961: [PATCH v3 1/4] services: certbot: Symlink certificates to /etc/certs.
To: 46961@debbugs.gnu.org
Cc: clement@lassieur.org
From: Carlo Zancanaro
Date: Wed, 31 Jan 2024 11:46:22 +0000
Message-ID: <0388d0ea8bb3e112944698b3513e9819c77d69ea.1706701585.git.carlo@zancanaro.id.au>

* gnu/services/certbot.scm (certbot-deploy-hook): New procedure.
(certbot-command): Pass new deploy hook to certbot.
* doc/guix.texi: Replace "letsencrypt/live" with "certs" throughout,
except in the certbot deploy-hook description.

Change-Id: I2ba5e4903d1e293e566b732a84b07d5a134b697d
---
 doc/guix.texi            | 24 ++++++++++++------------
 gnu/services/certbot.scm | 36 ++++++++++++++++++++++++++++++++++--
 2 files changed, 46 insertions(+), 14 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index bb0af26d93..97be37f9b5 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -43,7 +43,7 @@ Copyright @copyright{} 2017, 2018, 2019 Clément Lassieur@* Copyright @copyright{} 2017, 2018, 2020, 2021, 2022 Mathieu Othacehe@* Copyright @copyright{} 2017 Federico Beffa@* -Copyright @copyright{} 2017, 2018 Carlo Zancanaro@* +Copyright @copyright{} 2017, 2018, 2024 Carlo Zancanaro@* Copyright @copyright{} 2017 Thomas Danckaert@* Copyright @copyright{} 2017 humanitiesNerd@* Copyright @copyright{} 2017, 2021 Christine Lemmer-Webber@* @@ -28135,7 +28135,7 @@ Messaging Services them. See @url{https://prosody.im/doc/letsencrypt}. @example -prosodyctl --root cert import /etc/letsencrypt/live +prosodyctl --root cert import /etc/certs @end example The available configuration parameters follow. Each parameter
@@ -28846,8 +28846,8 @@ Telephony Services (welcome-text "Welcome to this Mumble server running on Guix!") (cert-required? #t) ;disallow text password logins - (ssl-cert "/etc/letsencrypt/live/mumble.example.com/fullchain.pem") - (ssl-key "/etc/letsencrypt/live/mumble.example.com/privkey.pem"))) + (ssl-cert "/etc/certs/mumble.example.com/fullchain.pem") + (ssl-key "/etc/certs/mumble.example.com/privkey.pem"))) @end lisp After reconfiguring your system, you can manually set the mumble-server @@ -28965,12 +28965,12 @@ Telephony Services File name of the SSL/TLS certificate used for encrypted connections. @lisp -(ssl-cert "/etc/letsencrypt/live/example.com/fullchain.pem") +(ssl-cert "/etc/certs/example.com/fullchain.pem") @end lisp @item @code{ssl-key} (default: @code{#f}) Filepath to the ssl private key used for encrypted connections. @lisp -(ssl-key "/etc/letsencrypt/live/example.com/privkey.pem") +(ssl-key "/etc/certs/example.com/privkey.pem") @end lisp @item @code{ssl-dh-params} (default: @code{#f}) @@ -32694,8 +32694,8 @@ Certificate Services @end deftp For each @code{certificate-configuration}, the certificate is saved to -@code{/etc/letsencrypt/live/@var{name}/fullchain.pem} and the key is -saved to @code{/etc/letsencrypt/live/@var{name}/privkey.pem}. +@code{/etc/certs/@var{name}/fullchain.pem} and the key is +saved to @code{/etc/certs/@var{name}/privkey.pem}. @node DNS Services @subsection DNS Services @cindex DNS (domain name system) @@ -37381,9 +37381,9 @@ Version Control Services (listen '("443 ssl")) (server-name "git.my-host.org") (ssl-certificate - "/etc/letsencrypt/live/git.my-host.org/fullchain.pem") + "/etc/certs/git.my-host.org/fullchain.pem") (ssl-certificate-key - "/etc/letsencrypt/live/git.my-host.org/privkey.pem") + "/etc/certs/git.my-host.org/privkey.pem") (locations (list (git-http-nginx-location-configuration 
@@ -38508,9 +38508,9 @@ Version Control Services (nginx-server-block (nginx-server-configuration (ssl-certificate - "/etc/letsencrypt/live/myweb.site/fullchain.pem") + "/etc/certs/myweb.site/fullchain.pem") (ssl-certificate-key - "/etc/letsencrypt/live/myweb.site/privkey.pem") + "/etc/certs/myweb.site/privkey.pem") (listen '("443 ssl http2" "[::]:443 ssl http2")) (locations (list
diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm
index 0c45471659..3926d0551a 100644
--- a/gnu/services/certbot.scm
+++ b/gnu/services/certbot.scm
@@ -6,6 +6,7 @@ ;;; Copyright © 2020 Jack Hill ;;; Copyright © 2020 Tobias Geerinckx-Rice ;;; Copyright © 2021 Raghav Gururajan +;;; Copyright © 2024 Carlo Zancanaro ;;; ;;; This file is part of GNU Guix. ;;;
@@ -87,6 +88,35 @@ (define-record-type* (body (list "return 301 https://$host$request_uri;")))))) +(define (certbot-deploy-hook name deploy-hook-script) + "Returns a gexp which creates symlinks for privkey.pem and fullchain.pem +from /etc/certs/NAME to /etc/letsenctypt/live/NAME. If DEPLOY-HOOK-SCRIPT is +not #f then it is run after the symlinks have been created." + (program-file + (string-append name "-deploy-hook") + (with-imported-modules '((guix build utils)) + #~(begin + (use-modules (guix build utils)) + (mkdir-p #$(string-append "/etc/certs/" name)) + (chmod #$(string-append "/etc/certs/" name) #o755) + + ;; Create new symlinks + (symlink #$(string-append + "/etc/letsencrypt/live/" name "/privkey.pem") + #$(string-append "/etc/certs/" name "/privkey.pem.new")) + (symlink #$(string-append + "/etc/letsencrypt/live/" name "/fullchain.pem") + #$(string-append "/etc/certs/" name "/fullchain.pem.new")) + + ;; Rename over the top of the old ones, if there are any. + (rename-file #$(string-append "/etc/certs/" name "/privkey.pem.new") + #$(string-append "/etc/certs/" name "/privkey.pem")) + (rename-file #$(string-append "/etc/certs/" name "/fullchain.pem.new") + #$(string-append "/etc/certs/" name "/fullchain.pem")) + #$@(if deploy-hook-script + (list #~(invoke #$deploy-hook-script)) + '()))))) + (define certbot-command (match-lambda (($ package webroot certificates email @@ -118,7 +148,8 @@ (define certbot-command `("--manual-auth-hook" ,authentication-hook) '()) (if cleanup-hook `("--manual-cleanup-hook" ,cleanup-hook) '()) - (if deploy-hook `("--deploy-hook" ,deploy-hook) '())) + (list "--deploy-hook" + (certbot-deploy-hook name deploy-hook))) (append (list name certbot "certonly" "-n" "--agree-tos" "--webroot" "-w" webroot 
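Review bot: in the `@@ -87,6 +88,35 @@` hunk, `certbot-deploy-hook` is not idempotent: `(symlink ... ".../privkey.pem.new")` raises an error when a `privkey.pem.new` link already exists, which is exactly what is left behind if an earlier run was interrupted between `symlink` and `rename-file`, and from then on neither the rename nor `deploy-hook-script` runs until the stale link is removed by hand; delete any existing `.new` link before each `symlink`, e.g. `(false-if-exception (delete-file #$(string-append "/etc/certs/" name "/privkey.pem.new")))`. The docstring also misspells the source directory as `/etc/letsenctypt/live/NAME`.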
@@ -130,7 +161,8 @@ (define certbot-command '("--register-unsafely-without-email")) (if server `("--server" ,server) '()) (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '()) - (if deploy-hook `("--deploy-hook" ,deploy-hook) '())))))) + (list "--deploy-hook" + (certbot-deploy-hook name deploy-hook))))))) certificates))) (program-file "certbot-command" -- 2.41.0

Subject: bug#46961: [PATCH v3 3/4] services: certbot: Reload nginx in deploy hook.
Resent-From: Carlo Zancanaro
Resent-Date: Wed, 31 Jan 2024 11:51:03 +0000
To: 46961@debbugs.gnu.org
Cc: clement@lassieur.org
From: Carlo Zancanaro
Date: Wed, 31 Jan 2024 11:46:24 +0000

* gnu/services/certbot.scm (certbot-deploy-hook): Reload nginx.
* doc/guix.texi (Certificate services): Remove deploy-hook from example.

Change-Id: Ibb10481170a6fda7df72492072b939dd6a6ad176
---
I've pulled the nginx reloading into the regular deployment hook here. I also removed the explicit deploy hook in the documentation, because that is now the default behaviour.

doc/guix.texi | 10 +--------- gnu/services/certbot.scm | 10 ++++++++-- 2 files changed, 9 insertions(+), 11 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index 732abceb0f..c71d7e94cf 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -32562,21 +32562,13 @@ Certificate Services must be a @code{certbot-configuration} record as in this example: @lisp -(define %certbot-deploy-hook - (program-file "certbot-deploy-hook.scm" - (with-imported-modules '((gnu services herd)) - #~(begin - (use-modules (gnu services herd)) - (with-shepherd-action 'nginx ('reload) result result))))) - (service certbot-service-type (certbot-configuration (email "foo@@example.net") (certificates (list (certificate-configuration - (domains '("example.net" "www.example.net")) - (deploy-hook %certbot-deploy-hook)) + (domains '("example.net" "www.example.net"))) (certificate-configuration (domains '("bar.example.net"))))))) @end lisp diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm index 10b99f5630..cb1be0c0e9 100644 --- a/gnu/services/certbot.scm +++ b/gnu/services/certbot.scm
@@ -100,9 +100,11 @@ (define (certbot-deploy-hook name deploy-hook-script) deploy." (program-file (string-append name "-deploy-hook") - (with-imported-modules '((guix build utils)) + (with-imported-modules '((gnu services herd) + (guix build utils)) #~(begin - (use-modules (guix build utils)) + (use-modules (gnu services herd) + (guix build utils)) (mkdir-p #$(string-append "/etc/certs/" name)) (chmod #$(string-append "/etc/certs/" name) #o755) 
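Review bot: the docstring of `certbot-deploy-hook` (the `deploy."` context line at the top of this hunk) is left unchanged although the hook, with the `(gnu services herd)` import added here, now reloads nginx before running DEPLOY-HOOK-SCRIPT; add a sentence saying so. The manual needs the same sentence, because the doc change in this patch only removes the `%certbot-deploy-hook` example, and a user whose own hook still reloads nginx will now trigger the reload twice without being told that the service does it for them.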
@@ -120,6 +122,10 @@ (define (certbot-deploy-hook name deploy-hook-script) #$(string-append "/etc/certs/" name "/privkey.pem")) (rename-file #$(string-append "/etc/certs/" name "/fullchain.pem.new") #$(string-append "/etc/certs/" name "/fullchain.pem")) + + ;; With the new certificates in place, tell nginx to reload them. + (with-shepherd-action 'nginx ('reload) result result) + #$@(if deploy-hook-script (list #~(invoke #$deploy-hook-script)) '()))))) -- 2.41.0

Subject: bug#46961: [PATCH v3 2/4] services: certbot: Create self-signed certificates before certbot runs.
Resent-From: Carlo Zancanaro
Resent-Date: Wed, 31 Jan 2024 11:51:03 +0000
To: 46961@debbugs.gnu.org
Cc: clement@lassieur.org
From: Carlo Zancanaro
Date: Wed, 31 Jan 2024 11:46:23 +0000
Message-ID: <9a64f8740e07717adb373f5ce3099bf325ff9661.1706701585.git.carlo@zancanaro.id.au>

* gnu/services/certbot.scm (): Add start-self-signed? field.
(generate-certificate-gexp): New procedure.
(certbot-activation): Generate self-signed certificates when start-self-signed? is #t.
* doc/guix.texi (Certificate services): Document start-self-signed?.

Change-Id: Icfd85ae0c3e29324acbcde6ba283546cf0e27a1d
---
doc/guix.texi | 6 ++++ gnu/services/certbot.scm | 62 ++++++++++++++++++++++++++++++++++++++-- 2 files changed, 65 insertions(+), 3 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index 97be37f9b5..732abceb0f 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -32690,6 +32690,12 @@ Certificate Services contain a space-delimited list of renewed certificate domains (for example, @samp{"example.com www.example.com"}. +@item @code{start-self-signed?} (default: @code{#t}) +Whether to generate an initial self-signed certificate during system +activation. This option is particularly useful to allow @code{nginx} to +start before @code{certbot} has run, because @code{certbot} relies on +@code{nginx} running to perform HTTP challenges. + @end table @end deftp diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm index 3926d0551a..10b99f5630 100644 --- a/gnu/services/certbot.scm +++ b/gnu/services/certbot.scm
@@ -35,6 +35,7 @@ (define-module (gnu services certbot) #:use-module (guix records) #:use-module (guix gexp) #:use-module (srfi srfi-1) + #:use-module (ice-9 format) #:use-module (ice-9 match) #:export (certbot-service-type certbot-configuration @@ -64,7 +65,9 @@ (define-record-type* (cleanup-hook certificate-cleanup-hook (default #f)) (deploy-hook certificate-configuration-deploy-hook - (default #f))) + (default #f)) + (start-self-signed? certificate-configuration-start-self-signed? + (default #t))) (define-record-type* certbot-configuration make-certbot-configuration @@ -91,7 +94,10 @@ (define-record-type* (define (certbot-deploy-hook name deploy-hook-script) "Returns a gexp which creates symlinks for privkey.pem and fullchain.pem from /etc/certs/NAME to /etc/letsenctypt/live/NAME. If DEPLOY-HOOK-SCRIPT is -not #f then it is run after the symlinks have been created." +not #f then it is run after the symlinks have been created. This wrapping is +necessary for certificates with start-self-signed? set to #t, as it will +overwrite the initial self-signed certificates upon the first successful +deploy." (program-file (string-append name "-deploy-hook") (with-imported-modules '((guix build utils)) @@ -108,7 +114,8 @@ (define (certbot-deploy-hook name deploy-hook-script) "/etc/letsencrypt/live/" name "/fullchain.pem") #$(string-append "/etc/certs/" name "/fullchain.pem.new")) - ;; Rename over the top of the old ones, if there are any. + ;; Rename over the top of the old ones, just in case they were the + ;; original self-signed certificates. (rename-file #$(string-append "/etc/certs/" name "/privkey.pem.new") #$(string-append "/etc/certs/" name "/privkey.pem")) (rename-file #$(string-append "/etc/certs/" name "/fullchain.pem.new") 
@@ -184,6 +191,47 @@ (define (certbot-renewal-jobs config) #~(job '(next-minute-from (next-hour '(0 12)) (list (random 60))) #$(certbot-command config)))) +(define (generate-certificate-gexp certbot-cert-directory rsa-key-size) + (match-lambda + (($ name (primary-domain other-domains ...) + challenge + csr authentication-hook + cleanup-hook deploy-hook) + (let (;; Arbitrary default subject, with just the + ;; right domain filled in. These values don't + ;; have any real significance. + (subject (string-append + "/C=US/ST=Oregon/L=Portland/O=Company Name/OU=Org/CN=" + primary-domain)) + (alt-names (if (null? other-domains) + #f + (format #f "subjectAltName=~{DNS:~a~^,~}" + other-domains))) + (directory (string-append "/etc/certs/" (or name primary-domain)))) + #~(when (not (file-exists? #$directory)) + ;; We generate self-signed certificates in /etc/certs/{domain}, + ;; because certbot is very sensitive to its directory + ;; structure. It refuses to write over the top of existing files, + ;; so we need to use a directory outside of its control. + ;; + ;; These certificates are overwritten by the certbot deploy hook + ;; the first time it successfully obtains a letsencrypt-signed + ;; certificate. + (mkdir-p #$directory) + (chmod #$directory #o755) + (invoke #$(file-append openssl "/bin/openssl") + "req" "-x509" + "-newkey" #$(string-append "rsa:" (or rsa-key-size "4096")) + "-keyout" #$(string-append directory "/privkey.pem") + "-out" #$(string-append directory "/fullchain.pem") + "-sha256" + "-days" "1" ; Only one day, because we expect certbot to run + "-nodes" + "-subj" #$subject + #$@(if alt-names + (list "-addext" alt-names) + (list)))))))) + (define (certbot-activation config) (let* ((certbot-directory "/var/lib/certbot") (certbot-cert-directory "/etc/letsencrypt/live") 
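Review bot: the `(when (not (file-exists? #$directory)) ...)` guard in `generate-certificate-gexp` tests the directory, but `mkdir-p` runs before the `invoke` of openssl; if openssl fails once, the empty `/etc/certs/<name>` directory stays behind, every later activation skips generation, and nginx is back to the `cannot load certificate` failure this series is meant to fix. Testing for `fullchain.pem` inside the directory instead makes the step retry until it actually succeeds. Two smaller points: the `certbot-cert-directory` parameter is never used in the body, and the private key written with `-nodes` lands in a directory just made `#o755`, so an explicit `(chmod (string-append directory "/privkey.pem") #o600)` after the `invoke` avoids relying on openssl's default file mode.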
@@ -198,6 +246,14 @@ (define (certbot-activation config) (mkdir-p #$webroot) (mkdir-p #$certbot-directory) (mkdir-p #$certbot-cert-directory) + + #$@(let ((rsa-key-size (and rsa-key-size + (number->string rsa-key-size)))) + (map (generate-certificate-gexp certbot-cert-directory + rsa-key-size) + (filter certificate-configuration-start-self-signed? + certificates))) + (copy-file #$(certbot-command config) #$script) (display #$message))))))) -- 2.41.0

Subject: bug#46961: [PATCH v3 4/4] services: certbot: Add one-shot service to renew certificates.
Resent-From: Carlo Zancanaro
Resent-Date: Wed, 31 Jan 2024 11:51:04 +0000
To: 46961@debbugs.gnu.org
Cc: clement@lassieur.org
From: Carlo Zancanaro
Date: Wed, 31 Jan 2024 11:46:25 +0000
Message-ID: <4674088538cb55d20978f5cff9fe8820e9171bf1.1706701585.git.carlo@zancanaro.id.au>

* gnu/services/certbot.scm (certbot-renewal-one-shot): New procedure.
(certbot-service-type)[extensions]: Add it to shepherd-root extension.
(certbot-command): Make connection errors return a different exit code.
(certbot-activation): Remove message with certificate renewal instructions.

Change-Id: I614ac6214a753dba0396e2385a75926c8355caa1
---
I've added some more logging here, and removed the comments that implied that we expected the length of time for the retries to be bounded.

gnu/services/certbot.scm | 89 +++++++++++++++++++++++++++++++++------- 1 file changed, 75 insertions(+), 14 deletions(-) diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm index cb1be0c0e9..f287c8367f 100644 --- a/gnu/services/certbot.scm +++ b/gnu/services/certbot.scm
@@ -180,15 +180,45 @@ (define certbot-command (program-file "certbot-command" #~(begin - (use-modules (ice-9 match)) - (let ((code 0)) + (use-modules (ice-9 match) + (ice-9 textual-ports)) + + (define (log format-string . args) + (apply format #t format-string args) + (force-output)) + + (define (file-contains? file string) + (string-contains (call-with-input-file file + get-string-all) + string)) + + (define (connection-error?) + ;; Certbot errors are always exit code 1, so we need to look at + ;; the log file to see if there was a connection error. + (file-contains? "/var/log/letsencrypt/letsencrypt.log" + "Failed to establish a new connection")) + + (let ((script-code 0)) (for-each (match-lambda ((name . command) - (begin - (format #t "Acquiring or renewing certificate: ~a~%" name) - (set! code (or (apply system* command) code))))) - '#$commands) code))))))) + (log "Acquiring or renewing certificate: ~a~%" name) + (cond + ((zero? (status:exit-val (apply system* command))) + (log "Certificate successfully acquired: ~a~%" name)) + ((connection-error?) + ;; If we have a connection error, then bail early with + ;; exit code 2. We don't expect this to resolve within the + ;; timespan of this script. + (log "Connection error - bailing out~%") + (exit 2)) + (else + ;; If we have any other type of error, then continue but + ;; exit with a failing status code in the end. + (log "Error: ~a - continuing with other domains~%" name) + (set! script-code 1))))) + '#$commands) + (exit script-code)))))))) (define (certbot-renewal-jobs config) (list 
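Review bot: `(zero? (status:exit-val (apply system* command)))` in the `certbot-command` hunk throws a wrong-type error instead of failing cleanly when certbot is killed by a signal, because `status:exit-val` returns #f in that case (the `(= code 2)` test in the one-shot loop that follows has the same problem); bind the value first and test `(and code (zero? code))`. Also, `file-contains?` opens `/var/log/letsencrypt/letsencrypt.log` unconditionally, so a certbot failure that happens before the log file exists (first boot, wrong permissions on `/var/log/letsencrypt`) escapes from `connection-error?` as an uncaught exception rather than setting `script-code` to 1; check `file-exists?` first and treat a missing log as "not a connection error".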
@@ -197,6 +227,40 @@ (define (certbot-renewal-jobs config) #~(job '(next-minute-from (next-hour '(0 12)) (list (random 60))) #$(certbot-command config)))) +(define (certbot-renewal-one-shot config) + (list + ;; Renew certificates when the system first starts. This is a one-shot + ;; service, because the mcron configuration will take care of running this + ;; periodically. This is most useful the very first time the system starts, + ;; to overwrite our self-signed certificates as soon as possible without + ;; user intervention. + (shepherd-service + (provision '(renew-certbot-certificates)) + (requirement '(nginx)) + (one-shot? #t) + (start #~(lambda _ + ;; This needs the network, but there's no reliable way to know + ;; if the network is up other than trying. If we fail due to a + ;; connection error we retry a number of times in the hope that + ;; the network comes up soon. + (let loop ((attempt 0)) + (let ((code (status:exit-val + (system* #$(certbot-command config))))) + (cond + ((and (= code 2) ; Exit code 2 means connection error + (< attempt 12)) ; Arbitrarily chosen max attempts + (sleep 10) ; Arbitrarily chosen retry delay + (loop (1+ attempt))) + ((zero? code) + ;; Success! + #t) + (else + ;; Failure. + #f)))))) + (auto-start? #t) + (documentation "Call certbot to renew certificates.") + (actions (list (shepherd-configuration-action (certbot-command config))))))) + (define (generate-certificate-gexp certbot-cert-directory rsa-key-size) (match-lambda (($ name (primary-domain other-domains ...) 
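Review bot: in `certbot-renewal-one-shot`, once the 12 retries on exit code 2 are exhausted the `cond` falls through to the `else` branch and the service returns `#f` without any message, so the shepherd log gives no hint whether certbot never reached the ACME server or failed for another reason. Logging the attempt count before giving up, and logging the non-2 exit code in the `else` branch, would make the first-boot failure mode diagnosable.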
@@ -240,9 +304,7 @@ (define (generate-certificate-gexp certbot-cert-directory rsa-key-size) (define (certbot-activation config) (let* ((certbot-directory "/var/lib/certbot") - (certbot-cert-directory "/etc/letsencrypt/live") - (script (in-vicinity certbot-directory "renew-certificates")) - (message (format #f (G_ "~a may need to be run~%") script))) + (certbot-cert-directory "/etc/letsencrypt/live")) (match config (($ package webroot certificates email server rsa-key-size default-location) @@ -258,10 +320,7 @@ (define (certbot-activation config) (map (generate-certificate-gexp certbot-cert-directory rsa-key-size) (filter certificate-configuration-start-self-signed? - certificates))) - - (copy-file #$(certbot-command config) #$script) - (display #$message))))))) + certificates))))))))) (define certbot-nginx-server-configurations (match-lambda 
@@ -294,7 +353,9 @@ (define certbot-service-type (service-extension activation-service-type certbot-activation) (service-extension mcron-service-type - certbot-renewal-jobs))) + certbot-renewal-jobs) + (service-extension shepherd-root-service-type + certbot-renewal-one-shot))) (compose concatenate) (extend (lambda (config additional-certificates) (certbot-configuration -- 2.41.0

Subject: bug#46961: Nginx and certbot cervices don't play well togther
Resent-From: Carlo Zancanaro
Resent-Date: Wed, 31 Jan 2024 12:04:01 +0000
To: Clément Lassieur
Cc: 46961@debbugs.gnu.org
From: Carlo Zancanaro
Date: Wed, 31 Jan 2024 11:50:23 +0000
In-reply-to: <87zfwms4mb.fsf_-_@lassieur.org>
Message-ID: <87v879oglq.fsf@zancanaro.id.au>

On Wed, Jan 31 2024, Clément Lassieur wrote:

> Removing guix-devel. I've also removed Brice.
>
> On Tue, Jan 30 2024, Carlo Zancanaro wrote:
>> (format #t "Acquiring or renewing certificate: ~a~%" name)
>
> Here we could add ‘(force-output)’, because otherwise those logs arrive
> after the certbot logs, and it's hard to understand anything.

Done.

>> + ;; If we have a connection error, then bail early
>> + ;; with exit code 2. We don't expect this to
>> + ;; resolve within the timespan of this script.
>
> Could we have a (log + force-output) here too? (I imagine within a
> ‘begin’)

Done.

>> + ;; If we have any other type of error, then continue
>> + ;; but exit with a failing status code in the end.
>
> and here?

Done.

> And maybe a log also in case the command succeeds. (So that would mean
> to replace ‘unless’ with ‘if’).

Done.

>> + (< attempt 12)) ; 12 * 10 seconds = 2 minutes
> ^------
> This comment is not true because certbot takes time to execute
> (around 15s on my vm). I don't think there is a need to be that
> precise.

I haven't extracted/named the max-attempts value, but I have removed the comments that imply that the time frame is bounded.

> Also could you update the example in the docs?

I have removed the %certbot-deploy-hook in the example in the manual.

> ... However, we could add a nginx-service-type and a
> dhcp-client-service-type so that people have an idea of what the
> minimal config is, maybe like I did in my first review:
> https://debbugs.gnu.org/cgi/bugreport.cgi?bug=46961#23.

I have not added this. I understand the desire, but I'm wary of providing an example that's "too involved". The current example demonstrates a minimal config of certbot itself. I think you are looking to include an example of a minimal system that hosts a website using certbot provided certificates. I don't know where an example like that belongs, but I'm not yet convinced it belongs in the certbot service documentation.

Carlo
From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Brice Waegeneire
Subject: bug#46961: closed (Re: bug#46961: Nginx and certbot cervices don't play well togther)
Date: Wed, 31 Jan 2024 15:59:01 +0000

Your bug report

#46961: Nginx and certbot cervices don't play well togther

which was filed against the guix package, has been closed.

The explanation is attached below, along with your original report. If you require more details, please reply to 46961@debbugs.gnu.org.

--
46961: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=46961
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems
From: Clément Lassieur
To: Carlo Zancanaro
Subject: Re: bug#46961: Nginx and certbot cervices don't play well togther
In-Reply-To: <87v879oglq.fsf@zancanaro.id.au> (Carlo Zancanaro's message of "Wed, 31 Jan 2024 11:50:23 +0000")
Date: Wed, 31 Jan 2024 16:58:07 +0100
Message-ID: <87sf2debqo.fsf@lassieur.org>
Cc: 46961-done@debbugs.gnu.org

On Wed, Jan 31 2024, Carlo Zancanaro wrote:

>>> + (< attempt 12)) ; 12 * 10 seconds = 2 minutes
>> ^------
>> This comment is not true because certbot takes time to execute (around 15s
>> on my vm). I don't think there is a need to be that precise.
>
> I haven't extracted/named the max-attempts value, but I have removed the
> comments that imply that the time frame is bounded.

Ok

>> Also could you update the example in the docs?
>
> I have removed the %certbot-deploy-hook in the example in the manual.
>
>> ... However, we could add a nginx-service-type and a
>> dhcp-client-service-type so that people have an idea of what the minimal
>> config is, maybe like I did in my first review:
>> https://debbugs.gnu.org/cgi/bugreport.cgi?bug=46961#23.
>
> I have not added this. I understand the desire, but I'm wary of providing an
> example that's "too involved". The current example demonstrates a minimal
> config of certbot itself. I think you are looking to include an example of a
> minimal system that hosts a website using certbot provided certificates. I
> don't know where an example like that belongs, but I'm not yet convinced it
> belongs in the certbot service documentation.

Sounds good

Pushed, thank you!
Clément
From: Brice Waegeneire
To: bug-guix@gnu.org
Subject: Nginx and certbot cervices don't play well togther
Date: Sat, 06 Mar 2021 09:15:04 +0100
Message-ID: <87pn0cy9yv.fsf@waegenei.re>
Cc: guix-devel@gnu.org

Hello Guix,

After a suggestion from Tobias to give a try at forcing HTTPS for Guix's websites on berlin, I had a go at it, but it was more complex than what I was expecting. Looking deeper at the nginx and certbot services, it appears both services don't play that well together, requiring an initial dance when deploying a new HTTPS virtual server.
As explained in #36389¹ you need to:

« - run system configuration with just the certbot service
  - use certbot to generate your initial certificates
  - reconfigure with additional nginx server configuration, pointing to
    the SSL certificates created by certbot »

Indeed, with an operating-system containing the following services it's
impossible to start Nginx and Certbot at once as one would expect:

--8<---------------cut here---------------start------------->8---
(service nginx-service-type)
(service php-fpm-service-type)
(service certbot-service-type
         (certbot-configuration
          (certificates
           (list
            (certificate-configuration
             (domains '("test.sama.re"))
             (deploy-hook
              (program-file "nginx-deploy-hook"
                            #~(let ((pid (call-with-input-file "/var/run/nginx.pid" read)))
                                (kill pid SIGHUP)))))))))
(cat-avatar-generator-service
 #:configuration
 (nginx-server-configuration
  (listen '("443 ssl"))
  (server-name '("test.sama.re"))
  (ssl-certificate "/etc/letsencrypt/live/test.sama.re/fullchain.pem")
  (ssl-certificate-key "/etc/letsencrypt/live/test.sama.re/privkey.pem")))
--8<---------------cut here---------------end--------------->8---

Here is the error from reconfiguring the system:

--8<---------------cut here---------------start------------->8---
# guix system reconfigure /etc/config.sm
[...]
building /gnu/store/55cq2ja4i5489s55viv9fh50032d1ziy-switch-to-system.scm.drv...
making '/gnu/store/p2rkcmrnpls5py7x2iappf2qcbxwlb95-system' the current system...
setting up setuid programs in '/run/setuid-programs'...
populating /etc from /gnu/store/k2kb8hsq3q0dhhad4a9pjh4kx32mn4g0-etc...
/var/lib/certbot/renew-certificates may need to be run
creating nginx log directory '/var/log/nginx'
creating nginx run directory '/var/run/nginx'
creating nginx temp directories '/var/run/nginx/{client_body,proxy,fastcgi,uwsgi,scgi}_temp'
nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/test.sama.re/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/test.sama.re/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /gnu/store/chpw631djay2w39x7agg8zz53iayy4zy-nginx.conf test failed
`/gnu/store/jyxc290q7jyhhpalski0h13h8z9zvnka-openssh-authorized-keys/bricewge' -> `/etc/ssh/authorized_keys.d/bricewge'
The following derivation will be built:
  /gnu/store/qlzbrmpx6wnhzqcpqi9yrbb6xva82kvr-install-bootloader.scm.drv
building /gnu/store/qlzbrmpx6wnhzqcpqi9yrbb6xva82kvr-install-bootloader.scm.drv...
guix system: bootloader successfully installed on '/dev/sda'
The following derivation will be built:
  /gnu/store/ikak44inrnz3b3dx8j8csdakgqafbijn-upgrade-shepherd-services.scm.drv
building /gnu/store/ikak44inrnz3b3dx8j8csdakgqafbijn-upgrade-shepherd-services.scm.drv...
shepherd: Removing service 'dbus-system'...
shepherd: Service dbus-system has been stopped.
shepherd: Done.
shepherd: Service host-name has been started.
shepherd: Service user-homes has been started.
shepherd: Service host-name has been started.
shepherd: Service term-auto could not be started.
shepherd: Service php-fpm has been started.
guix system: warning: exception caught while executing 'start' on service 'nginx':
Throw to key `%exception' with args `("#<&invoke-error program: \"/gnu/store/hn1mvgafkpf5knrnzvwpgpdlzmq553al-nginx-1.19.6/sbin/nginx\" arguments: (\"-c\" \"/gnu/store/chpw631djay2w39x7agg8zz53iayy4zy-nginx.conf\" \"-p\" \"/var/run/nginx\") exit-status: 1 term-signal: #f stop-signal: #f>")'.
guix system: warning: some services could not be upgraded
hint: To allow changes to all the system services to take effect, you will need to reboot.
--8<---------------cut here---------------end--------------->8---

What happens is Nginx won't start because the certificate-related files
present in its configuration don't exist, and we can't get a Let's Encrypt
certificate from an HTTP-01 challenge without that web server running.

NixOS broke that chicken-and-egg problem by generating a self-signed
certificate first, after that starting nginx, then requesting a valid
Let's Encrypt certificate and finally reloading Nginx. That way we end up
with an Nginx server using a Let's Encrypt certificate with no more than a
simple system reconfiguration. Note that the initial self-signed
certificate will need to be at the path where certbot will put its own
certificate.

WDYT?

¹ https://bugs.gnu.org/36389

Cheers,
- Brice
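As an added example (not part of the bug report, and not Guix's own code), the first step of the NixOS-style bootstrap described above, reduced to what can run stand-alone: create a throw-away self-signed certificate at the exact path certbot will later overwrite, so nginx's "cannot load certificate" [emerg] does not abort startup, plus a check that tells the placeholder apart from a CA-issued certificate once certbot has run. It assumes the openssl CLI is installed; LIVE_ROOT is an overridable stand-in for /etc/letsencrypt/live and PLACEHOLDER_CN is a constructed marker name.

```shell
#!/bin/sh
# Added example: bootstrap a self-signed placeholder where certbot will put
# the real fullchain.pem/privkey.pem, so nginx can start before the HTTP-01
# challenge has ever succeeded. Assumes the openssl CLI is available.
set -eu

LIVE_ROOT="${LIVE_ROOT:-/etc/letsencrypt/live}"   # certbot's live directory
PLACEHOLDER_CN="placeholder.invalid"              # constructed marker, not a host

# ensure_placeholder DOMAIN
# Returns 0 if a placeholder pair was created, 1 if certificate files already
# exist (never overwrite: they may be the real Let's Encrypt ones).
ensure_placeholder() {
    domain="$1"
    live="$LIVE_ROOT/$domain"
    if [ -s "$live/fullchain.pem" ] && [ -s "$live/privkey.pem" ]; then
        return 1
    fi
    mkdir -p "$live"
    # Short-lived, key readable only by the creating user (umask in a subshell
    # so it does not leak into the caller's shell).
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
          -subj "/CN=$PLACEHOLDER_CN" \
          -keyout "$live/privkey.pem" -out "$live/fullchain.pem" ) 2>/dev/null
    return 0
}

# is_placeholder DOMAIN
# Returns 0 while the live certificate is still our self-signed stand-in
# (subject == issuer and the marker CN), 1 once a CA-issued certificate is in
# place or no certificate exists. Handy after certbot and the SIGHUP deploy
# hook have run, to confirm nginx is no longer serving the placeholder.
is_placeholder() {
    cert="$LIVE_ROOT/$1/fullchain.pem"
    [ -s "$cert" ] || return 1
    subj=$(openssl x509 -in "$cert" -noout -subject)
    issuer=$(openssl x509 -in "$cert" -noout -issuer)
    subj=${subj#subject=}
    issuer=${issuer#issuer=}
    if [ "$subj" = "$issuer" ]; then
        case "$subj" in *"$PLACEHOLDER_CN"*) return 0 ;; esac
    fi
    return 1
}
```

Order of operations on the host: run ensure_placeholder for each domain before nginx starts, then let certbot replace the files and the deploy hook from the configuration above reload nginx; is_placeholder returning 1 afterwards confirms the swap happened.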