From: Christine Lemmer-Webber
To: bug-guix@gnu.org
Subject: bug#50872: Prosody service + letsencrypt certs improvements
Date: Tue, 28 Sep 2021 13:01:31 -0400
Message-ID: <87h7e4tyb3.fsf@dustycloud.org>

I finally got prosody working on my server using Guix.  However, the
manual says:

  Prosodyctl will also help you to import certificates from the
  ‘letsencrypt’ directory so that the ‘prosody’ user can access them.
  See .

    prosodyctl --root cert import /etc/letsencrypt/live

However, what prosody actually does with this command is that it copies
the files from letsencrypt *over to* its own directory (but then also
restarts prosody... in theory).  According to the docs:

  This command can be put in cron or passed as a callback to automated
  certificate renewal programs such as certbot or other Let's Encrypt
  clients.  For more information on using Prosody with these, see our
  Let's Encrypt page.

Hm, in other words we really ought to run this attached to some hook
related to the letsencrypt services... when they renew successfully, it
should trigger this command, I'd think.  We do similar things for nginx,
etc...

Thoughts?  Does this seem right?
 - Christine

From: Carlo Zancanaro
To: Christine Lemmer-Webber
Cc: 50872@debbugs.gnu.org
Subject: bug#50872: Prosody service + letsencrypt certs improvements
Date: Thu, 30 Sep 2021 07:06:31 +1000
Message-ID: <87zgrv13hp.fsf@zancanaro.id.au>
In-reply-to: <87h7e4tyb3.fsf@dustycloud.org>

Hi Christine,

On Tue, Sep 28 2021, Christine Lemmer-Webber wrote:
> Hm, in other words we really ought to run this attached to some
> hook related to the letsencrypt services... when they renew
> successfully, it should trigger this command, I'd think.  We do
> similar things for nginx, etc...

I'm pretty sure Guix doesn't do anything automatic when certificates
are renewed.  For nginx there's an example in the manual for how to
set up a deploy hook to reload the certificates[1], so I expect that
you'll have to set up something similar.

My prosody setup has this deploy hook:

  (program-file
   "reload-certificates"
   #~(let ((prosodyctl (string-append #$(specification->package "prosody")
                                      "/bin/prosodyctl")))
       (system* prosodyctl "--root" "cert" "import" "/etc/letsencrypt/live")
       (system* prosodyctl "reload")))

but I have recently had some trouble with it (prosody hasn't been
reloading the certificate properly).  I don't think my issue is
related to this deploy hook, though.

I hope that helps!

Carlo

[1]: https://guix.gnu.org/en/manual/en/html_node/Certificate-Services.html

From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Christine Lemmer-Webber
Subject: bug#50872: closed (Re: bug#50872: Prosody service + letsencrypt certs improvements)
Date: Wed, 29 Sep 2021 23:45:02 +0000

Your bug report

#50872: Prosody service + letsencrypt certs improvements

which was filed against the guix package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 50872@debbugs.gnu.org.

-- 
50872: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=50872
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

From: Christine Lemmer-Webber
To: Carlo Zancanaro
Cc: 50872-done@debbugs.gnu.org
Subject: Re: bug#50872: Prosody service + letsencrypt certs improvements
Date: Wed, 29 Sep 2021 19:43:29 -0400
Message-ID: <87fstnosjv.fsf@dustycloud.org>
In-reply-to: <87zgrv13hp.fsf@zancanaro.id.au>

Carlo Zancanaro writes:

> Hi Christine,
>
> On Tue, Sep 28 2021, Christine Lemmer-Webber wrote:
>> Hm, in other words we really ought to run this attached to some hook
>> related to the letsencrypt services... when they renew successfully,
>> it should trigger this command, I'd think.  We do similar things for
>> nginx, etc...
>
> I'm pretty sure Guix doesn't do anything automatic when certificates
> are renewed.  For nginx there's an example in the manual for how to set
> up a deploy hook to reload the certificates[1], so I expect that
> you'll have to set up something similar.

You're right... not sure why I thought it did.

> My prosody setup has this deploy hook:
>
>   (program-file
>    "reload-certificates"
>    #~(let ((prosodyctl (string-append #$(specification->package
>                                          "prosody")
>                                       "/bin/prosodyctl")))
>        (system* prosodyctl "--root" "cert" "import"
>                 "/etc/letsencrypt/live")
>        (system* prosodyctl "reload")))
>
> but I have recently had some trouble with it (prosody hasn't been
> reloading the certificate properly).  I don't think my issue is
> related to this deploy hook, though.

That seems great.  I'll give it a try.

Since this isn't significantly different from other services then
(well, excepting that prosody needs to not just reload but have the
import command run again... but you've provided what looks like a good
solution above) I'm going to close this.

> I hope that helps!

It does, thanks!

> Carlo
>
> [1]:
> https://guix.gnu.org/en/manual/en/html_node/Certificate-Services.html
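
Added example (not part of the thread and not Guix's own code): the deploy hook discussed above, wired into a certbot service so that it runs after each successful renewal, and made to stop with a non-zero exit when a prosodyctl step fails instead of silently leaving the old certificate in place. The domain, e-mail address and the names %prosody-deploy-hook, %certbot-service and run are placeholders chosen for this sketch.

```scheme
;; Added example; "xmpp.example.org" and "admin@example.org" are placeholders.
(use-modules (gnu))
(use-service-modules certbot)

(define %prosody-deploy-hook
  (program-file
   "prosody-deploy-hook"
   #~(let* ((prosodyctl (string-append #$(specification->package "prosody")
                                       "/bin/prosodyctl"))
            ;; Run one prosodyctl subcommand.  system* returns a wait
            ;; status; status:exit-val is #f when the process was killed
            ;; by a signal, which is also treated as a failure here.
            (run (lambda args
                   (let ((code (status:exit-val
                                (apply system* prosodyctl args))))
                     (unless (eqv? code 0)
                       (format (current-error-port)
                               "prosodyctl ~a failed (exit ~a)~%" args code)
                       (exit 1))))))
       ;; Copy the renewed files into Prosody's own certificate directory,
       ;; then ask the running server to pick them up.  The reload is
       ;; skipped when the import did not succeed.
       (run "--root" "cert" "import" "/etc/letsencrypt/live")
       (run "reload"))))

(define %certbot-service
  (service certbot-service-type
           (certbot-configuration
            (email "admin@example.org")
            (certificates
             (list (certificate-configuration
                    (domains '("xmpp.example.org"))
                    ;; Run once for each successfully renewed certificate.
                    (deploy-hook %prosody-deploy-hook)))))))
```

Add %certbot-service to the services field of the operating-system declaration alongside the prosody service.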