* Nginx and certbot cervices don't play well togther @ 2021-03-06 8:15 Brice Waegeneire 2024-01-24 12:18 ` bug#46961: [PATCH 0/2] Allow nginx to start before certbot has run Carlo Zancanaro 0 siblings, 1 reply; 22+ messages in thread From: Brice Waegeneire @ 2021-03-06 8:15 UTC (permalink / raw) To: bug-guix; +Cc: guix-devel Hello Guix, After an suggestion from Tobias to give a try at forcing HTTPS for Guix's websites on berlin, I had a go at it but it was more complex that what I was expecting. Looking deeper at nginx and certbot services it appear both services don't play that well together, requering a inital dance when deploying a new HTTPS virtual server. As explained in #36389¹ you need to: « - run system configuration with just the certbot service - use certbot to generate your initial certificates - reconfigure with additional nginx server configuration, pointing to the SSL certificates created by certbot » Indeed, with an operating-system continaing the following services it's impossible to sart Nginx and Certbot at once as one would expect: --8<---------------cut here---------------start------------->8--- (service nginx-service-type) (service php-fpm-service-type) (service certbot-service-type (certbot-configuration (certificates (list (certificate-configuration (domains '("test.sama.re")) (deploy-hook (program-file "nginx-deploy-hook" #~(let ((pid (call-with-input-file "/var/run/nginx.pid" read))) (kill pid SIGHUP))))))))) (cat-avatar-generator-service #:configuration (nginx-server-configuration (listen '("443 ssl")) (server-name '("test.sama.re")) (ssl-certificate "/etc/letsencrypt/live/test.sama.re/fullchain.pem") (ssl-certificate-key "/etc/letsencrypt/live/test.sama.re/privkey.pem"))) --8<---------------cut here---------------end--------------->8--- Here is the error from reconfiguring the system: --8<---------------cut here---------------start------------->8--- # guix system reconfigure /etc/config.sm [...] building /gnu/store/55cq2ja4i5489s55viv9fh50032d1ziy-switch-to-system.scm.drv... making '/gnu/store/p2rkcmrnpls5py7x2iappf2qcbxwlb95-system' the current system... setting up setuid programs in '/run/setuid-programs'... populating /etc from /gnu/store/k2kb8hsq3q0dhhad4a9pjh4kx32mn4g0-etc... /var/lib/certbot/renew-certificates may need to be run creating nginx log directory '/var/log/nginx' creating nginx run directory '/var/run/nginx' creating nginx temp directories '/var/run/nginx/{client_body,proxy,fastcgi,uwsgi,scgi}_temp' nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/test.sama.re/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/test.sama.re/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file) nginx: configuration file /gnu/store/chpw631djay2w39x7agg8zz53iayy4zy-nginx.conf test failed `/gnu/store/jyxc290q7jyhhpalski0h13h8z9zvnka-openssh-authorized-keys/bricewge' -> `/etc/ssh/authorized_keys.d/bricewge' The following derivation will be built: /gnu/store/qlzbrmpx6wnhzqcpqi9yrbb6xva82kvr-install-bootloader.scm.drv building /gnu/store/qlzbrmpx6wnhzqcpqi9yrbb6xva82kvr-install-bootloader.scm.drv... guix system: bootloader successfully installed on '/dev/sda' The following derivation will be built: /gnu/store/ikak44inrnz3b3dx8j8csdakgqafbijn-upgrade-shepherd-services.scm.drv building /gnu/store/ikak44inrnz3b3dx8j8csdakgqafbijn-upgrade-shepherd-services.scm.drv... shepherd: Removing service 'dbus-system'... shepherd: Service dbus-system has been stopped. shepherd: Done. shepherd: Service host-name has been started. shepherd: Service user-homes has been started. shepherd: Service host-name has been started. shepherd: Service term-auto could not be started. shepherd: Service php-fpm has been started. guix system: warning: exception caught while executing 'start' on service 'nginx': Throw to key `%exception' with args `("#<&invoke-error program: \"/gnu/store/hn1mvgafkpf5knrnzvwpgpdlzmq553al-nginx-1.19.6/sbin/nginx\" arguments: (\"-c\" \"/gnu/store/chpw631djay2w39x7agg8zz53iayy4zy-nginx.conf\" \"-p\" \"/var/run/nginx\") exit-status: 1 term-signal: #f stop-signal: #f>")'. guix system: warning: some services could not be upgraded hint: To allow changes to all the system services to take effect, you will need to reboot. --8<---------------cut here---------------end--------------->8--- What happen is Nginx won't start because the certficate related files present in it's configuration doesn't exist and we can't get a Let's Encrypt certificate from a HTTP-01 challenge without that web server running. NixOS broke that chicken and egg problem by generating a self-signed certificate first, after that starting nginx, then requesting a valid Lets' Encrypt certificate and finally reloading Nginx. That way we end up with a Nginx server using Let's Encrypt certificate with no more that a simple system reconfiguration. Note that, the initial self-signed certificate will need to be at the path were certbot will put it's own certificate. WDYT? ¹ https://bugs.gnu.org/36389 Cheers, - Brice ^ permalink raw reply [flat|nested] 22+ messages in thread
* bug#46961: [PATCH 0/2] Allow nginx to start before certbot has run 2021-03-06 8:15 Nginx and certbot cervices don't play well togther Brice Waegeneire @ 2024-01-24 12:18 ` Carlo Zancanaro 2024-01-24 12:18 ` bug#46961: [PATCH 1/2] services: certbot: Symlink certificates to /etc/certs Carlo Zancanaro ` (4 more replies) 0 siblings, 5 replies; 22+ messages in thread From: Carlo Zancanaro @ 2024-01-24 12:18 UTC (permalink / raw) To: 46961 From time to time people have issues with setting up a new system with certbot generating certificates for an nginx server. The issue is that nginx won't start without being able to load certificates, but certbot can't generate certificates (through the default HTTP challenge) without a running nginx server. Breaking this has generally required two reconfigures: one with nginx configured without loading certificates, and then a second reconfigure after running certbot to add the certificate configuration. This is a bit of a pain, so I've made Guix generate a self-signed certificate to allow nginx to start before certbot has run. Unfortunately, I couldn't put the certificates in the same location as certbot, because certbot is very particular about its directories not existing when it requests a certificate for the first time. Rather than try to convince it to do what I wanted, I opted to add another level of indirection and move certificates to /etc/certs/. This is backwards compatible, because the old /etc/letsenctypt/live/ is maintained by certbot. The only real difference is for the initial bootstrapping of a certificate. Carlo Zancanaro (2): services: certbot: Symlink certificates to /etc/certs services: certbot: Create self-signed certificates before certbot runs doc/guix.texi | 32 +++++++++------ gnu/services/certbot.scm | 86 ++++++++++++++++++++++++++++++++++++++-- 2 files changed, 102 insertions(+), 16 deletions(-) base-commit: ffc5fefce370f5fc01091869e13fdf525be1e0c0 -- 2.41.0 ^ permalink raw reply [flat|nested] 22+ messages in thread
* bug#46961: [PATCH 1/2] services: certbot: Symlink certificates to /etc/certs 2024-01-24 12:18 ` bug#46961: [PATCH 0/2] Allow nginx to start before certbot has run Carlo Zancanaro @ 2024-01-24 12:18 ` Carlo Zancanaro 2024-01-24 12:18 ` bug#46961: [PATCH 2/2] services: certbot: Create self-signed certificates before certbot runs Carlo Zancanaro ` (3 subsequent siblings) 4 siblings, 0 replies; 22+ messages in thread From: Carlo Zancanaro @ 2024-01-24 12:18 UTC (permalink / raw) To: 46961 * gnu/services/certbot.scm (certbot-deploy-hook): New procedure. (certbot-command): Pass new deploy hook to certbot. * doc/guix.texi: Replace "letsencrypt/live" with "certs" throughout. --- doc/guix.texi | 26 +++++++++++++------------- gnu/services/certbot.scm | 34 ++++++++++++++++++++++++++++++++-- 2 files changed, 45 insertions(+), 15 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index a6187690bb..2d43ab9a65 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -43,7 +43,7 @@ Copyright @copyright{} 2017, 2018, 2019 Clément Lassieur@* Copyright @copyright{} 2017, 2018, 2020, 2021, 2022 Mathieu Othacehe@* Copyright @copyright{} 2017 Federico Beffa@* -Copyright @copyright{} 2017, 2018 Carlo Zancanaro@* +Copyright @copyright{} 2017, 2018, 2024 Carlo Zancanaro@* Copyright @copyright{} 2017 Thomas Danckaert@* Copyright @copyright{} 2017 humanitiesNerd@* Copyright @copyright{} 2017, 2021 Christine Lemmer-Webber@* @@ -28117,7 +28117,7 @@ Messaging Services them. See @url{https://prosody.im/doc/letsencrypt}. @example -prosodyctl --root cert import /etc/letsencrypt/live +prosodyctl --root cert import /etc/certs @end example The available configuration parameters follow. Each parameter @@ -28820,8 +28820,8 @@ Telephony Services (welcome-text "Welcome to this Mumble server running on Guix!") (cert-required? #t) ;disallow text password logins - (ssl-cert "/etc/letsencrypt/live/mumble.example.com/fullchain.pem") - (ssl-key "/etc/letsencrypt/live/mumble.example.com/privkey.pem"))) + (ssl-cert "/etc/certs/mumble.example.com/fullchain.pem") + (ssl-key "/etc/certs/mumble.example.com/privkey.pem"))) @end lisp After reconfiguring your system, you can manually set the mumble-server @@ -28939,12 +28939,12 @@ Telephony Services File name of the SSL/TLS certificate used for encrypted connections. @lisp -(ssl-cert "/etc/letsencrypt/live/example.com/fullchain.pem") +(ssl-cert "/etc/certs/example.com/fullchain.pem") @end lisp @item @code{ssl-key} (default: @code{#f}) Filepath to the ssl private key used for encrypted connections. @lisp -(ssl-key "/etc/letsencrypt/live/example.com/privkey.pem") +(ssl-key "/etc/certs/example.com/privkey.pem") @end lisp @item @code{ssl-dh-params} (default: @code{#f}) @@ -32659,7 +32659,7 @@ Certificate Services Command to be run in a shell once for each successfully issued certificate. For this command, the shell variable @code{$RENEWED_LINEAGE} will point to the config live subdirectory (for -example, @samp{"/etc/letsencrypt/live/example.com"}) containing the new +example, @samp{"/etc/certs/example.com"}) containing the new certificates and keys; the shell variable @code{$RENEWED_DOMAINS} will contain a space-delimited list of renewed certificate domains (for example, @samp{"example.com www.example.com"}. @@ -32668,8 +32668,8 @@ Certificate Services @end deftp For each @code{certificate-configuration}, the certificate is saved to -@code{/etc/letsencrypt/live/@var{name}/fullchain.pem} and the key is -saved to @code{/etc/letsencrypt/live/@var{name}/privkey.pem}. +@code{/etc/certs/@var{name}/fullchain.pem} and the key is +saved to @code{/etc/certs/@var{name}/privkey.pem}. @node DNS Services @subsection DNS Services @cindex DNS (domain name system) @@ -37355,9 +37355,9 @@ Version Control Services (listen '("443 ssl")) (server-name "git.my-host.org") (ssl-certificate - "/etc/letsencrypt/live/git.my-host.org/fullchain.pem") + "/etc/certs/git.my-host.org/fullchain.pem") (ssl-certificate-key - "/etc/letsencrypt/live/git.my-host.org/privkey.pem") + "/etc/certs/git.my-host.org/privkey.pem") (locations (list (git-http-nginx-location-configuration @@ -38482,9 +38482,9 @@ Version Control Services (nginx-server-block (nginx-server-configuration (ssl-certificate - "/etc/letsencrypt/live/myweb.site/fullchain.pem") + "/etc/certs/myweb.site/fullchain.pem") (ssl-certificate-key - "/etc/letsencrypt/live/myweb.site/privkey.pem") + "/etc/certs/myweb.site/privkey.pem") (listen '("443 ssl http2" "[::]:443 ssl http2")) (locations (list diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm index 0c45471659..58e709f8a4 100644 --- a/gnu/services/certbot.scm +++ b/gnu/services/certbot.scm @@ -6,6 +6,7 @@ ;;; Copyright © 2020 Jack Hill <jackhill@jackhill.us> ;;; Copyright © 2020 Tobias Geerinckx-Rice <me@tobias.gr> ;;; Copyright © 2021 Raghav Gururajan <rg@raghavgururajan.name> +;;; Copyright © 2024 Carlo Zancanaro <carlo@zancanaro.id.au> ;;; ;;; This file is part of GNU Guix. ;;; @@ -87,6 +88,35 @@ (define-record-type* <certbot-configuration> (body (list "return 301 https://$host$request_uri;")))))) +(define (certbot-deploy-hook name deploy-hook-script) + "Returns a gexp which creates symlinks for privkey.pem and fullchain.pem +from /etc/certs/NAME to /etc/letsenctypt/live/NAME. If DEPLOY-HOOK-SCRIPT is +not #f then it is run after the symlinks have been created." + (program-file + (string-append name "-deploy-hook") + (with-imported-modules '((guix build utils)) + #~(begin + (use-modules (guix build utils)) + (mkdir-p #$(string-append "/etc/certs/" name)) + (chmod #$(string-append "/etc/certs/" name) #o755) + + ;; Create new symlinks + (symlink #$(string-append + "/etc/letsencrypt/live/" name "/privkey.pem") + #$(string-append "/etc/certs/" name "/privkey.pem.new")) + (symlink #$(string-append + "/etc/letsencrypt/live/" name "/fullchain.pem") + #$(string-append "/etc/certs/" name "/fullchain.pem.new")) + + ;; Rename over the top of the old ones, if there are any. + (rename-file #$(string-append "/etc/certs/" name "/privkey.pem.new") + #$(string-append "/etc/certs/" name "/privkey.pem")) + (rename-file #$(string-append "/etc/certs/" name "/fullchain.pem.new") + #$(string-append "/etc/certs/" name "/fullchain.pem")) + #$@(if deploy-hook-script + (list #~(invoke #$deploy-hook-script)) + '()))))) + (define certbot-command (match-lambda (($ <certbot-configuration> package webroot certificates email @@ -118,7 +148,7 @@ (define certbot-command `("--manual-auth-hook" ,authentication-hook) '()) (if cleanup-hook `("--manual-cleanup-hook" ,cleanup-hook) '()) - (if deploy-hook `("--deploy-hook" ,deploy-hook) '())) + (list "--deploy-hook" (certbot-deploy-hook name deploy-hook))) (append (list name certbot "certonly" "-n" "--agree-tos" "--webroot" "-w" webroot @@ -130,7 +160,7 @@ (define certbot-command '("--register-unsafely-without-email")) (if server `("--server" ,server) '()) (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '()) - (if deploy-hook `("--deploy-hook" ,deploy-hook) '())))))) + (list "--deploy-hook" (certbot-deploy-hook name deploy-hook))))))) certificates))) (program-file "certbot-command" -- 2.41.0 ^ permalink raw reply related [flat|nested] 22+ messages in thread
* bug#46961: [PATCH 2/2] services: certbot: Create self-signed certificates before certbot runs 2024-01-24 12:18 ` bug#46961: [PATCH 0/2] Allow nginx to start before certbot has run Carlo Zancanaro 2024-01-24 12:18 ` bug#46961: [PATCH 1/2] services: certbot: Symlink certificates to /etc/certs Carlo Zancanaro @ 2024-01-24 12:18 ` Carlo Zancanaro 2024-01-24 13:01 ` Carlo Zancanaro ` (2 more replies) 2024-01-30 13:26 ` bug#46961: [PATCH v2 0/4] Make certbot play more nicely with nginx Carlo Zancanaro ` (2 subsequent siblings) 4 siblings, 3 replies; 22+ messages in thread From: Carlo Zancanaro @ 2024-01-24 12:18 UTC (permalink / raw) To: 46961 * gnu/services/certbot.scm (<certificate-configuration>): Add start-self-signed? field. (generate-certificate-gexp): New procedure. (certbot-activation): Generate self-signed certificates when start-self-signed? is #t. * doc/guix.texi (Certificate services): Document start-self-signed?. --- doc/guix.texi | 6 +++++ gnu/services/certbot.scm | 56 +++++++++++++++++++++++++++++++++++++--- 2 files changed, 59 insertions(+), 3 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index 2d43ab9a65..15b256d0a3 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -32664,6 +32664,12 @@ Certificate Services contain a space-delimited list of renewed certificate domains (for example, @samp{"example.com www.example.com"}. +@item @code{start-self-signed?} (default: @code{#t}) +Whether to generate an initial self-signed certificate during system +activation. This option is particularly useful to allow @code{nginx} to +start before @code{certbot} has run, because @code{certbot} relies on +@code{nginx} running to perform HTTP challenges. + @end table @end deftp diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm index 58e709f8a4..bb321a1b50 100644 --- a/gnu/services/certbot.scm +++ b/gnu/services/certbot.scm @@ -64,7 +64,9 @@ (define-record-type* <certificate-configuration> (cleanup-hook certificate-cleanup-hook (default #f)) (deploy-hook certificate-configuration-deploy-hook - (default #f))) + (default #f)) + (start-self-signed? certificate-configuration-start-self-signed? + (default #t))) (define-record-type* <certbot-configuration> certbot-configuration make-certbot-configuration @@ -91,7 +93,10 @@ (define-record-type* <certbot-configuration> (define (certbot-deploy-hook name deploy-hook-script) "Returns a gexp which creates symlinks for privkey.pem and fullchain.pem from /etc/certs/NAME to /etc/letsenctypt/live/NAME. If DEPLOY-HOOK-SCRIPT is -not #f then it is run after the symlinks have been created." +not #f then it is run after the symlinks have been created. This wrapping is +necessary for certificates with start-self-signed? set to #t, as it will +overwrite the initial self-signed certificates upon the first successful +deploy." (program-file (string-append name "-deploy-hook") (with-imported-modules '((guix build utils)) @@ -108,7 +113,8 @@ (define (certbot-deploy-hook name deploy-hook-script) "/etc/letsencrypt/live/" name "/fullchain.pem") #$(string-append "/etc/certs/" name "/fullchain.pem.new")) - ;; Rename over the top of the old ones, if there are any. + ;; Rename over the top of the old ones, just in case they were the + ;; original self-signed certificates. (rename-file #$(string-append "/etc/certs/" name "/privkey.pem.new") #$(string-append "/etc/certs/" name "/privkey.pem")) (rename-file #$(string-append "/etc/certs/" name "/fullchain.pem.new") @@ -182,6 +188,44 @@ (define (certbot-renewal-jobs config) #~(job '(next-minute-from (next-hour '(0 12)) (list (random 60))) #$(certbot-command config)))) +(define (generate-certificate-gexp certbot-cert-directory rsa-key-size) + (match-lambda + (($ <certificate-configuration> name (primary-domain other-domains ...) challenge + csr authentication-hook + cleanup-hook deploy-hook) + (let (;; Arbitrary default subject, with just the + ;; right domain filled in. These values don't + ;; have any real significance. + (subject (string-append "/C=US/ST=Oregon/L=Portland/O=Company Name/OU=Org/CN=" + primary-domain)) + (alt-names (if (null? other-domains) + #f + (format #f "subjectAltName=~{DNS:~a~^,~}" other-domains))) + (directory (string-append "/etc/certs/" (or name primary-domain)))) + #~(begin + (use-modules (ice-9 format)) + (when (not (file-exists? #$directory)) + ;; Due to the way certbot runs, we need to + ;; create the self-signed certificates in the + ;; archive folder and symlink them into the live + ;; folder. This mimics what certbot does well + ;; enough to make acquiring new certificates + ;; work. + (mkdir-p #$directory) + (chmod #$directory #o755) + (invoke #$(file-append openssl "/bin/openssl") + "req" "-x509" + "-newkey" #$(string-append "rsa:" (or rsa-key-size "4096")) + "-keyout" #$(string-append directory "/privkey.pem") + "-out" #$(string-append directory "/fullchain.pem") + "-sha256" + "-days" "1" ; Only one day, because we expect certbot to run + "-nodes" + "-subj" #$subject + #$@(if alt-names + (list "-addext" alt-names) + (list))))))))) + (define (certbot-activation config) (let* ((certbot-directory "/var/lib/certbot") (certbot-cert-directory "/etc/letsencrypt/live") @@ -196,6 +240,12 @@ (define (certbot-activation config) (mkdir-p #$webroot) (mkdir-p #$certbot-directory) (mkdir-p #$certbot-cert-directory) + + #$@(map (generate-certificate-gexp certbot-cert-directory + (and rsa-key-size (number->string rsa-key-size))) + (filter certificate-configuration-start-self-signed? + certificates)) + (copy-file #$(certbot-command config) #$script) (display #$message))))))) -- 2.41.0 ^ permalink raw reply related [flat|nested] 22+ messages in thread
* bug#46961: [PATCH 2/2] services: certbot: Create self-signed certificates before certbot runs 2024-01-24 12:18 ` bug#46961: [PATCH 2/2] services: certbot: Create self-signed certificates before certbot runs Carlo Zancanaro @ 2024-01-24 13:01 ` Carlo Zancanaro 2024-01-29 19:23 ` bug#46961: Nginx and certbot cervices don't play well togther Clément Lassieur 2024-01-29 19:28 ` Clément Lassieur 2 siblings, 0 replies; 22+ messages in thread From: Carlo Zancanaro @ 2024-01-24 13:01 UTC (permalink / raw) Cc: 46961 On Wed, Jan 24 2024, Carlo Zancanaro wrote: > + ;; Due to the way certbot runs, we need to > + ;; create the self-signed certificates in the > + ;; archive folder and symlink them into the live > + ;; folder. This mimics what certbot does well > + ;; enough to make acquiring new certificates > + ;; work. Gah, this comment is from a previous iteration. It turns out it didn't work as well as I thought it did. I'm happy to update this comment, but I won't do that until I've heard back about the more substantive aspects of the change. I'm also happy for whoever merges this to change this comment appropriately. ^ permalink raw reply [flat|nested] 22+ messages in thread
* bug#46961: Nginx and certbot cervices don't play well togther 2024-01-24 12:18 ` bug#46961: [PATCH 2/2] services: certbot: Create self-signed certificates before certbot runs Carlo Zancanaro 2024-01-24 13:01 ` Carlo Zancanaro @ 2024-01-29 19:23 ` Clément Lassieur 2024-01-29 23:02 ` Carlo Zancanaro 2024-01-29 19:28 ` Clément Lassieur 2 siblings, 1 reply; 22+ messages in thread From: Clément Lassieur @ 2024-01-29 19:23 UTC (permalink / raw) To: Carlo Zancanaro; +Cc: 46961 Hi Carlo, On Wed, Jan 24 2024, Carlo Zancanaro wrote: > * gnu/services/certbot.scm (<certificate-configuration>): Add > start-self-signed? field. > (generate-certificate-gexp): New procedure. > (certbot-activation): Generate self-signed certificates when > start-self-signed? is #t. > * doc/guix.texi (Certificate services): Document start-self-signed?. > --- > doc/guix.texi | 6 +++++ > gnu/services/certbot.scm | 56 +++++++++++++++++++++++++++++++++++++--- > 2 files changed, 59 insertions(+), 3 deletions(-) This is great, thank you! I tested it, it worked. Could you please just make sure lines fit within 80 columns? And there is a warning during compilation, pasted below. Would it make sense now to run ‘update-certificates’ at end of the activation stuff? And would it make sense to reload nginx after ‘update-certificates’ is run? Clément > diff --git a/doc/guix.texi b/doc/guix.texi > index 2d43ab9a65..15b256d0a3 100644 > --- a/doc/guix.texi > +++ b/doc/guix.texi > @@ -32664,6 +32664,12 @@ Certificate Services > contain a space-delimited list of renewed certificate domains (for > example, @samp{"example.com www.example.com"}. > > +@item @code{start-self-signed?} (default: @code{#t}) > +Whether to generate an initial self-signed certificate during system > +activation. This option is particularly useful to allow @code{nginx} to > +start before @code{certbot} has run, because @code{certbot} relies on > +@code{nginx} running to perform HTTP challenges. > + > @end table > @end deftp > > diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm > index 58e709f8a4..bb321a1b50 100644 > --- a/gnu/services/certbot.scm > +++ b/gnu/services/certbot.scm > @@ -64,7 +64,9 @@ (define-record-type* <certificate-configuration> > (cleanup-hook certificate-cleanup-hook > (default #f)) > (deploy-hook certificate-configuration-deploy-hook > - (default #f))) > + (default #f)) > + (start-self-signed? certificate-configuration-start-self-signed? > + (default #t))) > > (define-record-type* <certbot-configuration> > certbot-configuration make-certbot-configuration > @@ -91,7 +93,10 @@ (define-record-type* <certbot-configuration> > (define (certbot-deploy-hook name deploy-hook-script) > "Returns a gexp which creates symlinks for privkey.pem and fullchain.pem > from /etc/certs/NAME to /etc/letsenctypt/live/NAME. If DEPLOY-HOOK-SCRIPT is > -not #f then it is run after the symlinks have been created." > +not #f then it is run after the symlinks have been created. This wrapping is > +necessary for certificates with start-self-signed? set to #t, as it will > +overwrite the initial self-signed certificates upon the first successful > +deploy." > (program-file > (string-append name "-deploy-hook") > (with-imported-modules '((guix build utils)) > @@ -108,7 +113,8 @@ (define (certbot-deploy-hook name deploy-hook-script) > "/etc/letsencrypt/live/" name "/fullchain.pem") > #$(string-append "/etc/certs/" name "/fullchain.pem.new")) > > - ;; Rename over the top of the old ones, if there are any. > + ;; Rename over the top of the old ones, just in case they were the > + ;; original self-signed certificates. > (rename-file #$(string-append "/etc/certs/" name "/privkey.pem.new") > #$(string-append "/etc/certs/" name "/privkey.pem")) > (rename-file #$(string-append "/etc/certs/" name "/fullchain.pem.new") > @@ -182,6 +188,44 @@ (define (certbot-renewal-jobs config) > #~(job '(next-minute-from (next-hour '(0 12)) (list (random 60))) > #$(certbot-command config)))) > > +(define (generate-certificate-gexp certbot-cert-directory rsa-key-size) > + (match-lambda > + (($ <certificate-configuration> name (primary-domain other-domains ...) challenge > + csr authentication-hook > + cleanup-hook deploy-hook) > + (let (;; Arbitrary default subject, with just the > + ;; right domain filled in. These values don't > + ;; have any real significance. > + (subject (string-append "/C=US/ST=Oregon/L=Portland/O=Company Name/OU=Org/CN=" > + primary-domain)) > + (alt-names (if (null? other-domains) > + #f > + (format #f "subjectAltName=~{DNS:~a~^,~}" other-domains))) gnu/services/certbot.scm:203:26: warning: "subjectAltName=~{DNS:~a~^,~}": unsupported format option ~{, use (ice-9 format) instead > + (directory (string-append "/etc/certs/" (or name primary-domain)))) > + #~(begin > + (use-modules (ice-9 format)) > + (when (not (file-exists? #$directory)) > + ;; Due to the way certbot runs, we need to > + ;; create the self-signed certificates in the > + ;; archive folder and symlink them into the live > + ;; folder. This mimics what certbot does well > + ;; enough to make acquiring new certificates > + ;; work. In another mail you say it doesn't work as well as you thought it did? What doesn't work? > + (mkdir-p #$directory) > + (chmod #$directory #o755) > + (invoke #$(file-append openssl "/bin/openssl") > + "req" "-x509" > + "-newkey" #$(string-append "rsa:" (or rsa-key-size "4096")) > + "-keyout" #$(string-append directory "/privkey.pem") > + "-out" #$(string-append directory "/fullchain.pem") > + "-sha256" > + "-days" "1" ; Only one day, because we expect certbot to run > + "-nodes" > + "-subj" #$subject > + #$@(if alt-names > + (list "-addext" alt-names) > + (list))))))))) > + > (define (certbot-activation config) > (let* ((certbot-directory "/var/lib/certbot") > (certbot-cert-directory "/etc/letsencrypt/live") > @@ -196,6 +240,12 @@ (define (certbot-activation config) > (mkdir-p #$webroot) > (mkdir-p #$certbot-directory) > (mkdir-p #$certbot-cert-directory) > + > + #$@(map (generate-certificate-gexp certbot-cert-directory > + (and rsa-key-size (number->string rsa-key-size))) > + (filter certificate-configuration-start-self-signed? > + certificates)) > + > (copy-file #$(certbot-command config) #$script) > (display #$message))))))) ^ permalink raw reply [flat|nested] 22+ messages in thread
* bug#46961: Nginx and certbot cervices don't play well togther 2024-01-29 19:23 ` bug#46961: Nginx and certbot cervices don't play well togther Clément Lassieur @ 2024-01-29 23:02 ` Carlo Zancanaro 2024-01-29 23:19 ` Clément Lassieur 0 siblings, 1 reply; 22+ messages in thread From: Carlo Zancanaro @ 2024-01-29 23:02 UTC (permalink / raw) To: Clément Lassieur; +Cc: 46961 Hi Clément, Thanks for taking the time to review my change. I've responded inline below. On Mon, Jan 29 2024, Clément Lassieur wrote: > This is great, thank you! I tested it, it worked. Could you please > just make sure lines fit within 80 columns? Yep, no worries. > Would it make sense now to run ‘update-certificates’ at end of the > activation stuff? We can't run it during activation, because nginx won't have started yet. However, I am planning a follow-up to add a one-shot service to run certbot after nginx starts. I'll see if I can add it to this series, but if I run into any issues I'll leave it for later. > And would it make sense to reload nginx after ‘update-certificates’ is > run? This would be a sensible default. There is an example in the manual of configuring certbot to reload nginx, so this should be straightforward to add. > gnu/services/certbot.scm:203:26: warning: "subjectAltName=~{DNS:~a~^,~}": unsupported format option ~{, use (ice-9 format) instead Ha! I import (ice-9 format), but within the gexp (and then I don't use it, whoops!). Must be a leftover from a previous iteration. I'll fix this up. >> + ;; Due to the way certbot runs, we need to >> + ;; create the self-signed certificates in the >> + ;; archive folder and symlink them into the live >> + ;; folder. This mimics what certbot does well >> + ;; enough to make acquiring new certificates >> + ;; work. > > In another mail you say it doesn't work as well as you thought it did? > What doesn't work? This comment doesn't describe the code any more. In my first attempt I was trying to generate certificates in /etc/letsencrypt/live/ and get certbot to write over them when it ran. Unfortunately, it refused to do so. I then tried writing to /etc/letsencrypt/archive/ and symlinking into /etc/letsencrypt/live/ (which is what this comment describes), but that also failed. Certbot refuses to write over any existing files when fetching a certificate. It looks like other acme clients might be happier to overwrite existing files, but changing away from certbot seemed like more work than adding a deploy hook to do what we need. I'll follow up with a v2 of this patch when I get a chance. Carlo ^ permalink raw reply [flat|nested] 22+ messages in thread
* bug#46961: Nginx and certbot cervices don't play well togther 2024-01-29 23:02 ` Carlo Zancanaro @ 2024-01-29 23:19 ` Clément Lassieur 0 siblings, 0 replies; 22+ messages in thread From: Clément Lassieur @ 2024-01-29 23:19 UTC (permalink / raw) To: Carlo Zancanaro; +Cc: 46961 On Tue, Jan 30 2024, Carlo Zancanaro wrote: >>> + ;; Due to the way certbot runs, we need to >>> + ;; create the self-signed certificates in the >>> + ;; archive folder and symlink them into the live >>> + ;; folder. This mimics what certbot does well >>> + ;; enough to make acquiring new certificates >>> + ;; work. >> >> In another mail you say it doesn't work as well as you thought it did? >> What doesn't work? > > This comment doesn't describe the code any more. In my first attempt I > was trying to generate certificates in /etc/letsencrypt/live/ and get > certbot to write over them when it ran. Unfortunately, it refused to do > so. I then tried writing to /etc/letsencrypt/archive/ and symlinking > into /etc/letsencrypt/live/ (which is what this comment describes), but > that also failed. Certbot refuses to write over any existing files when > fetching a certificate. Oh I read the comment too quickly, I thought it was describing the /etc/certs moving. I suppose you will update it so to reflect the actual state? What you did (using /etc/certs, and symlinking stuff in /etc/letsencrypt) is a good idea I think, and it's excellent that it's backward compatible! > It looks like other acme clients might be happier to overwrite existing > files, but changing away from certbot seemed like more work than adding > a deploy hook to do what we need. Indeed! > I'll follow up with a v2 of this patch when I get a chance. Thanks! > Carlo ^ permalink raw reply [flat|nested] 22+ messages in thread
* bug#46961: Nginx and certbot cervices don't play well togther 2024-01-24 12:18 ` bug#46961: [PATCH 2/2] services: certbot: Create self-signed certificates before certbot runs Carlo Zancanaro 2024-01-24 13:01 ` Carlo Zancanaro 2024-01-29 19:23 ` bug#46961: Nginx and certbot cervices don't play well togther Clément Lassieur @ 2024-01-29 19:28 ` Clément Lassieur 2 siblings, 0 replies; 22+ messages in thread From: Clément Lassieur @ 2024-01-29 19:28 UTC (permalink / raw) To: Carlo Zancanaro; +Cc: 46961 Also, I forgot, I think it would be great to have somewhere in the doc an example of minimal config.scm that works. I know we can't do proper testing because we depend of certbot service but that would make it easier for a lot of people to test it. Maybe such example is already in the docs and I haven't seen it though. Here is the one I used: --8<---------------cut here---------------start------------->8--- (use-modules (gnu) (gnu tests)) (use-package-modules web) (use-service-modules certbot networking web) (operating-system (inherit %simple-os) (services (cons* (service dhcp-client-service-type) (service nginx-service-type (nginx-configuration (server-blocks (list (nginx-server-configuration (listen '("443 ssl")) (server-name '("test.lassieur.org")) (ssl-certificate "/etc/certs/test.lassieur.org/fullchain.pem") (ssl-certificate-key "/etc/certs/test.lassieur.org/privkey.pem")))))) (service certbot-service-type (certbot-configuration (certificates (list (certificate-configuration (domains '("test.lassieur.org"))))))) %base-services))) --8<---------------cut here---------------end--------------->8--- ^ permalink raw reply [flat|nested] 22+ messages in thread
* bug#46961: [PATCH v2 0/4] Make certbot play more nicely with nginx 2024-01-24 12:18 ` bug#46961: [PATCH 0/2] Allow nginx to start before certbot has run Carlo Zancanaro 2024-01-24 12:18 ` bug#46961: [PATCH 1/2] services: certbot: Symlink certificates to /etc/certs Carlo Zancanaro 2024-01-24 12:18 ` bug#46961: [PATCH 2/2] services: certbot: Create self-signed certificates before certbot runs Carlo Zancanaro @ 2024-01-30 13:26 ` Carlo Zancanaro [not found] ` <875xzanaer.fsf__22488.5524179385$1706626282$gmane$org@lease-up.com> ` (5 more replies) 2024-01-30 13:26 ` bug#46961: [PATCH v2 " Carlo Zancanaro [not found] ` <0816d35e69610090994eb7da45715b4ee366d791.1706621200.git.carlo@zancanaro.id.au> 4 siblings, 6 replies; 22+ messages in thread From: Carlo Zancanaro @ 2024-01-30 13:26 UTC (permalink / raw) To: 46961; +Cc: guix-devel, brice, clement Hi Guix, This patch series is a few changes to make certbot default to doing "the right thing" in the common case of wanting certificates for an nginx web server. The initial change (in v1 of these patches) was to solve the certbot bootstrapping problem. Nginx won't start without valid certificates, but certbot can't produce certificates without a functional nginx. This is solved by generating self-signed certificates to start with, and then replacing them once certbot has run. Doing this requires storing certificates in a different location (because certbot is very particular). I've chosen /etc/certs/. The other two changes (new to v2 of this series) make things a bit easier to use: a one-shot shepherd service to renew certificates when the machine starts up, and a default deploy-hook to reload the nginx configuration (which picks up the new certificates). I think these changes make certbot "do the right thing", at the expense of being slightly more magical. On IRC podiki suggested I should copy guix-devel and Brice (the original bug reporter), so I've done that, too. Carlo Zancanaro (4): services: certbot: Symlink certificates to /etc/certs. services: certbot: Create self-signed certificates before certbot runs. services: certbot: Add a default deploy hook to reload nginx. services: certbot: Add one-shot service to renew certificates. doc/guix.texi | 38 ++++++--- gnu/services/certbot.scm | 178 ++++++++++++++++++++++++++++++++++++--- 2 files changed, 188 insertions(+), 28 deletions(-) base-commit: 144c95032e517bb8ce466b930fe91506bcc92b2b -- 2.41.0 ^ permalink raw reply [flat|nested] 22+ messages in thread
[parent not found: <875xzanaer.fsf__22488.5524179385$1706626282$gmane$org@lease-up.com>]
* Re: bug#46961: [PATCH v2 0/4] Make certbot play more nicely with nginx [not found] ` <875xzanaer.fsf__22488.5524179385$1706626282$gmane$org@lease-up.com> @ 2024-01-30 19:39 ` Clément Lassieur 2024-04-13 1:17 ` Felix Lechner via Development of GNU Guix and the GNU System distribution. 0 siblings, 1 reply; 22+ messages in thread From: Clément Lassieur @ 2024-01-30 19:39 UTC (permalink / raw) To: Felix Lechner via Bug reports for GNU Guix Cc: Carlo Zancanaro, 46961, Felix Lechner, guix-devel, brice On Tue, Jan 30 2024, Felix Lechner via Bug reports for GNU Guix wrote: > Hi Carlo, > > On Tue, Jan 30 2024, Carlo Zancanaro wrote: > >> certbot can't produce certificates without a functional nginx > > Yes, it can. The option is called --standalone. [1] > > Maybe another way to bootstrap the certificates would be to hold off on > starting Nginx or Apache until all certificates are obtained? Yes but if we do this and there is no internet, nginx won't start right? Carlo's solution allows to have a working nginx even when certbot fails. (If I understand well) > Anyway, that's what I do manually. > > Kind regards > Felix > > [1] https://eff-certbot.readthedocs.io/en/latest/using.html#standalone ^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: bug#46961: [PATCH v2 0/4] Make certbot play more nicely with nginx 2024-01-30 19:39 ` Clément Lassieur @ 2024-04-13 1:17 ` Felix Lechner via Development of GNU Guix and the GNU System distribution. 0 siblings, 0 replies; 22+ messages in thread From: Felix Lechner via Development of GNU Guix and the GNU System distribution. @ 2024-04-13 1:17 UTC (permalink / raw) To: Clément Lassieur, Felix Lechner via Bug reports for GNU Guix Cc: Carlo Zancanaro, guix-devel, brice Hi Clément, On Tue, Jan 30 2024, Clément Lassieur wrote: > Carlo's solution allows to have a working nginx even when certbot > fails. I just upgraded a server to the latest Guix version, which I think includes a version of this patch. To my surprise OpenSSL, which I saw in proced, generated a lot of certificates in /etc/certs. I am talking about pages and pages of asterisk, plusses, and dots for a system with twenty or so certificates. Is it possible that they were generated as a result of the patch? It would be unfavorable to create such certificates when they are not needed. It reduces valuable server entropy. Kind regards Felix ^ permalink raw reply [flat|nested] 22+ messages in thread
* bug#46961: [PATCH v3 0/4] Make certbot play more nicely with nginx 2024-01-30 13:26 ` bug#46961: [PATCH v2 0/4] Make certbot play more nicely with nginx Carlo Zancanaro [not found] ` <875xzanaer.fsf__22488.5524179385$1706626282$gmane$org@lease-up.com> @ 2024-01-31 11:46 ` Carlo Zancanaro 2024-01-31 11:46 ` bug#46961: [PATCH v3 1/4] services: certbot: Symlink certificates to /etc/certs Carlo Zancanaro ` (3 subsequent siblings) 5 siblings, 0 replies; 22+ messages in thread From: Carlo Zancanaro @ 2024-01-31 11:46 UTC (permalink / raw) To: 46961; +Cc: clement Carlo Zancanaro (4): services: certbot: Symlink certificates to /etc/certs. services: certbot: Create self-signed certificates before certbot runs. services: certbot: Reload nginx in deploy hook. services: certbot: Add one-shot service to renew certificates. doc/guix.texi | 40 ++++----- gnu/services/certbot.scm | 185 +++++++++++++++++++++++++++++++++++---- 2 files changed, 189 insertions(+), 36 deletions(-) base-commit: 7a45f7b9e1b34912ee087daf4014aa4f67b11bf0 -- 2.41.0 ^ permalink raw reply [flat|nested] 22+ messages in thread
* bug#46961: [PATCH v3 1/4] services: certbot: Symlink certificates to /etc/certs. 2024-01-30 13:26 ` bug#46961: [PATCH v2 0/4] Make certbot play more nicely with nginx Carlo Zancanaro [not found] ` <875xzanaer.fsf__22488.5524179385$1706626282$gmane$org@lease-up.com> 2024-01-31 11:46 ` bug#46961: [PATCH v3 " Carlo Zancanaro @ 2024-01-31 11:46 ` Carlo Zancanaro 2024-01-31 11:46 ` bug#46961: [PATCH v3 2/4] services: certbot: Create self-signed certificates before certbot runs Carlo Zancanaro ` (2 subsequent siblings) 5 siblings, 0 replies; 22+ messages in thread From: Carlo Zancanaro @ 2024-01-31 11:46 UTC (permalink / raw) To: 46961; +Cc: clement * gnu/services/certbot.scm (certbot-deploy-hook): New procedure. (certbot-command): Pass new deploy hook to certbot. * doc/guix.texi: Replace "letsencrypt/live" with "certs" throughout, except in the certbot deploy-hook description. Change-Id: I2ba5e4903d1e293e566b732a84b07d5a134b697d --- doc/guix.texi | 24 ++++++++++++------------ gnu/services/certbot.scm | 36 ++++++++++++++++++++++++++++++++++-- 2 files changed, 46 insertions(+), 14 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index bb0af26d93..97be37f9b5 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -43,7 +43,7 @@ Copyright @copyright{} 2017, 2018, 2019 Clément Lassieur@* Copyright @copyright{} 2017, 2018, 2020, 2021, 2022 Mathieu Othacehe@* Copyright @copyright{} 2017 Federico Beffa@* -Copyright @copyright{} 2017, 2018 Carlo Zancanaro@* +Copyright @copyright{} 2017, 2018, 2024 Carlo Zancanaro@* Copyright @copyright{} 2017 Thomas Danckaert@* Copyright @copyright{} 2017 humanitiesNerd@* Copyright @copyright{} 2017, 2021 Christine Lemmer-Webber@* @@ -28135,7 +28135,7 @@ Messaging Services them. See @url{https://prosody.im/doc/letsencrypt}. @example -prosodyctl --root cert import /etc/letsencrypt/live +prosodyctl --root cert import /etc/certs @end example The available configuration parameters follow. Each parameter @@ -28846,8 +28846,8 @@ Telephony Services (welcome-text "Welcome to this Mumble server running on Guix!") (cert-required? #t) ;disallow text password logins - (ssl-cert "/etc/letsencrypt/live/mumble.example.com/fullchain.pem") - (ssl-key "/etc/letsencrypt/live/mumble.example.com/privkey.pem"))) + (ssl-cert "/etc/certs/mumble.example.com/fullchain.pem") + (ssl-key "/etc/certs/mumble.example.com/privkey.pem"))) @end lisp After reconfiguring your system, you can manually set the mumble-server @@ -28965,12 +28965,12 @@ Telephony Services File name of the SSL/TLS certificate used for encrypted connections. @lisp -(ssl-cert "/etc/letsencrypt/live/example.com/fullchain.pem") +(ssl-cert "/etc/certs/example.com/fullchain.pem") @end lisp @item @code{ssl-key} (default: @code{#f}) Filepath to the ssl private key used for encrypted connections. @lisp -(ssl-key "/etc/letsencrypt/live/example.com/privkey.pem") +(ssl-key "/etc/certs/example.com/privkey.pem") @end lisp @item @code{ssl-dh-params} (default: @code{#f}) @@ -32694,8 +32694,8 @@ Certificate Services @end deftp For each @code{certificate-configuration}, the certificate is saved to -@code{/etc/letsencrypt/live/@var{name}/fullchain.pem} and the key is -saved to @code{/etc/letsencrypt/live/@var{name}/privkey.pem}. +@code{/etc/certs/@var{name}/fullchain.pem} and the key is +saved to @code{/etc/certs/@var{name}/privkey.pem}. @node DNS Services @subsection DNS Services @cindex DNS (domain name system) @@ -37381,9 +37381,9 @@ Version Control Services (listen '("443 ssl")) (server-name "git.my-host.org") (ssl-certificate - "/etc/letsencrypt/live/git.my-host.org/fullchain.pem") + "/etc/certs/git.my-host.org/fullchain.pem") (ssl-certificate-key - "/etc/letsencrypt/live/git.my-host.org/privkey.pem") + "/etc/certs/git.my-host.org/privkey.pem") (locations (list (git-http-nginx-location-configuration @@ -38508,9 +38508,9 @@ Version Control Services (nginx-server-block (nginx-server-configuration (ssl-certificate - "/etc/letsencrypt/live/myweb.site/fullchain.pem") + "/etc/certs/myweb.site/fullchain.pem") (ssl-certificate-key - "/etc/letsencrypt/live/myweb.site/privkey.pem") + "/etc/certs/myweb.site/privkey.pem") (listen '("443 ssl http2" "[::]:443 ssl http2")) (locations (list diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm index 0c45471659..3926d0551a 100644 --- a/gnu/services/certbot.scm +++ b/gnu/services/certbot.scm @@ -6,6 +6,7 @@ ;;; Copyright © 2020 Jack Hill <jackhill@jackhill.us> ;;; Copyright © 2020 Tobias Geerinckx-Rice <me@tobias.gr> ;;; Copyright © 2021 Raghav Gururajan <rg@raghavgururajan.name> +;;; Copyright © 2024 Carlo Zancanaro <carlo@zancanaro.id.au> ;;; ;;; This file is part of GNU Guix. ;;; @@ -87,6 +88,35 @@ (define-record-type* <certbot-configuration> (body (list "return 301 https://$host$request_uri;")))))) +(define (certbot-deploy-hook name deploy-hook-script) + "Returns a gexp which creates symlinks for privkey.pem and fullchain.pem +from /etc/certs/NAME to /etc/letsenctypt/live/NAME. If DEPLOY-HOOK-SCRIPT is +not #f then it is run after the symlinks have been created." + (program-file + (string-append name "-deploy-hook") + (with-imported-modules '((guix build utils)) + #~(begin + (use-modules (guix build utils)) + (mkdir-p #$(string-append "/etc/certs/" name)) + (chmod #$(string-append "/etc/certs/" name) #o755) + + ;; Create new symlinks + (symlink #$(string-append + "/etc/letsencrypt/live/" name "/privkey.pem") + #$(string-append "/etc/certs/" name "/privkey.pem.new")) + (symlink #$(string-append + "/etc/letsencrypt/live/" name "/fullchain.pem") + #$(string-append "/etc/certs/" name "/fullchain.pem.new")) + + ;; Rename over the top of the old ones, if there are any. + (rename-file #$(string-append "/etc/certs/" name "/privkey.pem.new") + #$(string-append "/etc/certs/" name "/privkey.pem")) + (rename-file #$(string-append "/etc/certs/" name "/fullchain.pem.new") + #$(string-append "/etc/certs/" name "/fullchain.pem")) + #$@(if deploy-hook-script + (list #~(invoke #$deploy-hook-script)) + '()))))) + (define certbot-command (match-lambda (($ <certbot-configuration> package webroot certificates email @@ -118,7 +148,8 @@ (define certbot-command `("--manual-auth-hook" ,authentication-hook) '()) (if cleanup-hook `("--manual-cleanup-hook" ,cleanup-hook) '()) - (if deploy-hook `("--deploy-hook" ,deploy-hook) '())) + (list "--deploy-hook" + (certbot-deploy-hook name deploy-hook))) (append (list name certbot "certonly" "-n" "--agree-tos" "--webroot" "-w" webroot @@ -130,7 +161,8 @@ (define certbot-command '("--register-unsafely-without-email")) (if server `("--server" ,server) '()) (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '()) - (if deploy-hook `("--deploy-hook" ,deploy-hook) '())))))) + (list "--deploy-hook" + (certbot-deploy-hook name deploy-hook))))))) certificates))) (program-file "certbot-command" -- 2.41.0 ^ permalink raw reply related [flat|nested] 22+ messages in thread
* bug#46961: [PATCH v3 2/4] services: certbot: Create self-signed certificates before certbot runs. 2024-01-30 13:26 ` bug#46961: [PATCH v2 0/4] Make certbot play more nicely with nginx Carlo Zancanaro ` (2 preceding siblings ...) 2024-01-31 11:46 ` bug#46961: [PATCH v3 1/4] services: certbot: Symlink certificates to /etc/certs Carlo Zancanaro @ 2024-01-31 11:46 ` Carlo Zancanaro 2024-01-31 11:46 ` bug#46961: [PATCH v3 3/4] services: certbot: Reload nginx in deploy hook Carlo Zancanaro 2024-01-31 11:46 ` bug#46961: [PATCH v3 4/4] services: certbot: Add one-shot service to renew certificates Carlo Zancanaro 5 siblings, 0 replies; 22+ messages in thread From: Carlo Zancanaro @ 2024-01-31 11:46 UTC (permalink / raw) To: 46961; +Cc: clement * gnu/services/certbot.scm (<certificate-configuration>): Add start-self-signed? field. (generate-certificate-gexp): New procedure. (certbot-activation): Generate self-signed certificates when start-self-signed? is #t. * doc/guix.texi (Certificate services): Document start-self-signed?. Change-Id: Icfd85ae0c3e29324acbcde6ba283546cf0e27a1d --- doc/guix.texi | 6 ++++ gnu/services/certbot.scm | 62 ++++++++++++++++++++++++++++++++++++++-- 2 files changed, 65 insertions(+), 3 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index 97be37f9b5..732abceb0f 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -32690,6 +32690,12 @@ Certificate Services contain a space-delimited list of renewed certificate domains (for example, @samp{"example.com www.example.com"}. +@item @code{start-self-signed?} (default: @code{#t}) +Whether to generate an initial self-signed certificate during system +activation. This option is particularly useful to allow @code{nginx} to +start before @code{certbot} has run, because @code{certbot} relies on +@code{nginx} running to perform HTTP challenges. + @end table @end deftp diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm index 3926d0551a..10b99f5630 100644 --- a/gnu/services/certbot.scm +++ b/gnu/services/certbot.scm @@ -35,6 +35,7 @@ (define-module (gnu services certbot) #:use-module (guix records) #:use-module (guix gexp) #:use-module (srfi srfi-1) + #:use-module (ice-9 format) #:use-module (ice-9 match) #:export (certbot-service-type certbot-configuration @@ -64,7 +65,9 @@ (define-record-type* <certificate-configuration> (cleanup-hook certificate-cleanup-hook (default #f)) (deploy-hook certificate-configuration-deploy-hook - (default #f))) + (default #f)) + (start-self-signed? certificate-configuration-start-self-signed? + (default #t))) (define-record-type* <certbot-configuration> certbot-configuration make-certbot-configuration @@ -91,7 +94,10 @@ (define-record-type* <certbot-configuration> (define (certbot-deploy-hook name deploy-hook-script) "Returns a gexp which creates symlinks for privkey.pem and fullchain.pem from /etc/certs/NAME to /etc/letsenctypt/live/NAME. If DEPLOY-HOOK-SCRIPT is -not #f then it is run after the symlinks have been created." +not #f then it is run after the symlinks have been created. This wrapping is +necessary for certificates with start-self-signed? set to #t, as it will +overwrite the initial self-signed certificates upon the first successful +deploy." (program-file (string-append name "-deploy-hook") (with-imported-modules '((guix build utils)) @@ -108,7 +114,8 @@ (define (certbot-deploy-hook name deploy-hook-script) "/etc/letsencrypt/live/" name "/fullchain.pem") #$(string-append "/etc/certs/" name "/fullchain.pem.new")) - ;; Rename over the top of the old ones, if there are any. + ;; Rename over the top of the old ones, just in case they were the + ;; original self-signed certificates. (rename-file #$(string-append "/etc/certs/" name "/privkey.pem.new") #$(string-append "/etc/certs/" name "/privkey.pem")) (rename-file #$(string-append "/etc/certs/" name "/fullchain.pem.new") @@ -184,6 +191,47 @@ (define (certbot-renewal-jobs config) #~(job '(next-minute-from (next-hour '(0 12)) (list (random 60))) #$(certbot-command config)))) +(define (generate-certificate-gexp certbot-cert-directory rsa-key-size) + (match-lambda + (($ <certificate-configuration> name (primary-domain other-domains ...) + challenge + csr authentication-hook + cleanup-hook deploy-hook) + (let (;; Arbitrary default subject, with just the + ;; right domain filled in. These values don't + ;; have any real significance. + (subject (string-append + "/C=US/ST=Oregon/L=Portland/O=Company Name/OU=Org/CN=" + primary-domain)) + (alt-names (if (null? other-domains) + #f + (format #f "subjectAltName=~{DNS:~a~^,~}" + other-domains))) + (directory (string-append "/etc/certs/" (or name primary-domain)))) + #~(when (not (file-exists? #$directory)) + ;; We generate self-signed certificates in /etc/certs/{domain}, + ;; because certbot is very sensitive to its directory + ;; structure. It refuses to write over the top of existing files, + ;; so we need to use a directory outside of its control. + ;; + ;; These certificates are overwritten by the certbot deploy hook + ;; the first time it successfully obtains a letsencrypt-signed + ;; certificate. + (mkdir-p #$directory) + (chmod #$directory #o755) + (invoke #$(file-append openssl "/bin/openssl") + "req" "-x509" + "-newkey" #$(string-append "rsa:" (or rsa-key-size "4096")) + "-keyout" #$(string-append directory "/privkey.pem") + "-out" #$(string-append directory "/fullchain.pem") + "-sha256" + "-days" "1" ; Only one day, because we expect certbot to run + "-nodes" + "-subj" #$subject + #$@(if alt-names + (list "-addext" alt-names) + (list)))))))) + (define (certbot-activation config) (let* ((certbot-directory "/var/lib/certbot") (certbot-cert-directory "/etc/letsencrypt/live") @@ -198,6 +246,14 @@ (define (certbot-activation config) (mkdir-p #$webroot) (mkdir-p #$certbot-directory) (mkdir-p #$certbot-cert-directory) + + #$@(let ((rsa-key-size (and rsa-key-size + (number->string rsa-key-size)))) + (map (generate-certificate-gexp certbot-cert-directory + rsa-key-size) + (filter certificate-configuration-start-self-signed? + certificates))) + (copy-file #$(certbot-command config) #$script) (display #$message))))))) -- 2.41.0 ^ permalink raw reply related [flat|nested] 22+ messages in thread
* bug#46961: [PATCH v3 3/4] services: certbot: Reload nginx in deploy hook. 2024-01-30 13:26 ` bug#46961: [PATCH v2 0/4] Make certbot play more nicely with nginx Carlo Zancanaro ` (3 preceding siblings ...) 2024-01-31 11:46 ` bug#46961: [PATCH v3 2/4] services: certbot: Create self-signed certificates before certbot runs Carlo Zancanaro @ 2024-01-31 11:46 ` Carlo Zancanaro 2024-01-31 11:46 ` bug#46961: [PATCH v3 4/4] services: certbot: Add one-shot service to renew certificates Carlo Zancanaro 5 siblings, 0 replies; 22+ messages in thread From: Carlo Zancanaro @ 2024-01-31 11:46 UTC (permalink / raw) To: 46961; +Cc: clement * gnu/services/certbot.scm (certbot-deploy-hook): Reload nginx. * doc/guix.texi (Certificate services): Remove deploy-hook from example. Change-Id: Ibb10481170a6fda7df72492072b939dd6a6ad176 --- I've pulled the nginx reloading into the regular deployment hook here. I also removed the explicit deploy hook in the documentation, because that is now the default behaviour. doc/guix.texi | 10 +--------- gnu/services/certbot.scm | 10 ++++++++-- 2 files changed, 9 insertions(+), 11 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index 732abceb0f..c71d7e94cf 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -32562,21 +32562,13 @@ Certificate Services must be a @code{certbot-configuration} record as in this example: @lisp -(define %certbot-deploy-hook - (program-file "certbot-deploy-hook.scm" - (with-imported-modules '((gnu services herd)) - #~(begin - (use-modules (gnu services herd)) - (with-shepherd-action 'nginx ('reload) result result))))) - (service certbot-service-type (certbot-configuration (email "foo@@example.net") (certificates (list (certificate-configuration - (domains '("example.net" "www.example.net")) - (deploy-hook %certbot-deploy-hook)) + (domains '("example.net" "www.example.net"))) (certificate-configuration (domains '("bar.example.net"))))))) @end lisp diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm index 10b99f5630..cb1be0c0e9 100644 --- a/gnu/services/certbot.scm +++ b/gnu/services/certbot.scm @@ -100,9 +100,11 @@ (define (certbot-deploy-hook name deploy-hook-script) deploy." (program-file (string-append name "-deploy-hook") - (with-imported-modules '((guix build utils)) + (with-imported-modules '((gnu services herd) + (guix build utils)) #~(begin - (use-modules (guix build utils)) + (use-modules (gnu services herd) + (guix build utils)) (mkdir-p #$(string-append "/etc/certs/" name)) (chmod #$(string-append "/etc/certs/" name) #o755) @@ -120,6 +122,10 @@ (define (certbot-deploy-hook name deploy-hook-script) #$(string-append "/etc/certs/" name "/privkey.pem")) (rename-file #$(string-append "/etc/certs/" name "/fullchain.pem.new") #$(string-append "/etc/certs/" name "/fullchain.pem")) + + ;; With the new certificates in place, tell nginx to reload them. + (with-shepherd-action 'nginx ('reload) result result) + #$@(if deploy-hook-script (list #~(invoke #$deploy-hook-script)) '()))))) -- 2.41.0 ^ permalink raw reply related [flat|nested] 22+ messages in thread
* bug#46961: [PATCH v3 4/4] services: certbot: Add one-shot service to renew certificates. 2024-01-30 13:26 ` bug#46961: [PATCH v2 0/4] Make certbot play more nicely with nginx Carlo Zancanaro ` (4 preceding siblings ...) 2024-01-31 11:46 ` bug#46961: [PATCH v3 3/4] services: certbot: Reload nginx in deploy hook Carlo Zancanaro @ 2024-01-31 11:46 ` Carlo Zancanaro 5 siblings, 0 replies; 22+ messages in thread From: Carlo Zancanaro @ 2024-01-31 11:46 UTC (permalink / raw) To: 46961; +Cc: clement * gnu/services/certbot.scm (certbot-renewal-one-shot): New procedure. (certbot-service-type)[extensions]: Add it to shepherd-root extension. (certbot-command): Make connection errors return a different exit code. (certbot-activation): Remove message with certificate renewal instructions. Change-Id: I614ac6214a753dba0396e2385a75926c8355caa1 --- I've added some more logging here, and removed the comments that implied that we expected the length of time for the retries to be bounded. gnu/services/certbot.scm | 89 +++++++++++++++++++++++++++++++++------- 1 file changed, 75 insertions(+), 14 deletions(-) diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm index cb1be0c0e9..f287c8367f 100644 --- a/gnu/services/certbot.scm +++ b/gnu/services/certbot.scm @@ -180,15 +180,45 @@ (define certbot-command (program-file "certbot-command" #~(begin - (use-modules (ice-9 match)) - (let ((code 0)) + (use-modules (ice-9 match) + (ice-9 textual-ports)) + + (define (log format-string . args) + (apply format #t format-string args) + (force-output)) + + (define (file-contains? file string) + (string-contains (call-with-input-file file + get-string-all) + string)) + + (define (connection-error?) + ;; Certbot errors are always exit code 1, so we need to look at + ;; the log file to see if there was a connection error. + (file-contains? "/var/log/letsencrypt/letsencrypt.log" + "Failed to establish a new connection")) + + (let ((script-code 0)) (for-each (match-lambda ((name . command) - (begin - (format #t "Acquiring or renewing certificate: ~a~%" name) - (set! code (or (apply system* command) code))))) - '#$commands) code))))))) + (log "Acquiring or renewing certificate: ~a~%" name) + (cond + ((zero? (status:exit-val (apply system* command))) + (log "Certificate successfully acquired: ~a~%" name)) + ((connection-error?) + ;; If we have a connection error, then bail early with + ;; exit code 2. We don't expect this to resolve within the + ;; timespan of this script. + (log "Connection error - bailing out~%") + (exit 2)) + (else + ;; If we have any other type of error, then continue but + ;; exit with a failing status code in the end. + (log "Error: ~a - continuing with other domains~%" name) + (set! script-code 1))))) + '#$commands) + (exit script-code)))))))) (define (certbot-renewal-jobs config) (list @@ -197,6 +227,40 @@ (define (certbot-renewal-jobs config) #~(job '(next-minute-from (next-hour '(0 12)) (list (random 60))) #$(certbot-command config)))) +(define (certbot-renewal-one-shot config) + (list + ;; Renew certificates when the system first starts. This is a one-shot + ;; service, because the mcron configuration will take care of running this + ;; periodically. This is most useful the very first time the system starts, + ;; to overwrite our self-signed certificates as soon as possible without + ;; user intervention. + (shepherd-service + (provision '(renew-certbot-certificates)) + (requirement '(nginx)) + (one-shot? #t) + (start #~(lambda _ + ;; This needs the network, but there's no reliable way to know + ;; if the network is up other than trying. If we fail due to a + ;; connection error we retry a number of times in the hope that + ;; the network comes up soon. + (let loop ((attempt 0)) + (let ((code (status:exit-val + (system* #$(certbot-command config))))) + (cond + ((and (= code 2) ; Exit code 2 means connection error + (< attempt 12)) ; Arbitrarily chosen max attempts + (sleep 10) ; Arbitrarily chosen retry delay + (loop (1+ attempt))) + ((zero? code) + ;; Success! + #t) + (else + ;; Failure. + #f)))))) + (auto-start? #t) + (documentation "Call certbot to renew certificates.") + (actions (list (shepherd-configuration-action (certbot-command config))))))) + (define (generate-certificate-gexp certbot-cert-directory rsa-key-size) (match-lambda (($ <certificate-configuration> name (primary-domain other-domains ...) @@ -240,9 +304,7 @@ (define (generate-certificate-gexp certbot-cert-directory rsa-key-size) (define (certbot-activation config) (let* ((certbot-directory "/var/lib/certbot") - (certbot-cert-directory "/etc/letsencrypt/live") - (script (in-vicinity certbot-directory "renew-certificates")) - (message (format #f (G_ "~a may need to be run~%") script))) + (certbot-cert-directory "/etc/letsencrypt/live")) (match config (($ <certbot-configuration> package webroot certificates email server rsa-key-size default-location) @@ -258,10 +320,7 @@ (define (certbot-activation config) (map (generate-certificate-gexp certbot-cert-directory rsa-key-size) (filter certificate-configuration-start-self-signed? - certificates))) - - (copy-file #$(certbot-command config) #$script) - (display #$message))))))) + certificates))))))))) (define certbot-nginx-server-configurations (match-lambda @@ -294,7 +353,9 @@ (define certbot-service-type (service-extension activation-service-type certbot-activation) (service-extension mcron-service-type - certbot-renewal-jobs))) + certbot-renewal-jobs) + (service-extension shepherd-root-service-type + certbot-renewal-one-shot))) (compose concatenate) (extend (lambda (config additional-certificates) (certbot-configuration -- 2.41.0 ^ permalink raw reply related [flat|nested] 22+ messages in thread
* bug#46961: [PATCH v2 4/4] services: certbot: Add one-shot service to renew certificates. 2024-01-24 12:18 ` bug#46961: [PATCH 0/2] Allow nginx to start before certbot has run Carlo Zancanaro ` (2 preceding siblings ...) 2024-01-30 13:26 ` bug#46961: [PATCH v2 0/4] Make certbot play more nicely with nginx Carlo Zancanaro @ 2024-01-30 13:26 ` Carlo Zancanaro 2024-01-31 0:55 ` bug#46961: Nginx and certbot cervices don't play well togther Clément Lassieur [not found] ` <0816d35e69610090994eb7da45715b4ee366d791.1706621200.git.carlo@zancanaro.id.au> 4 siblings, 1 reply; 22+ messages in thread From: Carlo Zancanaro @ 2024-01-30 13:26 UTC (permalink / raw) To: 46961; +Cc: guix-devel, brice, clement * gnu/services/certbot.scm (certbot-renewal-one-shot): New procedure. (certbot-service-type)[extensions]: Add it to shepherd-root extension. (certbot-command): Make connection errors return a different exit code. (certbot-activation): Remove message with certificate renewal instructions. Change-Id: I614ac6214a753dba0396e2385a75926c8355caa1 --- gnu/services/certbot.scm | 77 +++++++++++++++++++++++++++++++++------- 1 file changed, 65 insertions(+), 12 deletions(-) diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm index 490b9e8d6d..d6354c86d3 100644 --- a/gnu/services/certbot.scm +++ b/gnu/services/certbot.scm @@ -183,15 +183,37 @@ (define certbot-command (program-file "certbot-command" #~(begin - (use-modules (ice-9 match)) - (let ((code 0)) + (use-modules (ice-9 match) + (ice-9 textual-ports)) + + (define (file-contains? file string) + (string-contains (call-with-input-file file + get-string-all) + string)) + + (define (connection-error?) + (file-contains? "/var/log/letsencrypt/letsencrypt.log" + "Failed to establish a new connection")) + + (let ((script-code 0)) (for-each (match-lambda ((name . command) (begin (format #t "Acquiring or renewing certificate: ~a~%" name) - (set! code (or (apply system* command) code))))) - '#$commands) code))))))) + (unless (zero? (status:exit-val (apply system* command))) + ;; Certbot errors are always exit code 1, but we'd like + ;; to separate connection errors from other error types. + (if (connection-error?) + ;; If we have a connection error, then bail early + ;; with exit code 2. We don't expect this to + ;; resolve within the timespan of this script. + (exit 2) + ;; If we have any other type of error, then continue + ;; but exit with a failing status code in the end. + (set! script-code 1)))))) + '#$commands) + (exit script-code)))))))) (define (certbot-renewal-jobs config) (list @@ -200,6 +222,40 @@ (define (certbot-renewal-jobs config) #~(job '(next-minute-from (next-hour '(0 12)) (list (random 60))) #$(certbot-command config)))) +(define (certbot-renewal-one-shot config) + (list + ;; Renew certificates when the system first starts. This is a one-shot + ;; service, because the mcron configuration will take care of running this + ;; periodically. This is most useful the very first time the system starts, + ;; to overwrite our self-signed certificates as soon as possible without + ;; user intervention. + (shepherd-service + (provision '(renew-certbot-certificates)) + (requirement '(nginx)) + (one-shot? #t) + (start #~(lambda _ + ;; This needs the network, but there's no reliable way to know + ;; if the network is up other than trying. If we fail due to a + ;; connection error we retry a number of times in the hope that + ;; the network comes up soon. + (let loop ((attempt 0)) + (let ((code (status:exit-val + (system* #$(certbot-command config))))) + (cond + ((and (= code 2) ; Exit code 2 means connection error + (< attempt 12)) ; 12 * 10 seconds = 2 minutes + (sleep 10) + (loop (1+ attempt))) + ((zero? code) + ;; Success! + #t) + (else + ;; Failure. + #f)))))) + (auto-start? #t) + (documentation "Call certbot to renew certificates.") + (actions (list (shepherd-configuration-action (certbot-command config))))))) + (define (generate-certificate-gexp certbot-cert-directory rsa-key-size) (match-lambda (($ <certificate-configuration> name (primary-domain other-domains ...) @@ -243,9 +299,7 @@ (define (generate-certificate-gexp certbot-cert-directory rsa-key-size) (define (certbot-activation config) (let* ((certbot-directory "/var/lib/certbot") - (certbot-cert-directory "/etc/letsencrypt/live") - (script (in-vicinity certbot-directory "renew-certificates")) - (message (format #f (G_ "~a may need to be run~%") script))) + (certbot-cert-directory "/etc/letsencrypt/live")) (match config (($ <certbot-configuration> package webroot certificates email server rsa-key-size default-location) @@ -261,10 +315,7 @@ (define (certbot-activation config) (map (generate-certificate-gexp certbot-cert-directory rsa-key-size) (filter certificate-configuration-start-self-signed? - certificates))) - - (copy-file #$(certbot-command config) #$script) - (display #$message))))))) + certificates))))))))) (define certbot-nginx-server-configurations (match-lambda @@ -297,7 +348,9 @@ (define certbot-service-type (service-extension activation-service-type certbot-activation) (service-extension mcron-service-type - certbot-renewal-jobs))) + certbot-renewal-jobs) + (service-extension shepherd-root-service-type + certbot-renewal-one-shot))) (compose concatenate) (extend (lambda (config additional-certificates) (certbot-configuration -- 2.41.0 ^ permalink raw reply related [flat|nested] 22+ messages in thread
* bug#46961: Nginx and certbot cervices don't play well togther 2024-01-30 13:26 ` bug#46961: [PATCH v2 " Carlo Zancanaro @ 2024-01-31 0:55 ` Clément Lassieur 2024-01-31 11:50 ` Carlo Zancanaro 0 siblings, 1 reply; 22+ messages in thread From: Clément Lassieur @ 2024-01-31 0:55 UTC (permalink / raw) To: Carlo Zancanaro; +Cc: brice, 46961 Removing guix-devel. On Tue, Jan 30 2024, Carlo Zancanaro wrote: > + (define (file-contains? file string) > + (string-contains (call-with-input-file file > + get-string-all) > + string)) > + > + (define (connection-error?) > + (file-contains? "/var/log/letsencrypt/letsencrypt.log" > + "Failed to establish a new connection")) > + > + (let ((script-code 0)) > (for-each > (match-lambda > ((name . command) > (begin > (format #t "Acquiring or renewing certificate: ~a~%" name) Here we could add ‘(force-output)’, because otherwise those logs arrive after the certbot logs, and it's hard to understand anything. > - (set! code (or (apply system* command) code))))) > - '#$commands) code))))))) > + (unless (zero? (status:exit-val (apply system* command))) > + ;; Certbot errors are always exit code 1, but we'd like > + ;; to separate connection errors from other error types. > + (if (connection-error?) > + ;; If we have a connection error, then bail early > + ;; with exit code 2. We don't expect this to > + ;; resolve within the timespan of this script. Could we have a (log + force-output) here too? (I imagine within a ‘begin’) > + (exit 2) > + ;; If we have any other type of error, then continue > + ;; but exit with a failing status code in the end. and here? > + (set! script-code 1)))))) And maybe a log also in case the command succeeds. (So that would mean to replace ‘unless’ with ‘if’). > + '#$commands) > + (exit script-code)))))))) > > + (let loop ((attempt 0)) > + (let ((code (status:exit-val > + (system* #$(certbot-command config))))) > + (cond > + ((and (= code 2) ; Exit code 2 means connection error > + (< attempt 12)) ; 12 * 10 seconds = 2 minutes ^------ This comment is not true because certbot takes time to execute (around 15s on my vm). I don't think there is a need to be that precise. Maybe you can just add in in the let form, as in (let ((code ...) (max-attempts 12)). > + (sleep 10) > + (loop (1+ attempt))) > + ((zero? code) > + ;; Success! > + #t) > + (else > + ;; Failure. > + #f)))))) Also could you update the example in the docs? From the doc: >> @defvar certbot-service-type >> A service type for the @code{certbot} Let's Encrypt client. Its value >> must be a @code{certbot-configuration} record as in this example: >> >> @lisp >> (define %certbot-deploy-hook >> (program-file "certbot-deploy-hook.scm" >> (with-imported-modules '((gnu services herd)) >> #~(begin >> (use-modules (gnu services herd)) >> (with-shepherd-action 'nginx ('reload) result result))))) ^ This part isn't useful anymore. However, we could add a nginx-service-type and a dhcp-client-service-type so that people have an idea of what the minimal config is, maybe like I did in my first review: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=46961#23. >> (service certbot-service-type >> (certbot-configuration >> (email "foo@@example.net") >> (certificates >> (list >> (certificate-configuration >> (domains '("example.net" "www.example.net")) >> (deploy-hook %certbot-deploy-hook)) >> (certificate-configuration >> (domains '("bar.example.net"))))))) >> @end lisp We are almost there, thanks! Clément ^ permalink raw reply [flat|nested] 22+ messages in thread
* bug#46961: Nginx and certbot cervices don't play well togther 2024-01-31 0:55 ` bug#46961: Nginx and certbot cervices don't play well togther Clément Lassieur @ 2024-01-31 11:50 ` Carlo Zancanaro 2024-01-31 15:58 ` Clément Lassieur 0 siblings, 1 reply; 22+ messages in thread From: Carlo Zancanaro @ 2024-01-31 11:50 UTC (permalink / raw) To: Clément Lassieur; +Cc: 46961 On Wed, Jan 31 2024, Clément Lassieur wrote: > Removing guix-devel. I've also removed Brice. > On Tue, Jan 30 2024, Carlo Zancanaro wrote: >> (format #t "Acquiring or renewing >> certificate: ~a~%" name) > > Here we could add ‘(force-output)’, because otherwise those logs > arrive > after the certbot logs, and it's hard to understand anything. Done. >> + ;; If we have a connection error, >> then bail early >> + ;; with exit code 2. We don't expect >> this to >> + ;; resolve within the timespan of >> this script. > > Could we have a (log + force-output) here too? (I imagine > within a > ‘begin’) Done. >> + ;; If we have any other type of >> error, then continue >> + ;; but exit with a failing status >> code in the end. > > and here? Done. > And maybe a log also in case the command succeeds. (So that > would mean > to replace ‘unless’ with ‘if’). Done. >> + (< attempt 12)) ; 12 * 10 seconds = >> 2 minutes > ^------ > This comment is not true because certbot takes time to execute > (around 15s on my vm). I don't think there is a need to be that > precise. I haven't extracted/named the max-attempts value, but I have removed the comments that imply that the time frame is bounded. > Also could you update the example in the docs? I have removed the %certbot-deploy-hook in the example in the manual. > ... However, we could add a nginx-service-type and a > dhcp-client-service-type so that people have an idea of what the > minimal config is, maybe like I did in my first review: > https://debbugs.gnu.org/cgi/bugreport.cgi?bug=46961#23. I have not added this. I understand the desire, but I'm wary of providing an example that's "too involved". The current example demonstrates a minimal config of certbot itself. I think you are looking to include an example of a minimal system that hosts a website using certbot provided certificates. I don't know where an example like that belongs, but I'm not yet convinced it belongs in the certbot service documentation. Carlo ^ permalink raw reply [flat|nested] 22+ messages in thread
* bug#46961: Nginx and certbot cervices don't play well togther 2024-01-31 11:50 ` Carlo Zancanaro @ 2024-01-31 15:58 ` Clément Lassieur 0 siblings, 0 replies; 22+ messages in thread From: Clément Lassieur @ 2024-01-31 15:58 UTC (permalink / raw) To: Carlo Zancanaro; +Cc: 46961-done On Wed, Jan 31 2024, Carlo Zancanaro wrote: >>> + (< attempt 12)) ; 12 * 10 seconds = 2 minutes >> ^------ >> This comment is not true because certbot takes time to execute (around 15s >> on my vm). I don't think there is a need to be that precise. > > I haven't extracted/named the max-attempts value, but I have removed the > comments that imply that the time frame is bounded. Ok >> Also could you update the example in the docs? > > I have removed the %certbot-deploy-hook in the example in the manual. > >> ... However, we could add a nginx-service-type and a >> dhcp-client-service-type so that people have an idea of what the minimal >> config is, maybe like I did in my first review: >> https://debbugs.gnu.org/cgi/bugreport.cgi?bug=46961#23. > > I have not added this. I understand the desire, but I'm wary of providing an > example that's "too involved". The current example demonstrates a minimal > config of certbot itself. I think you are looking to include an example of a > minimal system that hosts a website using certbot provided certificates. I > don't know where an example like that belongs, but I'm not yet convinced it > belongs in the certbot service documentation. Sounds good Pushed, thank you! Clément ^ permalink raw reply [flat|nested] 22+ messages in thread
[parent not found: <0816d35e69610090994eb7da45715b4ee366d791.1706621200.git.carlo@zancanaro.id.au>]
* bug#46961: Nginx and certbot cervices don't play well togther [not found] ` <0816d35e69610090994eb7da45715b4ee366d791.1706621200.git.carlo@zancanaro.id.au> @ 2024-01-31 0:29 ` Clément Lassieur 0 siblings, 0 replies; 22+ messages in thread From: Clément Lassieur @ 2024-01-31 0:29 UTC (permalink / raw) To: Carlo Zancanaro; +Cc: brice, 46961 I removed guix-devel, not sure we need to spam it. On Tue, Jan 30 2024, Carlo Zancanaro wrote: > +(define %default-deploy-hook > + (program-file > + "reload-nginx.scm" > + (with-imported-modules '((gnu services herd)) > + #~(begin > + (use-modules (gnu services herd)) > + (with-shepherd-action 'nginx ('reload) result result))))) > + > (define-record-type* <certificate-configuration> > certificate-configuration make-certificate-configuration > certificate-configuration? > @@ -65,7 +74,7 @@ (define-record-type* <certificate-configuration> > (cleanup-hook certificate-cleanup-hook > (default #f)) > (deploy-hook certificate-configuration-deploy-hook > - (default #f)) > + (default %default-deploy-hook)) > (start-self-signed? certificate-configuration-start-self-signed? > (default #t))) I'd reload within ‘certbot-deploy-hook’, between ‘rename-file’ and “(if deploy-hook-script” so that people don't get surprised, when they use a deploy-hook for unrelated reasons, that the nginx doesn't reload anymore. Plus, reloading nginx is harmless. ^ permalink raw reply [flat|nested] 22+ messages in thread
end of thread, other threads:[~2024-04-13 1:18 UTC | newest] Thread overview: 22+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2021-03-06 8:15 Nginx and certbot cervices don't play well togther Brice Waegeneire 2024-01-24 12:18 ` bug#46961: [PATCH 0/2] Allow nginx to start before certbot has run Carlo Zancanaro 2024-01-24 12:18 ` bug#46961: [PATCH 1/2] services: certbot: Symlink certificates to /etc/certs Carlo Zancanaro 2024-01-24 12:18 ` bug#46961: [PATCH 2/2] services: certbot: Create self-signed certificates before certbot runs Carlo Zancanaro 2024-01-24 13:01 ` Carlo Zancanaro 2024-01-29 19:23 ` bug#46961: Nginx and certbot cervices don't play well togther Clément Lassieur 2024-01-29 23:02 ` Carlo Zancanaro 2024-01-29 23:19 ` Clément Lassieur 2024-01-29 19:28 ` Clément Lassieur 2024-01-30 13:26 ` bug#46961: [PATCH v2 0/4] Make certbot play more nicely with nginx Carlo Zancanaro [not found] ` <875xzanaer.fsf__22488.5524179385$1706626282$gmane$org@lease-up.com> 2024-01-30 19:39 ` Clément Lassieur 2024-04-13 1:17 ` Felix Lechner via Development of GNU Guix and the GNU System distribution. 2024-01-31 11:46 ` bug#46961: [PATCH v3 " Carlo Zancanaro 2024-01-31 11:46 ` bug#46961: [PATCH v3 1/4] services: certbot: Symlink certificates to /etc/certs Carlo Zancanaro 2024-01-31 11:46 ` bug#46961: [PATCH v3 2/4] services: certbot: Create self-signed certificates before certbot runs Carlo Zancanaro 2024-01-31 11:46 ` bug#46961: [PATCH v3 3/4] services: certbot: Reload nginx in deploy hook Carlo Zancanaro 2024-01-31 11:46 ` bug#46961: [PATCH v3 4/4] services: certbot: Add one-shot service to renew certificates Carlo Zancanaro 2024-01-30 13:26 ` bug#46961: [PATCH v2 " Carlo Zancanaro 2024-01-31 0:55 ` bug#46961: Nginx and certbot cervices don't play well togther Clément Lassieur 2024-01-31 11:50 ` Carlo Zancanaro 2024-01-31 15:58 ` Clément Lassieur [not found] ` <0816d35e69610090994eb7da45715b4ee366d791.1706621200.git.carlo@zancanaro.id.au> 2024-01-31 0:29 ` Clément Lassieur
Code repositories for project(s) associated with this public inbox https://git.savannah.gnu.org/cgit/guix.git This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).