From: Clément Lassieur
To: Carlo Zancanaro
Cc: brice@waegenei.re, 46961@debbugs.gnu.org
Subject: bug#46961: Nginx and certbot cervices don't play well togther
Date: Wed, 31 Jan 2024 01:55:56 +0100
Message-ID: <87zfwms4mb.fsf_-_@lassieur.org>
In-Reply-To: (Carlo Zancanaro's message of "Tue, 30 Jan 2024 13:26:40 +0000")
List-Id: Bug reports for GNU Guix

Removing guix-devel.

On Tue, Jan 30 2024, Carlo Zancanaro wrote:

> + (define (file-contains? file string) > + (string-contains (call-with-input-file file > + get-string-all) > + string)) > + > + (define (connection-error?) > + (file-contains? "/var/log/letsencrypt/letsencrypt.log" > + "Failed to establish a new connection")) > + > + (let ((script-code 0)) > (for-each > (match-lambda > ((name . command) > (begin > (format #t "Acquiring or renewing certificate: ~a~%"= name)

Here we could add ‘(force-output)’, because otherwise those logs arrive after the certbot logs, and it's hard to understand anything.

> - (set! code (or (apply system* command) code))))) > - '#$commands) code))))))) > + (unless (zero? (status:exit-val (apply system* comma= nd))) > + ;; Certbot errors are always exit code 1, but we'd= like > + ;; to separate connection errors from other error = types. > + (if (connection-error?) > + ;; If we have a connection error, then bail ea= rly > + ;; with exit code 2. We don't expect this to > + ;; resolve within the timespan of this script.

Could we have a (log + force-output) here too? (I imagine within a ‘begin’)

> + (exit 2) > + ;; If we have any other type of error, then co= ntinue > + ;; but exit with a failing status code in the = end.

and here?

> + (set! script-code 1))))))

And maybe a log also in case the command succeeds. (So that would mean to replace ‘unless’ with ‘if’).
> + '#$commands) > + (exit script-code)))))))) >=20=20 > + (let loop ((attempt 0)) > + (let ((code (status:exit-val > + (system* #$(certbot-command config))))) > + (cond > + ((and (=3D code 2) ; Exit code 2 means connecti= on error > + (< attempt 12)) ; 12 * 10 seconds =3D 2 minutes

^------ This comment is not true because certbot takes time to execute (around 15s on my vm). I don't think there is a need to be that precise. Maybe you can just add it in the let form, as in (let ((code ...) (max-attempts 12)).

> + (sleep 10) > + (loop (1+ attempt))) > + ((zero? code) > + ;; Success! > + #t) > + (else > + ;; Failure. > + #f))))))

Also could you update the example in the docs?

From the doc:

>> @defvar certbot-service-type
>> A service type for the @code{certbot} Let's Encrypt client. Its value
>> must be a @code{certbot-configuration} record as in this example:
>>
>> @lisp
>> (define %certbot-deploy-hook
>>   (program-file "certbot-deploy-hook.scm"
>>     (with-imported-modules '((gnu services herd))
>>       #~(begin
>>           (use-modules (gnu services herd))
>>           (with-shepherd-action 'nginx ('reload) result result)))))

^ This part isn't useful anymore. However, we could add a nginx-service-type and a dhcp-client-service-type so that people have an idea of what the minimal config is, maybe like I did in my first review: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=46961#23.

>> (service certbot-service-type
>>          (certbot-configuration
>>           (email "foo@@example.net")
>>           (certificates
>>            (list
>>             (certificate-configuration
>>              (domains '("example.net" "www.example.net"))
>>              (deploy-hook %certbot-deploy-hook))
>>             (certificate-configuration
>>              (domains '("bar.example.net")))))))
>> @end lisp

We are almost there, thanks!

Clément
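
Review bot: In file-contains?, call-with-input-file raises when /var/log/letsencrypt/letsencrypt.log does not exist, so a certbot failure that occurs before the log is written would end the script with an exception instead of reaching (set! script-code 1). Consider having connection-error? return #f when (file-exists? ...) is false. The match is also made against the whole file, so it relies on the log holding only the output of the command that just failed; a comment stating that assumption next to connection-error? would help.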
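
Review bot: In the retry loop, attempt starts at 0 and the guard is (< attempt 12), so a persistent exit code 2 gives 12 retries after the first run, that is 13 invocations of the certbot command in total. If 12 is meant as the total number of attempts, compare (1+ attempt) against the bound; otherwise name the bound max-retries so that the name matches what is counted.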