unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
* Renewing certificates with certbot
@ 2019-02-22 13:49 Julien Lepiller
  2019-02-22 17:57 ` swedebugia
                   ` (2 more replies)
  0 siblings, 3 replies; 11+ messages in thread
From: Julien Lepiller @ 2019-02-22 13:49 UTC (permalink / raw)
  To: guix-devel

Hi,

I use certificates from let's encrypt for my website and mail servers, 
and found that there was an issue with certificates generated by the 
certbot service in Guix: the generated private keys are world-readable 
(in a directory that cannot be accessed by anyone but root, so it's OK I 
guess). OpenSMTPD is not happy with that though, so I have to chmod the 
files every time. I came up with a variant of the deploy-hook that's 
presented in the manual, and I'd like to update the example with it. 
Here it is:

;; Find running nginx and reload its configuration (for certificates)
(define %my-deploy-hook
   (program-file
    "my-deploy-hook"
    #~(let* ((pid (call-with-input-file "/var/run/nginx/pid" read))
             (cert-dir (getenv "RENEWED_LINEAGE"))
             (privkey (string-append cert-dir "/privkey.pem")))
        ;; certbot private keys are world-readable by default, and smtpd 
complains
        ;; about that, refusing to start otherwise
        (chmod privkey #o600)
        (kill pid SIGHUP))))

What do you think?

^ permalink raw reply	[flat|nested] 11+ messages in thread
* Re: Renewing certificates with certbot
@ 2019-03-22 10:55 Clément Lassieur
  2019-03-23  1:08 ` Chris Marusich
  0 siblings, 1 reply; 11+ messages in thread
From: Clément Lassieur @ 2019-03-22 10:55 UTC (permalink / raw)
  To: cmmarusich; +Cc: guix-devel

Hi Chris,

Unless I misunderstood, this email[1] from Julien suggests that the
issue was that certbot was too old, but it was fixed upstream.

Cheers,
Clément

[1]: https://lists.gnu.org/archive/html/guix-devel/2019-03/msg00070.html

^ permalink raw reply	[flat|nested] 11+ messages in thread

end of thread, other threads:[~2019-03-23  1:09 UTC | newest]

Thread overview: 11+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-02-22 13:49 Renewing certificates with certbot Julien Lepiller
2019-02-22 17:57 ` swedebugia
2019-03-06 13:42 ` Ludovic Courtès
2019-03-06 13:51   ` Julien Lepiller
2019-03-06 14:12     ` Giovanni Biscuolo
2019-03-06 14:19     ` ng0
2019-03-06 14:33       ` Julien Lepiller
2019-03-06 16:26         ` ng0
2019-03-22  8:00 ` Chris Marusich
  -- strict thread matches above, loose matches on Subject: below --
2019-03-22 10:55 Clément Lassieur
2019-03-23  1:08 ` Chris Marusich

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).