From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp0.migadu.com ([2001:41d0:403:4876::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms8.migadu.com with LMTPS id kE0rODb7uGVtAgAAqHPOHw:P1 (envelope-from ) for ; Tue, 30 Jan 2024 14:35:51 +0100 Received: from aspmx1.migadu.com ([2001:41d0:403:4876::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp0.migadu.com with LMTPS id kE0rODb7uGVtAgAAqHPOHw (envelope-from ) for ; Tue, 30 Jan 2024 14:35:51 +0100 X-Envelope-To: larch@yhetil.org Authentication-Results: aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=zancanaro.id.au header.s=k1 header.b=iD+wFiTy; dmarc=fail reason="SPF not aligned (relaxed)" header.from=zancanaro.id.au (policy=none); spf=pass (aspmx1.migadu.com: domain of "bug-guix-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="bug-guix-bounces+larch=yhetil.org@gnu.org" ARC-Seal: i=1; s=key1; d=yhetil.org; t=1706621750; a=rsa-sha256; cv=none; b=p4+KhINI3GCCqy6hox7f0LzCMt1Gx+R4xrqDgTam3q3XxKNU2S/jLRq0nzND4zHobAu1cC 4R3k8u5DLR4yTRTO026FdNhTzPy/4zahrQI6xIjdtUvGZm0QYBvJWHer9dE6epm9qOTBtt vwAX3NVtBl3f3yP0E4gf1X+e0cstBSBHCpIH3ldROsO5rDQ1+RtUsHMbnDjLCts7HSLpFO 8WeE5HiDhPIj1vaPQEmrISRQfTpymA9CXq7cwQAOi6UXUEZF7vn+XF+u9KJ511BtLWZGjY znDCW9Gfc/Bm5W2PInJhniLJ2dWNXHA05CU54pK8kn9PoVj7FKlMaB3lDHm/AA== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=zancanaro.id.au header.s=k1 header.b=iD+wFiTy; dmarc=fail reason="SPF not aligned (relaxed)" header.from=zancanaro.id.au (policy=none); spf=pass (aspmx1.migadu.com: domain of "bug-guix-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="bug-guix-bounces+larch=yhetil.org@gnu.org" ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1706621750; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding:resent-cc: resent-from:resent-sender:resent-message-id:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:dkim-signature; bh=C2a8AO/R4Efixesgmf/Y5RvMtuL8yw89eOu//h+uCBM=; b=GYlnN//XsLlcsSIwp8ghIFXl9/FH5lPZ0fkU8ivMc4ZYrYWRWUUcmxqWcNpZVBlKtYvxaB olThdk/uaTj3L3k6cKqEUVykyMBNbMsTQdkEhk3BOBvNeEx1b7HcnZZdJDooMJF4QFnPVm dT3amLob1KWzPEcaZczc3SSjfV/P2Zg/9Sxeod6A+1VEqxwj/kzF9bJs7H6/CCG8izSDQb vEu4KcW1OPfeTwc4N+GodlrfianKFZjCOltA0tt7MgwddNDLQOPB+JaDH41TBIfoy0IYgM m9WTTZs/5KCr61BWILPPJW3RlAzTHNeOi2G9AeohDxZggu7lnMuRMTU+56FPMw== Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id CDB1FC6D1 for ; Tue, 30 Jan 2024 14:35:50 +0100 (CET) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1rUoFS-0007Qa-U6; Tue, 30 Jan 2024 08:33:58 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1rUoFO-0007PK-Lb for bug-guix@gnu.org; Tue, 30 Jan 2024 08:33:56 -0500 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1rUoFN-0006DM-CL for bug-guix@gnu.org; Tue, 30 Jan 2024 08:33:53 -0500 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1rUoFV-0003zo-Tz for bug-guix@gnu.org; Tue, 30 Jan 2024 08:34:01 -0500 X-Loop: help-debbugs@gnu.org Subject: bug#46961: [PATCH v2 0/4] Make certbot play more nicely with nginx Resent-From: Carlo Zancanaro Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Tue, 30 Jan 2024 13:34:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 46961 X-GNU-PR-Package: guix X-GNU-PR-Keywords: To: 46961@debbugs.gnu.org Cc: guix-devel@gnu.org, brice@waegenei.re, clement@lassieur.org Received: via spool by 46961-submit@debbugs.gnu.org id=B46961.170662163515329 (code B ref 46961); Tue, 30 Jan 2024 13:34:01 +0000 Received: (at 46961) by debbugs.gnu.org; 30 Jan 2024 13:33:55 +0000 Received: from localhost ([127.0.0.1]:34631 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1rUoFP-0003z6-2x for submit@debbugs.gnu.org; Tue, 30 Jan 2024 08:33:55 -0500 Received: from voltorb.zancanaro.id.au ([45.77.50.64]:48442) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1rUoFM-0003yr-E5 for 46961@debbugs.gnu.org; Tue, 30 Jan 2024 08:33:53 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=k1; bh=C2a8AO/R4Efixes gmf/Y5RvMtuL8yw89eOu//h+uCBM=; h=references:in-reply-to:date:subject: cc:to:from; d=zancanaro.id.au; b=iD+wFiTyECZGtkmTXN4hLZ/YMWYw31Nt5q3S9 exkKkyKU2zIzpnm7siDky2YXHuqv3QLtlT+sQx9noPcQbbo9gKMlstegsT1BdFa7nr6I29 4yno2eusV6FT+WnhwJF94K63MRq/seOl6HawXu7TyGF85UtLzAGCrA7JDeTkBPyA= Received: by voltorb.zancanaro.id.au (OpenSMTPD) with ESMTPSA id ceec39b4 (TLSv1.3:TLS_AES_256_GCM_SHA384:256:NO); Tue, 30 Jan 2024 13:33:26 +0000 (UTC) From: Carlo Zancanaro Date: Tue, 30 Jan 2024 13:26:36 +0000 Message-ID: X-Mailer: git-send-email 2.41.0 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: bug-guix@gnu.org List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-guix-bounces+larch=yhetil.org@gnu.org Sender: bug-guix-bounces+larch=yhetil.org@gnu.org X-Migadu-Flow: FLOW_IN X-Migadu-Country: US X-Migadu-Scanner: mx10.migadu.com X-Spam-Score: -3.79 X-Migadu-Queue-Id: CDB1FC6D1 X-Migadu-Spam-Score: -3.79 X-TUID: Gz8RhFONMboX Message-ID: <20240130132636.hRny34A5Xh3HLOeRkWL9lFt7Y9M0pTHN8nqI_-vnu9g@z> Hi Guix, This patch series is a few changes to make certbot default to doing "the right thing" in the common case of wanting certificates for an nginx web server. The initial change (in v1 of these patches) was to solve the certbot bootstrapping problem. Nginx won't start without valid certificates, but certbot can't produce certificates without a functional nginx. This is solved by generating self-signed certificates to start with, and then replacing them once certbot has run. Doing this requires storing certificates in a different location (because certbot is very particular). I've chosen /etc/certs/. The other two changes (new to v2 of this series) make things a bit easier to use: a one-shot shepherd service to renew certificates when the machine starts up, and a default deploy-hook to reload the nginx configuration (which picks up the new certificates). I think these changes make certbot "do the right thing", at the expense of being slightly more magical. On IRC podiki suggested I should copy guix-devel and Brice (the original bug reporter), so I've done that, too. Carlo Zancanaro (4): services: certbot: Symlink certificates to /etc/certs. services: certbot: Create self-signed certificates before certbot runs. services: certbot: Add a default deploy hook to reload nginx. services: certbot: Add one-shot service to renew certificates. doc/guix.texi | 38 ++++++--- gnu/services/certbot.scm | 178 ++++++++++++++++++++++++++++++++++++--- 2 files changed, 188 insertions(+), 28 deletions(-) base-commit: 144c95032e517bb8ce466b930fe91506bcc92b2b -- 2.41.0