* issues.guix.gnu.org certificate expired
@ 2024-06-16 23:08 Andy Tai
2024-06-17 7:30 ` Christopher Baines
0 siblings, 1 reply; 6+ messages in thread
From: Andy Tai @ 2024-06-16 23:08 UTC (permalink / raw)
To: guix-devel
trying to connect to is using Firefox, Firefox says:
----
Did Not Connect: Potential Security Issue
Firefox detected an issue and did not continue to issues.guix.gnu.org.
The website is either misconfigured or your computer clock is set to
the wrong time.
It’s likely the website’s certificate is expired, which prevents
Firefox from connecting securely.
The issue is most likely with the website, and there is nothing you
can do to resolve it. You can notify the website’s administrator about
the problem.
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: issues.guix.gnu.org certificate expired
2024-06-16 23:08 issues.guix.gnu.org certificate expired Andy Tai
@ 2024-06-17 7:30 ` Christopher Baines
2024-06-17 11:03 ` [PATCH maintenance] hydra: services: Reload nginx when certbot updates certificates Carlo Zancanaro
0 siblings, 1 reply; 6+ messages in thread
From: Christopher Baines @ 2024-06-17 7:30 UTC (permalink / raw)
To: Andy Tai; +Cc: guix-devel
[-- Attachment #1: Type: text/plain, Size: 664 bytes --]
Andy Tai <atai@atai.org> writes:
> trying to connect to is using Firefox, Firefox says:
>
> ----
> Did Not Connect: Potential Security Issue
>
> Firefox detected an issue and did not continue to issues.guix.gnu.org.
> The website is either misconfigured or your computer clock is set to
> the wrong time.
>
> It’s likely the website’s certificate is expired, which prevents
> Firefox from connecting securely.
>
> The issue is most likely with the website, and there is nothing you
> can do to resolve it. You can notify the website’s administrator about
> the problem.
I've restarted NGinx on berlin now to address the immediate issue.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 987 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH maintenance] hydra: services: Reload nginx when certbot updates certificates.
2024-06-17 7:30 ` Christopher Baines
@ 2024-06-17 11:03 ` Carlo Zancanaro
2024-06-17 13:26 ` Ludovic Courtès
0 siblings, 1 reply; 6+ messages in thread
From: Carlo Zancanaro @ 2024-06-17 11:03 UTC (permalink / raw)
To: Christopher Baines; +Cc: Andy Tai, guix-devel, guix-sysadmin
* hydra/modules/sysadmin/services.scm (%certbot-deploy-hook): New
variable.
(%certbot-job): Pass %certbot-deploy-hook to certbot invocation.
---
I think this patch should resolve the certificate issue more
permanently. I haven't tested it at all, but I mostly just stole it
from Guix's certbot service. I know it works there, so I'm just
assuming it will work here, too.
hydra/modules/sysadmin/services.scm | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/hydra/modules/sysadmin/services.scm b/hydra/modules/sysadmin/services.scm
index 128b0c1..3d996f5 100644
--- a/hydra/modules/sysadmin/services.scm
+++ b/hydra/modules/sysadmin/services.scm
@@ -7,6 +7,7 @@
;;; Copyright © 2023 Andreas Enge <andreas@enge.fr>
;;; Copyright © 2023 Lars-Dominik Braun <ldb@leibniz-psychology.org>
;;; Copyright © 2024 Arun Isaac <arunisaac@systemreboot.net>
+;;; Copyright © 2024 Carlo Zancanaro <carlo@zancanaro.id.au>
;;;
;;; This program is free software: you can redistribute it and/or modify
;;; it under the terms of the GNU General Public License as published by
@@ -616,11 +617,19 @@ to a selected directory.")
`(("nginx" ,(file-append nginx "/share/nginx/conf")))))
+(define %certbot-deploy-hook
+ ;; Reload nginx after a new certificate is deployed.
+ (with-imported-modules '((gnu services herd))
+ #~(begin
+ (use-modules (gnu services herd))
+ (with-shepherd-action 'nginx ('reload) result result))))
+
+
(define %certbot-job
;; Attempt to renew the Let's Encrypt certificate twice a week.
#~(job "30 0 * * 2,5"
(string-append #$certbot "/bin/certbot renew \
---webroot --webroot-path /var/www")))
+--webroot --webroot-path /var/www --deploy-hook " #$certbot-deploy-hook)))
\f
base-commit: 489fc437c7b3aa0af41a40d6090eb4c51ced0028
--
2.41.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH maintenance] hydra: services: Reload nginx when certbot updates certificates.
2024-06-17 11:03 ` [PATCH maintenance] hydra: services: Reload nginx when certbot updates certificates Carlo Zancanaro
@ 2024-06-17 13:26 ` Ludovic Courtès
2024-06-17 23:35 ` Carlo Zancanaro
0 siblings, 1 reply; 6+ messages in thread
From: Ludovic Courtès @ 2024-06-17 13:26 UTC (permalink / raw)
To: Carlo Zancanaro; +Cc: Christopher Baines, Andy Tai, guix-devel, guix-sysadmin
Hi,
Carlo Zancanaro <carlo@zancanaro.id.au> skribis:
> * hydra/modules/sysadmin/services.scm (%certbot-deploy-hook): New
> variable.
> (%certbot-job): Pass %certbot-deploy-hook to certbot invocation.
Applied, thanks!
> I think this patch should resolve the certificate issue more
> permanently. I haven't tested it at all, but I mostly just stole it
> from Guix's certbot service. I know it works there, so I'm just
> assuming it will work here, too.
Right. However, issues.guix.gnu.org is actually hosted on bayfront,
which uses ‘certbot-service-type’ already (see ‘hydra/bayfront.scm’).
Could it be that it’s not working as advertised?
Ludo’.
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH maintenance] hydra: services: Reload nginx when certbot updates certificates.
2024-06-17 13:26 ` Ludovic Courtès
@ 2024-06-17 23:35 ` Carlo Zancanaro
2024-06-18 12:46 ` Andreas Enge
0 siblings, 1 reply; 6+ messages in thread
From: Carlo Zancanaro @ 2024-06-17 23:35 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: guix-devel, guix-sysadmin
On Mon, Jun 17 2024, Ludovic Courtès wrote:
> Right. However, issues.guix.gnu.org is actually hosted on bayfront,
I'm not so sure about this. To make the change that I sent I grepped for
issues.guix.gnu.org and it showed up in hydra/nginx/berlin.scm in a
variable called %berlin-servers, which is used in %nginx-configuration
in that same file. This is included into hydra/berlin.scm and used in
the nginx configuration for berlin.guix.gnu.org.
From that, I assumed that issues.guix.gnu.org was hosted on berlin. If
I'm wrong about that then I'm very confused!
Carlo
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH maintenance] hydra: services: Reload nginx when certbot updates certificates.
2024-06-17 23:35 ` Carlo Zancanaro
@ 2024-06-18 12:46 ` Andreas Enge
0 siblings, 0 replies; 6+ messages in thread
From: Andreas Enge @ 2024-06-18 12:46 UTC (permalink / raw)
To: Carlo Zancanaro; +Cc: Ludovic Courtès, guix-devel, guix-sysadmin
Am Tue, Jun 18, 2024 at 09:35:10AM +1000 schrieb Carlo Zancanaro:
> I'm not so sure about this. To make the change that I sent I grepped for
> issues.guix.gnu.org and it showed up in hydra/nginx/berlin.scm
Indeed:
$ host issues.guix.gnu.org
issues.guix.gnu.org has address 141.80.181.40
$ host berlin.guix.gnu.org
berlin.guix.gnu.org has address 141.80.181.40
$ host bayfront.guix.gnu.org
bayfront.guix.gnu.org has address 185.233.100.56
So the issues are on (and with?) berlin.
Andreas
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2024-06-18 12:46 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-06-16 23:08 issues.guix.gnu.org certificate expired Andy Tai
2024-06-17 7:30 ` Christopher Baines
2024-06-17 11:03 ` [PATCH maintenance] hydra: services: Reload nginx when certbot updates certificates Carlo Zancanaro
2024-06-17 13:26 ` Ludovic Courtès
2024-06-17 23:35 ` Carlo Zancanaro
2024-06-18 12:46 ` Andreas Enge
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).