From: Brice Waegeneire <brice@waegenei.re>
To: bug-guix@gnu.org
Cc: guix-devel@gnu.org
Subject: Nginx and certbot services don't play well together
Date: Sat, 06 Mar 2021 09:15:04 +0100
Message-ID: <87pn0cy9yv.fsf@waegenei.re>
Hello Guix,

After a suggestion from Tobias to give a try at forcing HTTPS for Guix's
websites on berlin, I had a go at it but it was more complex than what I
was expecting. Looking deeper at the nginx and certbot services, it
appears both services don't play that well together, requiring an
initial dance when deploying a new HTTPS virtual server. As explained in
#36389¹ you need to:

« - run system configuration with just the certbot service
- use certbot to generate your initial certificates
- reconfigure with additional nginx server configuration, pointing to
the SSL certificates created by certbot »

Indeed, with an operating-system containing the following services it's
impossible to start Nginx and Certbot at once as one would expect:

--8<---------------cut here---------------start------------->8---
(service nginx-service-type)
(service php-fpm-service-type)
(service certbot-service-type
         (certbot-configuration
          (certificates
           (list
            (certificate-configuration
             (domains '("test.sama.re"))
             ;; Reload nginx once certbot has written a new certificate.
             (deploy-hook
              (program-file "nginx-deploy-hook"
                            #~(let ((pid (call-with-input-file "/var/run/nginx.pid" read)))
                                (kill pid SIGHUP)))))))))
(cat-avatar-generator-service
 #:configuration
 (nginx-server-configuration
  (listen '("443 ssl"))
  (server-name '("test.sama.re"))
  ;; These paths do not exist until certbot has run once.
  (ssl-certificate "/etc/letsencrypt/live/test.sama.re/fullchain.pem")
  (ssl-certificate-key "/etc/letsencrypt/live/test.sama.re/privkey.pem")))
--8<---------------cut here---------------end--------------->8---

Here is the error from reconfiguring the system:

--8<---------------cut here---------------start------------->8---
# guix system reconfigure /etc/config.sm
[...]
building /gnu/store/55cq2ja4i5489s55viv9fh50032d1ziy-switch-to-system.scm.drv...
making '/gnu/store/p2rkcmrnpls5py7x2iappf2qcbxwlb95-system' the current system...
setting up setuid programs in '/run/setuid-programs'...
populating /etc from /gnu/store/k2kb8hsq3q0dhhad4a9pjh4kx32mn4g0-etc...
/var/lib/certbot/renew-certificates may need to be run
creating nginx log directory '/var/log/nginx'
creating nginx run directory '/var/run/nginx'
creating nginx temp directories '/var/run/nginx/{client_body,proxy,fastcgi,uwsgi,scgi}_temp'
nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/test.sama.re/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/test.sama.re/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /gnu/store/chpw631djay2w39x7agg8zz53iayy4zy-nginx.conf test failed
`/gnu/store/jyxc290q7jyhhpalski0h13h8z9zvnka-openssh-authorized-keys/bricewge' -> `/etc/ssh/authorized_keys.d/bricewge'
The following derivation will be built:
  /gnu/store/qlzbrmpx6wnhzqcpqi9yrbb6xva82kvr-install-bootloader.scm.drv
building /gnu/store/qlzbrmpx6wnhzqcpqi9yrbb6xva82kvr-install-bootloader.scm.drv...
guix system: bootloader successfully installed on '/dev/sda'
The following derivation will be built:
  /gnu/store/ikak44inrnz3b3dx8j8csdakgqafbijn-upgrade-shepherd-services.scm.drv
building /gnu/store/ikak44inrnz3b3dx8j8csdakgqafbijn-upgrade-shepherd-services.scm.drv...
shepherd: Removing service 'dbus-system'...
shepherd: Service dbus-system has been stopped.
shepherd: Done.
shepherd: Service host-name has been started.
shepherd: Service user-homes has been started.
shepherd: Service host-name has been started.
shepherd: Service term-auto could not be started.
shepherd: Service php-fpm has been started.
guix system: warning: exception caught while executing 'start' on service 'nginx':
Throw to key `%exception' with args `("#<&invoke-error program: \"/gnu/store/hn1mvgafkpf5knrnzvwpgpdlzmq553al-nginx-1.19.6/sbin/nginx\" arguments: (\"-c\" \"/gnu/store/chpw631djay2w39x7agg8zz53iayy4zy-nginx.conf\" \"-p\" \"/var/run/nginx\") exit-status: 1 term-signal: #f stop-signal: #f>")'.
guix system: warning: some services could not be upgraded
hint: To allow changes to all the system services to take effect, you will need to reboot.
--8<---------------cut here---------------end--------------->8---

What happens is Nginx won't start because the certificate-related files
present in its configuration don't exist, and we can't get a Let's
Encrypt certificate from an HTTP-01 challenge without that web server
running.

NixOS broke that chicken-and-egg problem by generating a self-signed
certificate first, after that starting nginx, then requesting a valid
Let's Encrypt certificate and finally reloading Nginx. That way we end
up with an Nginx server using a Let's Encrypt certificate with no more
than a simple system reconfiguration. Note that the initial self-signed
certificate will need to be at the path where certbot will put its own
certificate.

WDYT?

¹ https://bugs.gnu.org/36389

Cheers,
- Brice
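Added example, not part of the message above and not Guix's or NixOS's service code: the bootstrap step Brice describes (a self-signed placeholder written to the exact path certbot will later overwrite, so nginx's config test passes on the first reconfigure) as a stand-alone Go program rather than a Guile activation snippet. It is idempotent, so it never clobbers a certificate certbot has already issued, and it includes the check an operator wants afterwards: whether the file at the live path is still the self-signed placeholder, i.e. whether the ACME step has actually replaced it. The directory argument, the 7-day validity and the test.sama.re domain are assumptions for illustration; in a real deployment the placeholder would go under /etc/letsencrypt/live/<domain>/ and the deploy hook from the configuration above would do the final SIGHUP reload.

```go
// Added illustration, not Guix or NixOS code: bootstrap a self-signed
// placeholder at certbot's live path (liveDir, domain, 7-day validity assumed).
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// File names certbot writes under /etc/letsencrypt/live/<domain>/.
const (
	fullchainName = "fullchain.pem"
	privkeyName   = "privkey.pem"
)

// EnsurePlaceholderCert writes a self-signed certificate and key for domain
// into liveDir only when no fullchain.pem exists there, and reports whether it
// did so. An existing pair (from certbot or an earlier run) is never touched.
func EnsurePlaceholderCert(liveDir, domain string) (bool, error) {
	certPath := filepath.Join(liveDir, fullchainName)
	if _, err := os.Stat(certPath); err == nil {
		return false, nil // idempotent: never clobber a real certificate
	}
	if err := os.MkdirAll(liveDir, 0o755); err != nil {
		return false, err
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(now.UnixNano()), // uniqueness is enough for a throwaway cert
		Subject:               pkix.Name{CommonName: domain},
		DNSNames:              []string{domain},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(7 * 24 * time.Hour), // short on purpose: it must be replaced
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true, // explicitly not a CA
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return false, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return false, err
	}
	// Key first and owner-only (0600), so nginx never sees a cert without its key.
	if err := writePEM(filepath.Join(liveDir, privkeyName), "EC PRIVATE KEY", keyDER, 0o600); err != nil {
		return false, err
	}
	if err := writePEM(certPath, "CERTIFICATE", der, 0o644); err != nil {
		return false, err
	}
	return true, nil
}

func writePEM(path, typ string, der []byte, mode os.FileMode) error {
	return os.WriteFile(path, pem.EncodeToMemory(&pem.Block{Type: typ, Bytes: der}), mode)
}

// IsSelfSignedPlaceholder reports whether the certificate at certPath is still
// the self-signed placeholder, i.e. certbot has not yet replaced it with a CA-
// issued one; a deploy hook or a monitoring check can alert on that.
func IsSelfSignedPlaceholder(certPath string) (bool, error) {
	data, err := os.ReadFile(certPath)
	if err != nil {
		return false, err
	}
	block, _ := pem.Decode(data)
	if block == nil || block.Type != "CERTIFICATE" {
		return false, errors.New("no CERTIFICATE block in " + certPath)
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false, err
	}
	// Self-signed iff the signature verifies under the cert's own public key.
	return cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil, nil
}

func main() {
	dir, _ := os.MkdirTemp("", "live-") // stand-in for /etc/letsencrypt/live/test.sama.re
	defer os.RemoveAll(dir)
	created, err := EnsurePlaceholderCert(dir, "test.sama.re")
	self, _ := IsSelfSignedPlaceholder(filepath.Join(dir, fullchainName))
	fmt.Println("created:", created, "still self-signed:", self, "err:", err)
}
```

Run it before starting nginx (in Guix terms, from an activation or a one-shot Shepherd service ordered before nginx); certbot then overwrites both files in place and the existing deploy hook reloads nginx. Checking IsSelfSignedPlaceholder some minutes after a reconfigure is the cheap way to notice that the HTTP-01 step silently failed and the host is still serving the placeholder.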