Subject: [bug#26685] certbot service experience
Date: Tue, 24 Oct 2017 10:53:24 -0400
From: Leo Famulari
To: Tobias Geerinckx-Rice
Cc: wingo@igalia.com, 26685@debbugs.gnu.org, clement@lassieur.org

On Thu, Jul 27, 2017 at 07:30:48PM +0200, Tobias Geerinckx-Rice wrote:
> If nobody objects, I'd like a few days to play with this before it gets
> merged. It's a fine service, but I think it privileges the ‘--webroot’
> plugin too much (‘-w’ is a plugin-specific option, not global). I'd
> rather not have my mail box spin up nginx...

I agree that we should, in the long run, offer a more generalized ACME client service.

However, the --webroot method is not specific to any of the other plugins. Instead, it is a general purpose method of obtaining and renewing signed x509 certificates with a running webserver. Certbot requires no server-specific configuration with this method, and the server only needs to be configured to serve a particular directory which will contain the temporary cryptographic "challenge" file. It's not a very tight coupling.

Since serving HTTPS is, in practice, one of the primary use cases for the x509 CA system (as opposed to self-signed certs), I think we should add the service as-is and let people generalize it as they see fit later on.
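
The loose coupling described in the message above can be seen in a small added example, which is not part of the thread or of the Guix service. The client only writes a file under the webroot, and the server only serves `/.well-known/acme-challenge/` (the HTTP-01 path from RFC 8555) and nothing else. Python's standard-library server stands in for nginx; the function and class names are hypothetical, and the token and key-authorization strings are constructed placeholders.

```python
import http.client, http.server, posixpath, re, tempfile, threading
from functools import partial
from pathlib import Path
from urllib.parse import unquote, urlsplit

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"  # HTTP-01 path (RFC 8555)
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")         # base64url alphabet only

def place_challenge(webroot, token, key_authorization):
    """Client side: write the temporary challenge file under the webroot."""
    if not TOKEN_RE.match(token):
        raise ValueError("token is not base64url; refusing to build a path")
    target = Path(webroot) / CHALLENGE_PREFIX.lstrip("/") / token
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(key_authorization)
    return target

class ChallengeOnlyHandler(http.server.SimpleHTTPRequestHandler):
    """Server side: static files, but only below the challenge prefix."""
    def do_GET(self):
        # Normalize first so "../" segments cannot escape the prefix check.
        path = posixpath.normpath(unquote(urlsplit(self.path).path))
        if not path.startswith(CHALLENGE_PREFIX):
            self.send_error(404)
            return
        super().do_GET()
    def log_message(self, *args):  # keep the demo quiet
        pass

def fetch(port, path):
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path)
    resp = conn.getresponse()
    status, body = resp.status, resp.read().decode()
    conn.close()
    return status, body

def run_demo():
    token, key_auth = "constructed-token_123", "constructed-token_123.constructed-thumbprint"
    with tempfile.TemporaryDirectory() as webroot:
        Path(webroot, "private.txt").write_text("not for the CA")  # constructed
        server = http.server.ThreadingHTTPServer(
            ("127.0.0.1", 0), partial(ChallengeOnlyHandler, directory=webroot))
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            place_challenge(webroot, token, key_auth)
            port = server.server_address[1]
            return [fetch(port, p) for p in (CHALLENGE_PREFIX + token,
                    "/private.txt", CHALLENGE_PREFIX + "../../private.txt")]
        finally:
            server.shutdown()
            server.server_close()
```

`run_demo()` returns the status and body for the challenge URL, for a file outside the prefix, and for a traversal attempt through the prefix.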