Subject: [bug#35330] [PATCH] gnu: certbot: Add support for manual plugin.
From: Julien Lepiller
Date: Fri, 19 Apr 2019 23:23:20 +0200
Message-Id: <20190419212320.20256-1-julien@lepiller.eu>
To: 35330@debbugs.gnu.org

* gnu/services/certbot.scm (certificate-configuration): Add challenge,
auth-hook and cleanup-hook fields.
(certbot-command): Use them.
* doc/guix.texi (Certificate Services): Document them.
---
 doc/guix.texi            | 19 +++++++++++++++++++
 gnu/services/certbot.scm | 38 ++++++++++++++++++++++++++++----------
 2 files changed, 47 insertions(+), 10 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 8c7522f286..7bbec33d10 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -19416,6 +19416,25 @@ Its default is the first provided domain. The first domain provided will be the subject CN of the certificate, and all domains will be Subject Alternative Names on the certificate. +@item @code{challenge} (default: @code{#f}) +The challenge type that has to be run by certbot. If @code{#f} is specified, +default to the http challenge. If a value is specified, defaults to the +manual plugin (see @code{auth-hook} and @code{cleanup-hook}). + +@item @code{auth-hook} (default: @code{#f}) +Command to be run in a shell once for each certificate challenge to be +answered. For this command, the shell variable @code{$CERTBOT_DOMAIN} +will contain the domain being authenticated, @code{$CERTBOT_VALIDATION} +contains the validation string and @code{$CERTBOT_TOKEN} contains the +filename of the resource requested when performing an HTTP-01 challenge. + +@item @code{cleanup-hook} (default: @code{#f}) +Command to be run in a shell once for each certificate challenge that +have been answered by the @code{auth-hook}. For this command, the shell +variables available in the @code{auth-hook} script are still available, and +additionally @code{$CERTBOT_AUTH_OUTPUT} will contain the standard output +of the @code{auth-hook} script. + @item @code{deploy-hook} (default: @code{#f}) Command to be run in a shell once for each successfully issued certificate. For this command, the shell variable diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm index 7565bc97ca..95c39684cf 100644 --- a/gnu/services/certbot.scm +++ b/gnu/services/certbot.scm @@ -50,6 +50,12 @@ (default #f)) (domains certificate-configuration-domains (default '())) + (challenge certificate-configuration-challenge + (default #f)) + (auth-hook certificate-auth-hook + (default #f)) + (cleanup-hook certificate-cleanup-hook + (default #f)) (deploy-hook certificate-configuration-deploy-hook (default #f))) 
@@ -81,17 +87,29 @@ (commands (map (match-lambda - (($ custom-name domains - deploy-hook) + (($ custom-name domains challenge + auth-hook cleanup-hook deploy-hook) (let ((name (or custom-name (car domains)))) - (append - (list name certbot "certonly" "-n" "--agree-tos" - "-m" email - "--webroot" "-w" webroot - "--cert-name" name - "-d" (string-join domains ",")) - (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '()) - (if deploy-hook `("--deploy-hook" ,deploy-hook) '()))))) + (if challenge + (append + (list name certbot "certonly" "-n" "--agree-tos" + "-m" email + "--manual" + (string-append "--preferred-challenges=" challenge) + "--cert-name" name + "-d" (string-join domains ",")) + (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '()) + (if auth-hook `("--manual-auth-hook" ,auth-hook) '()) + (if cleanup-hook `("--manual-cleanup-hook" ,cleanup-hook) '()) + (if deploy-hook `("--deploy-hook" ,deploy-hook) '())) + (append + (list name certbot "certonly" "-n" "--agree-tos" + "-m" email + "--webroot" "-w" webroot + "--cert-name" name + "-d" (string-join domains ",")) + (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '()) + (if deploy-hook `("--deploy-hook" ,deploy-hook) '())))))) certificates))) (program-file "certbot-command" -- 2.21.0
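Review bot: In the doc/guix.texi hunk, the @code{cleanup-hook} entry reads "each certificate challenge that have been answered", which should be "that has been answered", and the @code{challenge} entry switches between "default to" and "defaults to". Since the value is passed verbatim to certbot as @code{--preferred-challenges=}, that entry should also say which challenge names are accepted and that setting it switches from the webroot plugin to the manual plugin; something like "The challenge type certbot should use. When @code{#f}, the HTTP challenge is answered through the webroot plugin; otherwise the manual plugin is used with this challenge type (see @code{auth-hook} and @code{cleanup-hook})."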
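Review bot: The accessor names in the record hunk of gnu/services/certbot.scm are inconsistent: `certificate-configuration-challenge` keeps the existing `certificate-configuration-` prefix, but `certificate-auth-hook` and `certificate-cleanup-hook` drop the `configuration` part while the neighbouring `certificate-configuration-deploy-hook` keeps it. Suggest renaming them to `certificate-configuration-auth-hook` and `certificate-configuration-cleanup-hook`.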
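Review bot: In the `certbot-command` hunk the two `append` branches duplicate everything except the plugin selection (`certbot "certonly" "-n" "--agree-tos" "-m" email`, `"--cert-name" name`, `"-d" (string-join domains ",")`, the `--rsa-key-size` and `--deploy-hook` options all appear twice). Build the common argument list once and splice in either `("--webroot" "-w" webroot)` or `("--manual" (string-append "--preferred-challenges=" challenge))` followed by the `--manual-auth-hook`/`--manual-cleanup-hook` options, so future flags only need to be added in one place. Separately, certbot is always run with `-n` (non-interactive), yet `auth-hook` stays optional in the `challenge` branch: a configuration that sets `challenge` but leaves `auth-hook` at `#f` produces a `--manual` invocation that cannot prompt for the validation step and will only fail when the job runs. Consider rejecting that combination when the configuration is built (or documenting that `auth-hook` is required whenever `challenge` is set).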