[bug#36998] [PATCH] services: certbot: Add --manual-public-ip-logging-ok for manual challenges

[Carlo Zancanaro <carlo@zancanaro.id.au>]

[-- Attachment #1: Type: text/plain, Size: 1545 bytes --]

Hey Ludo’,

On Wed, Sep 11 2019, Ludovic Courtès wrote:
> Perhaps we should pass --manual-public-ip-logging-ok only when 
> ‘challenge’ has the expected value (DNS challenge type; what’s 
> the value for that?), and also document that prominently in the 
> manual?

My understanding is that this flag is necessary for any manual 
challenge type, it's just that our default HTTP challenge doesn't 
use a "manual" challenge type. For a DNS challenge the value for 
challenge should be "dns".

I was a little torn about documenting it in the manual, because 
using the manual IP logging doesn't leak any more information than 
the standard HTTP challenge type. There is a certbot issue 
discussing the problem for manual challenges[1], and the problem 
is when one requests the certificate from a different machine to 
the one that will use the certificate. This doesn't seem to be the 
natural use case for the Guix certbot-service-type, so I didn't 
feel it was necessary to add it to the manual. I'm also fairly 
sure that the logged IPs are not publicly available at the moment, 
based on this[2] and this[3].

Given all of that, I have attached a patch with a small update to 
the manual. I don't think I'd describe it as "prominent", but it 
does mention it in an appropriate place.

Carlo

[1]: https://github.com/certbot/certbot/issues/991
[2]: 
https://community.letsencrypt.org/t/public-logging-of-requesting-ip-addresses/64077
[3]: https://community.letsencrypt.org/t/public-ip-logging/89712


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0001-services-certbot-Add-manual-public-ip-logging-ok-for.patch --]
[-- Type: text/x-diff, Size: 1931 bytes --]

From a2622f26474685378aad1b2dbf4fbcc66f14358e Mon Sep 17 00:00:00 2001
From: Carlo Zancanaro <carlo@zancanaro.id.au>
Date: Sat, 10 Aug 2019 22:52:50 +1000
Subject: [PATCH] services: certbot: Add --manual-public-ip-logging-ok for
 manual challenges

* gnu/services/certbot.scm (certbot-command): Add
  --manual-public-ip-logging-ok flag to the certbot command when doing a
  manual challenge.
---
 doc/guix.texi            | 4 +++-
 gnu/services/certbot.scm | 1 +
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 043851e418..9f550f65e1 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -20146,7 +20146,9 @@ all domains will be Subject Alternative Names on the certificate.
 The challenge type that has to be run by certbot.  If @code{#f} is specified,
 default to the HTTP challenge.  If a value is specified, defaults to the
 manual plugin (see @code{authentication-hook}, @code{cleanup-hook} and
-the documentation at @url{https://certbot.eff.org/docs/using.html#hooks}).
+the documentation at @url{https://certbot.eff.org/docs/using.html#hooks}),
+and gives Let's Encrypt permission to log the public IP address of the
+requesting machine.
 
 @item @code{authentication-hook} (default: @code{#f})
 Command to be run in a shell once for each certificate challenge to be
diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm
index ae34ad17bb..0d3be03383 100644
--- a/gnu/services/certbot.scm
+++ b/gnu/services/certbot.scm
@@ -99,6 +99,7 @@
                             "--manual"
                             (string-append "--preferred-challenges=" challenge)
                             "--cert-name" name
+                            "--manual-public-ip-logging-ok"
                             "-d" (string-join domains ","))
                       (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
                       (if authentication-hook
-- 
2.23.0