From: Pierre Langlois
To: Raghav Gururajan
Cc: help-guix@gnu.org
Subject: Re: Certbot with DNS Challenge
Date: Sat, 17 Apr 2021 11:25:56 +0100
Message-ID: <87tuo5mcln.fsf@gmx.com>

Hi Raghav,

Raghav Gururajan writes:

> Hello Guix!
>
> For certbot-service-type, the manual has an example for HTTP challenge. I was
> wondering if anyone has an example for DNS challenge?

It just happens I set it up on my LAN a month ago, it worked really well! I'm using gandi as the provider and I've got a config like this that creates a wildcard certificate that can be used for any services on the LAN (I use it for nginx with cgit, and a local IMAP server).
--8<---------------cut here---------------start------------->8---
;; Authentication hook: certbot runs it before validation with the challenge
;; token in CERTBOT_VALIDATION, and it publishes the token as the
;; _acme-challenge TXT record through the gandi CLI.
(define certbot-authentication-hook
  (program-file "certbot-authentication-hook"
    (with-imported-modules '((guix build utils))
      #~(let ((gandi (string-append #$gandi.cli "/bin/gandi"))
              (validation (getenv "CERTBOT_VALIDATION")))
          (use-modules ((guix build utils)))
          ;; The gandi CLI reads its API key from this file.
          (setenv "GANDI_CONFIG" "/etc/gandi/config.yaml")
          (invoke gandi "dns" "create" "example.com" "_acme-challenge" "TXT"
                  validation)))))

;; Cleanup hook: certbot runs it after validation to remove the record again.
(define certbot-cleanup-hook
  (program-file "certbot-cleanup-hook"
    (with-imported-modules '((guix build utils))
      #~(let ((gandi (string-append #$gandi.cli "/bin/gandi")))
          (use-modules ((guix build utils)))
          (setenv "GANDI_CONFIG" "/etc/gandi/config.yaml")
          (invoke gandi "dns" "delete" "--force" "example.com" "_acme-challenge"
                  "TXT")))))

(...)

(service certbot-service-type
         (certbot-configuration
          (email "me@example.com")
          (certificates
           (list (certificate-configuration
                  (domains '("*.example.com"))
                  (challenge "dns")
                  (authentication-hook certbot-authentication-hook)
                  (cleanup-hook certbot-cleanup-hook))))))
--8<---------------cut here---------------end--------------->8---

I did need to store a secret API key on the file system in /etc/gandi/config.yaml.

As a tip, when working on this it was very useful to be able to pass the --dry-run option to certbot and use the development ACME server temporarily. Otherwise, if you do too many attempts on the regular server you eventually get blocked because of rate limits. But if you use the dev server, then you have to use --dry-run as well. I've actually got patches up for the dry-run flag if you need them: https://issues.guix.gnu.org/47136.

Let me know if you test them and/or have any feedback!
Thanks,
Pierre
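The hook contract the mail's Scheme hooks implement, as an added shell example that is not part of Pierre's mail or of Guix: it shows what a certbot DNS-01 authentication hook has to get right (the zone for a wildcard name, the shape of the token, the API key file's permissions, and waiting for the record before returning). It takes the `gandi dns create` command line, the `/etc/gandi/config.yaml` path and the `_acme-challenge` record name from the mail, assumes GNU `stat` and `dig` are installed, and prints the provider command instead of running it.

```shell
#!/bin/sh
# Added example, not from Pierre's mail or from Guix: a provider-agnostic
# sketch of what a certbot DNS-01 authentication hook has to get right.
# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the hook; the
# gandi command mirrors the mail's `gandi dns create ...` and is printed,
# not executed, so the composed command line can be reviewed.
set -eu

# Zone the TXT record goes in. A wildcard request ("*.example.com") is
# validated at the base name, so a leading "*." is stripped defensively.
zone_of() {
    printf '%s\n' "${1#\*.}"
}

# The ACME token is 43 base64url characters; anything else is refused so
# unexpected input never reaches the provider CLI.
valid_token() {
    case "$1" in *[!A-Za-z0-9_-]*) return 1 ;; esac
    [ "${#1}" -eq 43 ]
}

# The API key file must be readable only by its owner (GNU stat assumed).
config_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$mode" = 600 ] || [ "$mode" = 400 ]
}

# Compose the provider command for a domain/token pair, or fail closed.
auth_command() {
    valid_token "$2" || return 1
    printf 'gandi dns create %s _acme-challenge TXT %s\n' "$(zone_of "$1")" "$2"
}

# Do not return to certbot before the record is visible: the ACME server
# queries DNS as soon as the hook exits (dig assumed available).
wait_for_txt() {
    zone=$(zone_of "$1"); i=0
    while [ "$i" -lt 30 ]; do
        dig +short TXT "_acme-challenge.$zone" | grep -q -- "$2" && return 0
        i=$((i + 1)); sleep 10
    done
    return 1
}
# Hook body: runs only when certbot invokes this file with its variables set.
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
    config_is_private /etc/gandi/config.yaml || exit 1
    auth_command "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION"
    wait_for_txt "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION"
fi
```

A matching cleanup hook only needs `zone_of` and the `gandi dns delete --force` line from the mail, since no token is involved.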