Re: Certbot with DNS Challenge

[Pierre Langlois <pierre.langlois@gmx.com>]

[-- Attachment #1: Type: text/plain, Size: 3194 bytes --]


Raghav Gururajan writes:

> Hi Pierre!
>
>> --8<---------------cut here---------------start------------->8---
>> (define certbot-authentication-hook
>>    (program-file "certbot-authentication-hook"
>>      (with-imported-modules '((guix build utils))
>>        #~(let ((gandi (string-append #$gandi.cli "/bin/gandi"))
>>                (validation (getenv "CERTBOT_VALIDATION")))
>>            (use-modules ((guix build utils)))
>>            (setenv "GANDI_CONFIG" "/etc/gandi/config.yaml")
>>            (invoke gandi "dns" "create" "example.com" "_acme-challenge" 
> "TXT" validation)))))
>> (define certbot-cleanup-hook
>>    (program-file "certbot-cleanup-hook"
>>      (with-imported-modules '((guix build utils))
>>        #~(let ((gandi (string-append #$gandi.cli "/bin/gandi")))
>>            (use-modules ((guix build utils)))
>>            (setenv "GANDI_CONFIG" "/etc/gandi/config.yaml")
>>            (invoke gandi "dns" "delete" "--force" "example.com" "_acme-challenge" "TXT")))))
>> (...)
>> (service certbot-service-type
>>    (certbot-configuration
>>      (email "me@example.com")
>>      (certificates
>>        (list
>>          (certificate-configuration
>>            (domains '("*.example.com"))
>>            (challenge "dns")
>>            (authentication-hook certbot-authentication-hook)
>>            (cleanup-hook certbot-cleanup-hook))))))
>> --8<---------------cut here---------------end--------------->8---
>
> Thank you so much! I appreciate it.
>
> I am using deSEC (https://desec.io) and have their hook.sh
> (https://github.com/desec-io/desec-certbot-hook) stored as 
> "/etc/desec/hook.sh" on my system.
>
> So, in your snippet, I should replace certbot-*-hook with "/etc/desec/hook.sh",
> right?

Is the "hook.sh" script copied directly from the desec-certbot-hook
package? In which case, I think you'll want to use `file-append` to
directly refer to the package's script, something like this?

--8<---------------cut here---------------start------------->8---
(authentication-hook (file-append desec-certbot-hook "/etc/hook.sh")
(cleanup-hook (file-append desec-certbot-hook "/etc/hook.sh")
--8<---------------cut here---------------end--------------->8---

If you look at the Gexp part of the manual, there's more info on what's
available to build those procedures:
https://guix.gnu.org/manual/en/guix.html#G_002dExpressions

That's off the top of my head!

>
> Also, does using "*.example.com" means that the generated cert can be used both
> for apex/naked domain and any of the subdomains?

I /believe/ so yeah, it's a wildcard certificate
(https://en.wikipedia.org/wiki/Wildcard_certificate) so that should
work. That's what I use personally so that I can use a certificate for
subdomains that only exist in the local network, that way the subdomain
names don't "leak" publicly. The drawback being I only get a single
certificate for multiple things.

I suppose if you're setting up public facing services with subdomains,
you're probably better off with different certificates for each. My
knownledge of DNS stuff is pretty limited though.

Hope that's useful!

Pierre

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 519 bytes --]