From: Pierre Langlois <pierre.langlois@gmx.com>
To: Raghav Gururajan
Cc: help-guix@gnu.org
Subject: Re: Certbot with DNS Challenge
Date: Sat, 17 Apr 2021 17:40:03 +0100
Message-ID: <87v98klva4.fsf@gmx.com>
References: <87tuo5mcln.fsf@gmx.com>
User-agent: mu4e 1.4.15; emacs 27.2
Raghav Gururajan writes:

> Hi Pierre!
>
>> --8<---------------cut here---------------start------------->8---
>> (define certbot-authentication-hook
>>   (program-file "certbot-authentication-hook"
>>     (with-imported-modules '((guix build utils))
>>       #~(let ((gandi (string-append #$gandi.cli "/bin/gandi"))
>>               (validation (getenv "CERTBOT_VALIDATION")))
>>           (use-modules ((guix build utils)))
>>           (setenv "GANDI_CONFIG" "/etc/gandi/config.yaml")
>>           (invoke gandi "dns" "create" "example.com" "_acme-challenge"
>>                   "TXT" validation)))))
>>
>> (define certbot-cleanup-hook
>>   (program-file "certbot-cleanup-hook"
>>     (with-imported-modules '((guix build utils))
>>       #~(let ((gandi (string-append #$gandi.cli "/bin/gandi")))
>>           (use-modules ((guix build utils)))
>>           (setenv "GANDI_CONFIG" "/etc/gandi/config.yaml")
>>           (invoke gandi "dns" "delete" "--force" "example.com"
>>                   "_acme-challenge" "TXT")))))
>>
>> (...)
>>
>> (service certbot-service-type
>>          (certbot-configuration
>>           (email "me@example.com")
>>           (certificates
>>            (list
>>             (certificate-configuration
>>              (domains '("*.example.com"))
>>              (challenge "dns")
>>              (authentication-hook certbot-authentication-hook)
>>              (cleanup-hook certbot-cleanup-hook))))))
>> --8<---------------cut here---------------end--------------->8---
>
> Thank you so much! I appreciate it.
>
> I am using deSEC (https://desec.io) and have their hook.sh
> (https://github.com/desec-io/desec-certbot-hook) stored as
> "/etc/desec/hook.sh" on my system.
>
> So, in your snippet, I should replace certbot-*-hook with "/etc/desec/hook.sh",
> right?

Is the "hook.sh" script copied directly from the desec-certbot-hook
package? In which case, I think you'll want to use `file-append` to
directly refer to the package's script, something like this?

--8<---------------cut here---------------start------------->8---
(authentication-hook (file-append desec-certbot-hook "/etc/hook.sh"))
(cleanup-hook (file-append desec-certbot-hook "/etc/hook.sh"))
--8<---------------cut here---------------end--------------->8---

If you look at the Gexp part of the manual, there's more info on what's
available to build those procedures:
https://guix.gnu.org/manual/en/guix.html#G_002dExpressions

That's off the top of my head!

> Also, does using "*.example.com" mean that the generated cert can be used both
> for apex/naked domain and any of the subdomains?

I /believe/ so yeah, it's a wildcard certificate
(https://en.wikipedia.org/wiki/Wildcard_certificate) so that should work.
That's what I use personally so that I can use a certificate for
subdomains that only exist in the local network, that way the subdomain
names don't "leak" publicly. The drawback being I only get a single
certificate for multiple things. I suppose if you're setting up public
facing services with subdomains, you're probably better off with
different certificates for each.

My knowledge of DNS stuff is pretty limited though.

Hope that's useful!

Pierre
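Editor's added example, not code from Pierre's reply, Raghav's setup or the Guix project: a complete certbot DNS-01 configuration that generates both manual hooks from one procedure, derives the TXT record name from the CERTBOT_DOMAIN variable certbot exports instead of hard-coding it, and refuses to act outside the configured zone. Assumptions: the gandi CLI is called with exactly the `gandi dns create` / `gandi dns delete --force` arguments from Pierre's snippet (untested here), the package is reachable as `specification->package "gandi.cli"`, the credentials file path `/etc/gandi/config.yaml` is the one from the snippet, and the `authentication-hook` / `cleanup-hook` fields accept file-like objects such as `program-file`. The zone, email and hook names are placeholders.

```scheme
;; Added example (editor's, not code from the thread or from Guix itself):
;; one generator for both certbot DNS-01 hooks plus the service that uses
;; them.  Assumptions are marked below.
(use-modules (gnu)
             (gnu services certbot)
             (guix gexp))

;; The only zone these hooks may modify.  Checking CERTBOT_DOMAIN against
;; it means a typo in a certificate entry cannot make the hook write TXT
;; records into another zone the API token happens to control.
(define zone "example.com")

;; Assumption: the provider CLI is the gandi.cli package, called with the
;; same `gandi dns create|delete' arguments Pierre's snippet uses.  Swap in
;; your own provider's tool here (deSEC's hook.sh needs no wrapper at all:
;; point the hook fields straight at it).
(define gandi
  (file-append (specification->package "gandi.cli") "/bin/gandi"))

(define (make-dns-hook action)
  "Return a program-file usable as a certbot manual hook.  ACTION is
\"create\" (authentication hook) or \"delete\" (cleanup hook)."
  (program-file (string-append "certbot-dns-" action "-hook")
    (with-imported-modules '((guix build utils))
      #~(begin
          (use-modules (guix build utils))
          (let* ((domain     (getenv "CERTBOT_DOMAIN"))
                 (validation (getenv "CERTBOT_VALIDATION"))
                 (zone       #$zone)
                 (suffix     (string-append "." zone)))
            ;; certbot sets these for every hook run; without them the
            ;; script was started by hand and must not touch the provider.
            (unless (and domain validation)
              (format (current-error-port)
                      "~a hook: CERTBOT_DOMAIN/CERTBOT_VALIDATION unset~%"
                      #$action)
              (exit 1))
            ;; certbot passes a wildcard's base name (`*.example.com'
            ;; arrives as `example.com'), so the apex and the wildcard both
            ;; map to the record `_acme-challenge.example.com'.
            (let ((name (cond ((string=? domain zone) "_acme-challenge")
                              ((string-suffix? suffix domain)
                               (string-append
                                "_acme-challenge."
                                (string-drop-right
                                 domain (string-length suffix))))
                              (else
                               (format (current-error-port)
                                       "refusing ~a: outside zone ~a~%"
                                       domain zone)
                               (exit 1)))))
              ;; The API token lives in a root-only file outside the store;
              ;; anything written into this gexp would be world-readable
              ;; under /gnu/store.  Path taken from Pierre's snippet.
              (setenv "GANDI_CONFIG" "/etc/gandi/config.yaml")
              (apply invoke #$gandi "dns" #$action
                     (if (string=? #$action "create")
                         (list zone name "TXT" validation)
                         (list "--force" zone name "TXT")))))))))

;; Add this to the `services' field of the operating-system, e.g.
;; (services (cons certbot-dns-service %base-services)).
(define certbot-dns-service
  (service certbot-service-type
           (certbot-configuration
            (email "me@example.com")
            (certificates
             (list
              (certificate-configuration
               ;; A wildcard matches exactly one label, so "*.example.com"
               ;; does not cover the apex "example.com"; list both.
               (domains (list zone (string-append "*." zone)))
               (challenge "dns")
               (authentication-hook (make-dns-hook "create"))
               (cleanup-hook (make-dns-hook "delete"))))))))
```

Two points worth keeping whichever provider tool you substitute: the hook runs as root with DNS API credentials, so the token must stay in a root-only file referenced by path (everything in a gexp or `program-file` ends up world-readable in the store), and the hook should verify the zone it is about to write to rather than trusting its arguments, because a wrong entry in `domains` would otherwise turn into writes against any zone the token can reach.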