unofficial mirror of help-guix@gnu.org 
* Certbot with DNS Challenge
@ 2021-04-17 10:14 Raghav Gururajan
  2021-04-17 10:25 ` Pierre Langlois
  0 siblings, 1 reply; 7+ messages in thread
From: Raghav Gururajan @ 2021-04-17 10:14 UTC (permalink / raw)
  To: help-guix



Hello Guix!

For certbot-service-type, the manual has an example for HTTP challenge. 
I was wondering if anyone has an example for DNS challenge?

Regards,
RG.



* Re: Certbot with DNS Challenge
  2021-04-17 10:14 Certbot with DNS Challenge Raghav Gururajan
@ 2021-04-17 10:25 ` Pierre Langlois
  2021-04-17 10:35   ` Vincent Legoll
  2021-04-17 12:27   ` Raghav Gururajan
  0 siblings, 2 replies; 7+ messages in thread
From: Pierre Langlois @ 2021-04-17 10:25 UTC (permalink / raw)
  To: Raghav Gururajan; +Cc: help-guix


Hi Raghav,

Raghav Gururajan writes:

> Hello Guix!
>
> For certbot-service-type, the manual has an example for HTTP challenge. I was
> wondering if anyone has an example for DNS challenge?

It just so happens I set it up on my LAN a month ago, and it worked really
well!  I'm using gandi as the provider and I've got a config like this
that creates a wildcard certificate that can be used for any services on
the LAN (I use it for nginx with cgit, and a local IMAP server).

--8<---------------cut here---------------start------------->8---
(define certbot-authentication-hook
  (program-file "certbot-authentication-hook"
    (with-imported-modules '((guix build utils))
      #~(begin
          (use-modules (guix build utils))
          ;; certbot exports the TXT value to publish in CERTBOT_VALIDATION.
          (let ((gandi (string-append #$gandi.cli "/bin/gandi"))
                (validation (getenv "CERTBOT_VALIDATION")))
            ;; The API key stays outside the store, in /etc/gandi/config.yaml.
            (setenv "GANDI_CONFIG" "/etc/gandi/config.yaml")
            (invoke gandi "dns" "create" "example.com" "_acme-challenge" "TXT" validation))))))

(define certbot-cleanup-hook
  (program-file "certbot-cleanup-hook"
    (with-imported-modules '((guix build utils))
      #~(begin
          (use-modules (guix build utils))
          (let ((gandi (string-append #$gandi.cli "/bin/gandi")))
            (setenv "GANDI_CONFIG" "/etc/gandi/config.yaml")
            ;; Remove the challenge record(s) once validation is done.
            (invoke gandi "dns" "delete" "--force" "example.com" "_acme-challenge" "TXT"))))))

(...)

(service certbot-service-type
  (certbot-configuration
    (email "me@example.com")
    (certificates
      (list
        (certificate-configuration
          (domains '("*.example.com"))
          (challenge "dns")
          (authentication-hook certbot-authentication-hook)
          (cleanup-hook certbot-cleanup-hook))))))
--8<---------------cut here---------------end--------------->8---

I did need to store a secret API key on the file system in
/etc/gandi/config.yaml.

As a tip, when working on this it was very useful to be able to pass the
--dry-run option to certbot and use the development ACME server
temporarily. Otherwise, if you do too many attempts on the regular server
you eventually get blocked because of rate limits. But if you use the
dev server, then you have to use --dry-run as well.

I've actually got patches up for the dry-run flag if you need them:
https://issues.guix.gnu.org/47136. Let me know if you test them and/or
have any feedback!

Thanks,
Pierre

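A generic version of the hook pair above, as an added example that is not from this thread, from Guix or from certbot, written in POSIX shell (the form most provider hooks, such as deSEC's hook.sh, take). It assumes certbot's documented hook environment (CERTBOT_DOMAIN, CERTBOT_VALIDATION, and CERTBOT_AUTH_OUTPUT exported only during cleanup) and leaves the provider call as two placeholder functions, publish_txt and remove_txt, which are assumptions to be replaced with the gandi or deSEC API call. Two points the snippet leaves implicit: anything embedded in a program-file lands in /gnu/store, which is world-readable, so the API token belongs in a root-only file outside the store (as with /etc/gandi/config.yaml here, mode 0600); and the hook should wait until the TXT record is actually served before returning, otherwise certbot asks the CA to validate against a zone that has not propagated yet and burns a rate-limited attempt.

```shell
#!/bin/sh
# Added example: a provider-agnostic DNS-01 hook for certbot, usable as both
# the authentication-hook and the cleanup-hook of certbot-service-type (or as
# certbot's --manual-auth-hook / --manual-cleanup-hook). Not code from the
# thread, Guix or certbot. publish_txt and remove_txt are placeholders
# (assumptions) to be replaced with your DNS provider's CLI or API call.
set -eu

# Certbot exports CERTBOT_DOMAIN (for "*.example.com" this is "example.com")
# and CERTBOT_VALIDATION (the token to publish). CERTBOT_AUTH_OUTPUT is
# exported only while the cleanup hook runs.

# Name of the TXT record for a domain; "*." is stripped defensively so a
# wildcard and its apex both map to _acme-challenge.<apex>.
acme_record_name() {
  printf '_acme-challenge.%s\n' "${1#\*.}"
}

# "auth" or "cleanup", derived from the environment certbot provides.
hook_phase() {
  if [ -n "${CERTBOT_AUTH_OUTPUT+set}" ]; then
    echo cleanup
  else
    echo auth
  fi
}

# Query the TXT record. Set DNS_SERVER to an authoritative nameserver for the
# zone to bypass a caching resolver that may hold a negative answer.
lookup_txt() {
  dig +short ${DNS_SERVER:+"@$DNS_SERVER"} TXT "$1" | tr -d '"'
}

# Block until the record carries the expected value, or give up after
# $3 attempts spaced $4 seconds apart. A non-zero exit makes certbot abort
# the order instead of failing validation against a stale zone.
wait_for_txt() {
  name=$1; value=$2; tries=${3:-30}; interval=${4:-5}
  i=0
  while [ "$i" -lt "$tries" ]; do
    if lookup_txt "$name" | grep -Fqx -- "$value"; then
      return 0
    fi
    i=$((i + 1))
    sleep "$interval"
  done
  echo "TXT $name never served $value" >&2
  return 1
}

# Placeholders for the provider call. They must ADD a record rather than
# overwrite one: when a certificate lists both "example.com" and
# "*.example.com", certbot runs the auth hook twice for the same record name
# with two different tokens, and both TXT values must be present at once.
publish_txt() { echo "publish_txt $1 $2: replace with provider API call" >&2; }
remove_txt()  { echo "remove_txt $1 $2: replace with provider API call" >&2; }

# Dispatch only when invoked by certbot (CERTBOT_DOMAIN is set).
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
  name=$(acme_record_name "$CERTBOT_DOMAIN")
  case $(hook_phase) in
    auth)
      publish_txt "$name" "$CERTBOT_VALIDATION"
      wait_for_txt "$name" "$CERTBOT_VALIDATION"
      ;;
    cleanup)
      remove_txt "$name" "$CERTBOT_VALIDATION"
      ;;
  esac
fi
```

One script serves both phases, so in the certbot-configuration the same file can be given to authentication-hook and cleanup-hook (either an absolute path such as /etc/desec/hook.sh, or a local-file with #:recursive? #t so the executable bit is kept; the latter puts the script itself in the store, which is fine as long as no credential is written into it).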

* Re: Certbot with DNS Challenge
  2021-04-17 10:25 ` Pierre Langlois
@ 2021-04-17 10:35   ` Vincent Legoll
  2021-04-17 16:48     ` Pierre Langlois
  2021-04-17 12:27   ` Raghav Gururajan
  1 sibling, 1 reply; 7+ messages in thread
From: Vincent Legoll @ 2021-04-17 10:35 UTC (permalink / raw)
  To: Pierre Langlois; +Cc: Raghav Gururajan, help-guix

Hello,

> [SNIPPED NICE STUFF]

I think that would make a nice addition to the cookbook

Anyone want to try submitting a PR for that ?

-- 
Vincent Legoll



* Re: Certbot with DNS Challenge
  2021-04-17 10:25 ` Pierre Langlois
  2021-04-17 10:35   ` Vincent Legoll
@ 2021-04-17 12:27   ` Raghav Gururajan
  2021-04-17 16:40     ` Pierre Langlois
  1 sibling, 1 reply; 7+ messages in thread
From: Raghav Gururajan @ 2021-04-17 12:27 UTC (permalink / raw)
  To: Pierre Langlois; +Cc: help-guix



Hi Pierre!

> --8<---------------cut here---------------start------------->8---
> (define certbot-authentication-hook
>    (program-file "certbot-authentication-hook"
>      (with-imported-modules '((guix build utils))
>        #~(let ((gandi (string-append #$gandi.cli "/bin/gandi"))
>                (validation (getenv "CERTBOT_VALIDATION")))
>            (use-modules ((guix build utils)))
>            (setenv "GANDI_CONFIG" "/etc/gandi/config.yaml")
>            (invoke gandi "dns" "create" "example.com" "_acme-challenge" "TXT" validation)))))
> 
> (define certbot-cleanup-hook
>    (program-file "certbot-cleanup-hook"
>      (with-imported-modules '((guix build utils))
>        #~(let ((gandi (string-append #$gandi.cli "/bin/gandi")))
>            (use-modules ((guix build utils)))
>            (setenv "GANDI_CONFIG" "/etc/gandi/config.yaml")
>            (invoke gandi "dns" "delete" "--force" "example.com" "_acme-challenge" "TXT")))))
> 
> (...)
> 
> (service certbot-service-type
>    (certbot-configuration
>      (email "me@example.com")
>      (certificates
>        (list
>          (certificate-configuration
>            (domains '("*.example.com"))
>            (challenge "dns")
>            (authentication-hook certbot-authentication-hook)
>            (cleanup-hook certbot-cleanup-hook))))))
> --8<---------------cut here---------------end--------------->8---

Thank you so much! I appreciate it.

I am using deSEC (https://desec.io) and have their hook.sh 
(https://github.com/desec-io/desec-certbot-hook) stored as 
"/etc/desec/hook.sh" on my system.

So, in your snippet, I should replace certbot-*-hook with 
"/etc/desec/hook.sh", right?

Also, does using "*.example.com" mean that the generated cert can be 
used both for the apex/naked domain and any of the subdomains?

> As a tip, when working on this it was very useful to be able to pass the
> --dry-run option to certbot, and use development acme server
> temporarily. Otherwise if you do too many attempts on the regular server
> you eventually get blocked because of limit rates. But if you use the
> dev server, then you have to use --dry-run as well.
> 
> I've actually got patches up for the dry-run flag if you need them:
> https://issues.guix.gnu.org/47136. Let me know if you test them or/and
> have any feedback!

Sure, I'll give it a try.

Regards,
RG.


* Re: Certbot with DNS Challenge
  2021-04-17 12:27   ` Raghav Gururajan
@ 2021-04-17 16:40     ` Pierre Langlois
  2021-04-17 16:53       ` Raghav Gururajan
  0 siblings, 1 reply; 7+ messages in thread
From: Pierre Langlois @ 2021-04-17 16:40 UTC (permalink / raw)
  To: Raghav Gururajan; +Cc: help-guix



Raghav Gururajan writes:

> Hi Pierre!
>
>> --8<---------------cut here---------------start------------->8---
>> (define certbot-authentication-hook
>>    (program-file "certbot-authentication-hook"
>>      (with-imported-modules '((guix build utils))
>>        #~(let ((gandi (string-append #$gandi.cli "/bin/gandi"))
>>                (validation (getenv "CERTBOT_VALIDATION")))
>>            (use-modules ((guix build utils)))
>>            (setenv "GANDI_CONFIG" "/etc/gandi/config.yaml")
>>            (invoke gandi "dns" "create" "example.com" "_acme-challenge" "TXT" validation)))))
>> (define certbot-cleanup-hook
>>    (program-file "certbot-cleanup-hook"
>>      (with-imported-modules '((guix build utils))
>>        #~(let ((gandi (string-append #$gandi.cli "/bin/gandi")))
>>            (use-modules ((guix build utils)))
>>            (setenv "GANDI_CONFIG" "/etc/gandi/config.yaml")
>>            (invoke gandi "dns" "delete" "--force" "example.com" "_acme-challenge" "TXT")))))
>> (...)
>> (service certbot-service-type
>>    (certbot-configuration
>>      (email "me@example.com")
>>      (certificates
>>        (list
>>          (certificate-configuration
>>            (domains '("*.example.com"))
>>            (challenge "dns")
>>            (authentication-hook certbot-authentication-hook)
>>            (cleanup-hook certbot-cleanup-hook))))))
>> --8<---------------cut here---------------end--------------->8---
>
> Thank you so much! I appreciate it.
>
> I am using deSEC (https://desec.io) and have their hook.sh
> (https://github.com/desec-io/desec-certbot-hook) stored as 
> "/etc/desec/hook.sh" on my system.
>
> So, in your snippet, I should replace certbot-*-hook with "/etc/desec/hook.sh",
> right?

Is the "hook.sh" script copied directly from the desec-certbot-hook
package? In which case, I think you'll want to use `file-append` to
directly refer to the package's script, something like this?

--8<---------------cut here---------------start------------->8---
(authentication-hook (file-append desec-certbot-hook "/etc/hook.sh"))
(cleanup-hook (file-append desec-certbot-hook "/etc/hook.sh"))
--8<---------------cut here---------------end--------------->8---

If you look at the Gexp part of the manual, there's more info on what's
available to build those procedures:
https://guix.gnu.org/manual/en/guix.html#G_002dExpressions

That's off the top of my head!

>
> Also, does using "*.example.com" means that the generated cert can be used both
> for apex/naked domain and any of the subdomains?

I /believe/ so yeah, it's a wildcard certificate
(https://en.wikipedia.org/wiki/Wildcard_certificate) so that should
work. That's what I use personally so that I can use a certificate for
subdomains that only exist in the local network, that way the subdomain
names don't "leak" publicly. The drawback being I only get a single
certificate for multiple things.

I suppose if you're setting up public facing services with subdomains,
you're probably better off with different certificates for each. My
knowledge of DNS stuff is pretty limited though.

Hope that's useful!

Pierre

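On the wildcard question, the rule TLS clients apply (RFC 6125, section 6.4.3) is that "*" stands for exactly one leftmost label: "*.example.com" covers www.example.com but neither the apex example.com nor a.b.example.com, which is why a certificate meant for both needs the apex and the wildcard listed as separate names. The following check is an added example, not code from this thread or from Guix; it encodes those rules in POSIX shell so a SAN list can be tested against the hostnames a service will actually present. san_names_from_pem assumes an OpenSSL 1.1.1 or later `openssl x509 -ext subjectAltName` and is only a convenience for feeding a real certificate into cert_covers.

```shell
#!/bin/sh
# Added example (not from the thread or from Guix): decide which hostnames a
# certificate's DNS names cover, following the wildcard rules of RFC 6125
# section 6.4.3 as applied by browsers and TLS libraries: "*" may only be the
# whole leftmost label, it matches exactly one label, and it never matches
# the apex. So "*.example.com" covers "www.example.com" but neither
# "example.com" nor "a.b.example.com".
set -eu

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# cert_name_matches PATTERN HOST -> exit 0 if HOST is covered by PATTERN.
cert_name_matches() {
  pattern=$(lower "$1")
  host=$(lower "$2")
  case $pattern in
    '*.'*)
      suffix=${pattern#\*.}
      # Strip ".suffix" from the end of HOST; what remains must be exactly
      # one non-empty label (no further dots, and not the apex itself).
      rest=${host%".$suffix"}
      [ "$rest" != "$host" ] || return 1   # HOST does not end in ".suffix"
      case $rest in
        ''|*.*) return 1 ;;
        *) return 0 ;;
      esac
      ;;
    *'*'*)
      return 1   # a wildcard anywhere else ("w*.example.com") is not allowed
      ;;
    *)
      [ "$pattern" = "$host" ]
      ;;
  esac
}

# cert_covers HOST NAME... -> exit 0 if any NAME (e.g. the SAN list) covers HOST.
cert_covers() {
  h=$1; shift
  for n in "$@"; do
    if cert_name_matches "$n" "$h"; then return 0; fi
  done
  return 1
}

# SAN DNS names of a PEM certificate, one per line (OpenSSL 1.1.1+), e.g.
#   cert_covers example.com $(san_names_from_pem /etc/letsencrypt/live/example.com/cert.pem)
san_names_from_pem() {
  openssl x509 -in "$1" -noout -ext subjectAltName \
    | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}
```

Run cert_covers with the name list from a (certificate-configuration (domains ...)) before deploying: with only "*.example.com" the apex is reported as uncovered, and with both "example.com" and "*.example.com" every single-label subdomain and the apex pass.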

* Re: Certbot with DNS Challenge
  2021-04-17 10:35   ` Vincent Legoll
@ 2021-04-17 16:48     ` Pierre Langlois
  0 siblings, 0 replies; 7+ messages in thread
From: Pierre Langlois @ 2021-04-17 16:48 UTC (permalink / raw)
  To: Vincent Legoll; +Cc: Raghav Gururajan, help-guix


Hi Vincent,

Vincent Legoll writes:

> Hello,
>
>> [SNIPPED NICE STUFF]
>
> I think that would make a nice addition to the cookbook
>
> Anyone want to try submitting a PR for that ?

That's a good idea, I can give it a go. Before that it would be useful
to merge support for the --dry-run option in the certbot service; an
entry in the cookbook should probably recommend using it while debugging
the auth & cleanup procedures.

Thanks,
Pierre



* Re: Certbot with DNS Challenge
  2021-04-17 16:40     ` Pierre Langlois
@ 2021-04-17 16:53       ` Raghav Gururajan
  0 siblings, 0 replies; 7+ messages in thread
From: Raghav Gururajan @ 2021-04-17 16:53 UTC (permalink / raw)
  To: Pierre Langlois; +Cc: help-guix



Hi Pierre!

>> So, in your snippet, I should replace certbot-*-hook with "/etc/desec/hook.sh",
>> right?
> 
> Is the "hook.sh" script copied directly from the desec-certbot-hook
> package? In which case, I think you'll want to use `file-append` to
> directly refer to the package's script, something like this?
> 
> --8<---------------cut here---------------start------------->8---
> (authentication-hook (file-append desec-certbot-hook "/etc/hook.sh"))
> (cleanup-hook (file-append desec-certbot-hook "/etc/hook.sh"))
> --8<---------------cut here---------------end--------------->8---

The package is not in Guix yet (#47840). For now, I manually downloaded 
the script and placed it in /etc/desec.

I tried the following and it worked:

(service certbot-service-type
  (certbot-configuration
    (email "admin@raghavgururajan.name")
    (certificates
      (list
        (certificate-configuration
          (domains '("raghavgururajan.name" "*.raghavgururajan.name"))
          (challenge "dns")
          (authentication-hook "/etc/desec/hook.sh")
          (cleanup-hook "/etc/desec/hook.sh"))))))

I was wondering how to generate certs with custom CSR, provided by some 
hosting-providers. Any ideas?

Regards,
RG.

