Hello Guix!

For certbot-service-type, the manual has an example for HTTP challenge. I was wondering if anyone has an example for DNS challenge?

Regards,
RG.
Hi Raghav,

Raghav Gururajan writes:

> Hello Guix!
>
> For certbot-service-type, the manual has an example for HTTP challenge. I was
> wondering if anyone has an example for DNS challenge?

It just happens I set it up on my LAN a month ago, it worked really well!

I'm using gandi as the provider and I've got a config like this that creates a wildcard certificate that can be used for any services on the LAN (I use it for nginx with cgit, and a local IMAP server).

--8<---------------cut here---------------start------------->8---
(define certbot-authentication-hook
  (program-file "certbot-authentication-hook"
    (with-imported-modules '((guix build utils))
      #~(let ((gandi (string-append #$gandi.cli "/bin/gandi"))
              (validation (getenv "CERTBOT_VALIDATION")))
          (use-modules ((guix build utils)))
          (setenv "GANDI_CONFIG" "/etc/gandi/config.yaml")
          (invoke gandi "dns" "create" "example.com" "_acme-challenge" "TXT" validation)))))

(define certbot-cleanup-hook
  (program-file "certbot-cleanup-hook"
    (with-imported-modules '((guix build utils))
      #~(let ((gandi (string-append #$gandi.cli "/bin/gandi")))
          (use-modules ((guix build utils)))
          (setenv "GANDI_CONFIG" "/etc/gandi/config.yaml")
          (invoke gandi "dns" "delete" "--force" "example.com" "_acme-challenge" "TXT")))))

(...)

(service certbot-service-type
         (certbot-configuration
          (email "me@example.com")
          (certificates
           (list
            (certificate-configuration
             (domains '("*.example.com"))
             (challenge "dns")
             (authentication-hook certbot-authentication-hook)
             (cleanup-hook certbot-cleanup-hook))))))
--8<---------------cut here---------------end--------------->8---

I did need to store a secret API key on the file system in /etc/gandi/config.yaml.

As a tip, when working on this it was very useful to be able to pass the --dry-run option to certbot, and use the development acme server temporarily. Otherwise if you do too many attempts on the regular server you eventually get blocked because of rate limits. But if you use the dev server, then you have to use --dry-run as well.

I've actually got patches up for the dry-run flag if you need them: https://issues.guix.gnu.org/47136. Let me know if you test them and/or have any feedback!

Thanks,
Pierre
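As an added example that is not code from the thread or from Guix: the same two hooks as one POSIX sh script, generalised to derive the record name from the CERTBOT_DOMAIN certbot exports instead of hardcoding example.com, and to reject a malformed validation value before it becomes a provider CLI argument. The ACME_ZONE variable and the choice of hook mode by script name are assumptions; the gandi commands and config path are the ones from the message above.

```sh
#!/bin/sh
# Constructed example, not code from the thread: a generic certbot dns-01 hook.
# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the hook process;
# the TXT record goes at _acme-challenge.<CERTBOT_DOMAIN>. ACME_ZONE (the zone
# the provider CLI manages) is an assumed variable the admin sets.
set -eu

# Fully qualified challenge record name. certbot strips the "*." of a wildcard
# before calling the hook; strip it again so the function is safe to call directly.
acme_record_name() {
    printf '_acme-challenge.%s\n' "${1#\*.}"
}

# Record name relative to the zone, the form `gandi dns create ZONE NAME` (as in
# the thread) expects: zone example.com + domain lan.example.com gives
# _acme-challenge.lan; the apex or a wildcard on it gives plain _acme-challenge.
acme_relative_name() {
    fqdn=$(acme_record_name "$1")
    case "$fqdn" in
        *."$2") printf '%s\n' "${fqdn%.$2}" ;;
        *) echo "$1 is not inside zone $2" >&2; return 1 ;;
    esac
}

# A dns-01 value is base64url(SHA-256(key authorization)): exactly 43 chars of
# [A-Za-z0-9_-]. Refuse anything else before it becomes a CLI argument.
valid_validation() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]{43}$'
}

# Provider-specific part: the gandi commands and config path from the thread.
publish_txt() { gandi dns create "$1" "$2" TXT "$3"; }
remove_txt()  { gandi dns delete --force "$1" "$2" TXT; }

main() {
    valid_validation "${CERTBOT_VALIDATION:-}" ||
        { echo "refusing malformed CERTBOT_VALIDATION" >&2; exit 1; }
    name=$(acme_relative_name "$CERTBOT_DOMAIN" "$ACME_ZONE")
    export GANDI_CONFIG=/etc/gandi/config.yaml
    # One script serves both hooks: install or symlink it under a name
    # containing "cleanup" for the cleanup hook.
    case "${0##*/}" in
        *cleanup*) remove_txt "$ACME_ZONE" "$name" ;;
        *)         publish_txt "$ACME_ZONE" "$name" "$CERTBOT_VALIDATION" ;;
    esac
}

# Only act when certbot is calling; otherwise the functions stay sourceable.
if [ -n "${CERTBOT_DOMAIN:-}" ]; then main; fi
```

Point certificate-configuration's authentication-hook and cleanup-hook at the two installed names (one of them containing "cleanup"), the same way a plain path to a hook script is passed later in this thread.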
Hello,
> [SNIPPED NICE STUFF]
I think that would make a nice addition to the cookbook
Anyone want to try submitting a PR for that?
--
Vincent Legoll
Hi Pierre!

> --8<---------------cut here---------------start------------->8---
> (define certbot-authentication-hook
>   (program-file "certbot-authentication-hook"
>     (with-imported-modules '((guix build utils))
>       #~(let ((gandi (string-append #$gandi.cli "/bin/gandi"))
>               (validation (getenv "CERTBOT_VALIDATION")))
>           (use-modules ((guix build utils)))
>           (setenv "GANDI_CONFIG" "/etc/gandi/config.yaml")
>           (invoke gandi "dns" "create" "example.com" "_acme-challenge" "TXT" validation)))))
>
> (define certbot-cleanup-hook
>   (program-file "certbot-cleanup-hook"
>     (with-imported-modules '((guix build utils))
>       #~(let ((gandi (string-append #$gandi.cli "/bin/gandi")))
>           (use-modules ((guix build utils)))
>           (setenv "GANDI_CONFIG" "/etc/gandi/config.yaml")
>           (invoke gandi "dns" "delete" "--force" "example.com" "_acme-challenge" "TXT")))))
>
> (...)
>
> (service certbot-service-type
>          (certbot-configuration
>           (email "me@example.com")
>           (certificates
>            (list
>             (certificate-configuration
>              (domains '("*.example.com"))
>              (challenge "dns")
>              (authentication-hook certbot-authentication-hook)
>              (cleanup-hook certbot-cleanup-hook))))))
> --8<---------------cut here---------------end--------------->8---

Thank you so much! I appreciate it.

I am using deSEC (https://desec.io) and have their hook.sh (https://github.com/desec-io/desec-certbot-hook) stored as "/etc/desec/hook.sh" on my system.

So, in your snippet, I should replace certbot-*-hook with "/etc/desec/hook.sh", right?

Also, does using "*.example.com" mean that the generated cert can be used both for apex/naked domain and any of the subdomains?

> As a tip, when working on this it was very useful to be able to pass the
> --dry-run option to certbot, and use development acme server
> temporarily. Otherwise if you do too many attempts on the regular server
> you eventually get blocked because of limit rates. But if you use the
> dev server, then you have to use --dry-run as well.
>
> I've actually got patches up for the dry-run flag if you need them:
> https://issues.guix.gnu.org/47136. Let me know if you test them or/and
> have any feedback!

Sure, I'll give it a try.

Regards,
RG.
Raghav Gururajan writes:

> Hi Pierre!
>
>> --8<---------------cut here---------------start------------->8---
>> (define certbot-authentication-hook
>>   (program-file "certbot-authentication-hook"
>>     (with-imported-modules '((guix build utils))
>>       #~(let ((gandi (string-append #$gandi.cli "/bin/gandi"))
>>               (validation (getenv "CERTBOT_VALIDATION")))
>>           (use-modules ((guix build utils)))
>>           (setenv "GANDI_CONFIG" "/etc/gandi/config.yaml")
>>           (invoke gandi "dns" "create" "example.com" "_acme-challenge" "TXT" validation)))))
>>
>> (define certbot-cleanup-hook
>>   (program-file "certbot-cleanup-hook"
>>     (with-imported-modules '((guix build utils))
>>       #~(let ((gandi (string-append #$gandi.cli "/bin/gandi")))
>>           (use-modules ((guix build utils)))
>>           (setenv "GANDI_CONFIG" "/etc/gandi/config.yaml")
>>           (invoke gandi "dns" "delete" "--force" "example.com" "_acme-challenge" "TXT")))))
>>
>> (...)
>>
>> (service certbot-service-type
>>          (certbot-configuration
>>           (email "me@example.com")
>>           (certificates
>>            (list
>>             (certificate-configuration
>>              (domains '("*.example.com"))
>>              (challenge "dns")
>>              (authentication-hook certbot-authentication-hook)
>>              (cleanup-hook certbot-cleanup-hook))))))
>> --8<---------------cut here---------------end--------------->8---
>
> Thank you so much! I appreciate it.
>
> I am using deSEC (https://desec.io) and have their hook.sh
> (https://github.com/desec-io/desec-certbot-hook) stored as
> "/etc/desec/hook.sh" on my system.
>
> So, in your snippet, I should replace certbot-*-hook with "/etc/desec/hook.sh",
> right?

Is the "hook.sh" script copied directly from the desec-certbot-hook package? In which case, I think you'll want to use `file-append` to directly refer to the package's script, something like this?

--8<---------------cut here---------------start------------->8---
(authentication-hook (file-append desec-certbot-hook "/etc/hook.sh"))
(cleanup-hook (file-append desec-certbot-hook "/etc/hook.sh"))
--8<---------------cut here---------------end--------------->8---

If you look at the Gexp part of the manual, there's more info on what's available to build those procedures: https://guix.gnu.org/manual/en/guix.html#G_002dExpressions

That's off the top of my head!

> Also, does using "*.example.com" means that the generated cert can be used both
> for apex/naked domain and any of the subdomains?

I /believe/ so yeah, it's a wildcard certificate (https://en.wikipedia.org/wiki/Wildcard_certificate) so that should work. That's what I use personally so that I can use a certificate for subdomains that only exist in the local network, that way the subdomain names don't "leak" publicly. The drawback being I only get a single certificate for multiple things. I suppose if you're setting up public facing services with subdomains, you're probably better off with different certificates for each. My knowledge of DNS stuff is pretty limited though.

Hope that's useful!

Pierre
Hi Vincent,

Vincent Legoll writes:

> Hello,
>
>> [SNIPPED NICE STUFF]
>
> I think that would make a nice addition to the cookbook
>
> Anyone want to try submitting a PR for that ?

That's a good idea, I can give it a go. Before that it would be useful to merge support for the --dry-run option in the certbot service, an entry in the cookbook should probably recommend using it while debugging the auth&cleanup procedures.

Thanks,
Pierre
Hi Pierre!

>> So, in your snippet, I should replace certbot-*-hook with "/etc/desec/hook.sh",
>> right?
>
> Is the "hook.sh" script copied directly from the desec-certbot-hook
> package? In which case, I think you'll want to use `file-append` to
> directly refer to the package's script, something like this?
>
> --8<---------------cut here---------------start------------->8---
> (authentication-hook (file-append desec-certbot-hook "/etc/hook.sh"))
> (cleanup-hook (file-append desec-certbot-hook "/etc/hook.sh"))
> --8<---------------cut here---------------end--------------->8---

The package is not in Guix yet (#47840). For now, I manually downloaded the script and placed it in /etc/desec.

I tried the following and it worked,

(service certbot-service-type
         (certbot-configuration
          (email "admin@raghavgururajan.name")
          (certificates
           (list
            (certificate-configuration
             (domains '("raghavgururajan.name" "*.raghavgururajan.name"))
             (challenge "dns")
             (authentication-hook "/etc/desec/hook.sh")
             (cleanup-hook "/etc/desec/hook.sh"))))))

I was wondering how to generate certs with custom CSR, provided by some hosting-providers. Any ideas?

Regards,
RG.