Hi Pierre!

> --8<---------------cut here---------------start------------->8---
> (define certbot-authentication-hook
>   (program-file "certbot-authentication-hook"
>     (with-imported-modules '((guix build utils))
>       #~(let ((gandi (string-append #$gandi.cli "/bin/gandi"))
>               (validation (getenv "CERTBOT_VALIDATION")))
>           (use-modules ((guix build utils)))
>           (setenv "GANDI_CONFIG" "/etc/gandi/config.yaml")
>           (invoke gandi "dns" "create" "example.com" "_acme-challenge" "TXT" validation)))))
>
> (define certbot-cleanup-hook
>   (program-file "certbot-cleanup-hook"
>     (with-imported-modules '((guix build utils))
>       #~(let ((gandi (string-append #$gandi.cli "/bin/gandi")))
>           (use-modules ((guix build utils)))
>           (setenv "GANDI_CONFIG" "/etc/gandi/config.yaml")
>           (invoke gandi "dns" "delete" "--force" "example.com" "_acme-challenge" "TXT")))))
>
> (...)
>
> (service certbot-service-type
>   (certbot-configuration
>     (email "me@example.com")
>     (certificates
>       (list
>         (certificate-configuration
>           (domains '("*.example.com"))
>           (challenge "dns")
>           (authentication-hook certbot-authentication-hook)
>           (cleanup-hook certbot-cleanup-hook))))))
> --8<---------------cut here---------------end--------------->8---

Thank you so much! I appreciate it.

I am using deSEC (https://desec.io) and have their hook.sh
(https://github.com/desec-io/desec-certbot-hook) stored as
"/etc/desec/hook.sh" on my system. So, in your snippet, I should replace
certbot-*-hook with "/etc/desec/hook.sh", right?

Also, does using "*.example.com" mean that the generated cert can be used
both for apex/naked domain and any of the subdomains?

> As a tip, when working on this it was very useful to be able to pass the
> --dry-run option to certbot, and use development acme server
> temporarily. Otherwise if you do too many attempts on the regular server
> you eventually get blocked because of limit rates. But if you use the
> dev server, then you have to use --dry-run as well.
>
> I've actually got patches up for the dry-run flag if you need them:
> https://issues.guix.gnu.org/47136. Let me know if you test them or/and
> have any feedback!

Sure, I'll give it a try.

Regards,
RG.
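
On the wildcard question in the message above, an added example (not part of the thread, and not certbot's or Guix's code): a Python check of which hostnames a set of certificate names covers under the RFC 6125 wildcard rules. `name_covers` and `uncovered` are hypothetical helper names, and the hostnames are constructed samples.

```python
# Added example: which hostnames a certificate name covers (RFC 6125 rules).
# Helper names and sample hostnames are constructed for illustration.

def name_covers(cert_name: str, hostname: str) -> bool:
    """Return True if a certificate DNS name matches hostname.

    A wildcard is honoured only as the complete left-most label and
    stands for exactly one label, so it never matches the apex and
    never spans several labels.
    """
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels) or "" in host_labels:
        return False
    if cert_labels[0] == "*":
        # Conservative extra check (not an RFC 6125 requirement):
        # refuse overly broad patterns such as "*.com".
        if len(cert_labels) < 3:
            return False
        return cert_labels[1:] == host_labels[1:]
    if "*" in cert_name:
        return False  # partial or non-leftmost wildcards are rejected here
    return cert_labels == host_labels


def uncovered(cert_names, hostnames):
    """List the hostnames that none of the certificate names cover."""
    return [h for h in hostnames
            if not any(name_covers(c, h) for c in cert_names)]


if __name__ == "__main__":
    hosts = ["example.com", "www.example.com", "a.b.example.com"]
    # Wildcard alone: the apex and the two-level subdomain stay uncovered.
    print(uncovered(["*.example.com"], hosts))
    # Apex listed next to the wildcard: only the deeper name is left.
    print(uncovered(["example.com", "*.example.com"], hosts))
```

To cover the apex as well, list `example.com` alongside `*.example.com` in `domains`; with the DNS challenge both names are validated through the same `_acme-challenge.example.com` TXT record name.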