From: Raghav Gururajan
To: Pierre Langlois
Cc: help-guix@gnu.org
Subject: Re: Certbot with DNS Challenge
Date: Sat, 17 Apr 2021 08:27:34 -0400
In-Reply-To: <87tuo5mcln.fsf@gmx.com>

Hi Pierre!
> --8<---------------cut here---------------start------------->8---
> (define certbot-authentication-hook
>   (program-file "certbot-authentication-hook"
>     (with-imported-modules '((guix build utils))
>       #~(let ((gandi (string-append #$gandi.cli "/bin/gandi"))
>               (validation (getenv "CERTBOT_VALIDATION")))
>           (use-modules ((guix build utils)))
>           (setenv "GANDI_CONFIG" "/etc/gandi/config.yaml")
>           (invoke gandi "dns" "create" "example.com" "_acme-challenge"
>                   "TXT" validation)))))
>
> (define certbot-cleanup-hook
>   (program-file "certbot-cleanup-hook"
>     (with-imported-modules '((guix build utils))
>       #~(let ((gandi (string-append #$gandi.cli "/bin/gandi")))
>           (use-modules ((guix build utils)))
>           (setenv "GANDI_CONFIG" "/etc/gandi/config.yaml")
>           (invoke gandi "dns" "delete" "--force" "example.com"
>                   "_acme-challenge" "TXT")))))
>
> (...)
>
> (service certbot-service-type
>          (certbot-configuration
>           (email "me@example.com")
>           (certificates
>            (list
>             (certificate-configuration
>              (domains '("*.example.com"))
>              (challenge "dns")
>              (authentication-hook certbot-authentication-hook)
>              (cleanup-hook certbot-cleanup-hook))))))
> --8<---------------cut here---------------end--------------->8---

Thank you so much! I appreciate it.

I am using deSEC (https://desec.io) and have their hook.sh
(https://github.com/desec-io/desec-certbot-hook) stored as
"/etc/desec/hook.sh" on my system.

So, in your snippet, I should replace certbot-*-hook with
"/etc/desec/hook.sh", right?

Also, does using "*.example.com" mean that the generated cert can be
used both for the apex/naked domain and any of the subdomains?

> As a tip, when working on this it was very useful to be able to pass the
> --dry-run option to certbot, and use the development acme server
> temporarily. Otherwise if you do too many attempts on the regular server
> you eventually get blocked because of rate limits. But if you use the
> dev server, then you have to use --dry-run as well.
>
> I've actually got patches up for the dry-run flag if you need them:
> https://issues.guix.gnu.org/47136. Let me know if you test them and/or
> have any feedback!

Sure, I'll give it a try.

Regards,
RG.
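Added example, not code from the thread or from certbot, deSEC or gandi.cli: a shell sketch of the hook contract that both the quoted Guix hooks and deSEC's hook.sh implement for a DNS-01 challenge. It relies on certbot's documented CERTBOT_DOMAIN and CERTBOT_VALIDATION variables; the DRY_RUN switch, the input checks and the treatment of CERTBOT_DOMAIN as the zone to edit are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). A defensive DNS-01 auth hook:
# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the hook.
# DRY_RUN and the "CERTBOT_DOMAIN is the DNS zone" assumption are ours.

# TXT record name certbot will query. A wildcard "*.example.com" is
# validated at _acme-challenge.example.com, so a leading "*." is dropped.
acme_record_name() {
    domain=${1#\*.}
    printf '_acme-challenge.%s\n' "$domain"
}

# Refuse to run on missing or malformed input, so a misconfigured hook
# fails loudly instead of publishing an empty or odd-looking record.
check_hook_env() {
    [ -n "$CERTBOT_DOMAIN" ] || { echo "CERTBOT_DOMAIN is unset" >&2; return 1; }
    [ -n "$CERTBOT_VALIDATION" ] || { echo "CERTBOT_VALIDATION is unset" >&2; return 1; }
    # ACME key-authorization digests are base64url: letters, digits, '-', '_'.
    case $CERTBOT_VALIDATION in
        *[!A-Za-z0-9_-]*) echo "unexpected characters in CERTBOT_VALIDATION" >&2; return 1 ;;
    esac
}

# With DRY_RUN=1 only report the record that would be created; otherwise
# call the provider CLI the way the quoted Guix hook does (gandi shown).
run_auth_hook() {
    check_hook_env || return 1
    record=$(acme_record_name "$CERTBOT_DOMAIN")
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'would create TXT %s = %s\n' "$record" "$CERTBOT_VALIDATION"
    else
        zone=${CERTBOT_DOMAIN#\*.}
        gandi dns create "$zone" _acme-challenge TXT "$CERTBOT_VALIDATION"
    fi
}

# Entry point when certbot runs this file as the authentication hook:
#   CERTBOT_DOMAIN=... CERTBOT_VALIDATION=... DRY_RUN=1 ./hook.sh auth
case ${1:-} in
    auth) run_auth_hook ;;
esac
```

Running it with DRY_RUN=1 against certbot's own --dry-run, as the quoted tip suggests, lets the record name and token be checked before any real DNS change is made.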