From: Pierre Langlois <pierre.langlois@gmx.com>
To: 47136@debbugs.gnu.org
Cc: Pierre Langlois <pierre.langlois@gmx.com>
Subject: [bug#47136] [PATCH 3/3] services: certbot: Add dry-run? certificate option.
Date: Sun, 14 Mar 2021 13:15:43 +0000 [thread overview]
Message-ID: <20210314131543.9310-3-pierre.langlois@gmx.com> (raw)
In-Reply-To: <20210314131543.9310-1-pierre.langlois@gmx.com>
* gnu/services/certbot.scm (certificate-configuration): Add dry-run? field.
(certbot-command): Use it to pass --dry-run to certbot.
* doc/guix.texi (Certificate Services): Document dry-run? option.
---
doc/guix.texi | 35 +++++++++++++++++++++++++++++++++++
gnu/services/certbot.scm | 10 +++++++---
2 files changed, 42 insertions(+), 3 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index ec449b1772..322c717941 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -25665,6 +25665,41 @@ certificates and keys; the shell variable @code{$RENEWED_DOMAINS} will
contain a space-delimited list of renewed certificate domains (for
example, @samp{"example.com www.example.com"}.
+@item @code{dry-run?} (default: @code{#f})
+Communitcate with the ACME server but do not update certificates nor
+trigger @code{deploy-hook}. This is useful as a temporary setting to
+test the challenge procedure, especially the @code{authentication-hook}
+and @code{cleanup-hook} while working on them. It's also a good idea to
+use Let's Encrypt's staging server at
+@url{https://acme-staging-v02.api.letsencrypt.org/directory} while
+testing, which allows for higher rate limits, but with which
+@code{certbot} will helpfully refuse to update certificates and
+recommend the @code{dry-run?} option. For example:
+
+@lisp
+(define %authentication-hook
+ (program-file "authentication-hook"
+ #~(let ((domain (getenv "CERTBOT_DOMAIN"))
+ (token (getenv "CERTBOT_TOKEN")))
+ (format #t "Hey, can you authenticate ~a with ~a for me?"
+ domain token))))
+
+(define %cleanup-hook
+ (program-file "authentication-hook"
+ #~(display "Bye")
+
+(service certbot-service-type
+ (certbot-configuration
+ (server "https://acme-staging-v02.api.letsencrypt.org/directory")
+ (certificates
+ (list
+ (certificate-configuration
+ (dry-run? #t)
+ (authentication-hook %authentication-hook)
+ (cleanup-hook %cleanup-hook)
+ (domains '("example.net" "www.example.net")))))))
+@end lisp
+
@end table
@end deftp
diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm
index 1cea68fc2a..15274cf0ed 100644
--- a/gnu/services/certbot.scm
+++ b/gnu/services/certbot.scm
@@ -61,6 +61,8 @@
(cleanup-hook certificate-cleanup-hook
(default #f))
(deploy-hook certificate-configuration-deploy-hook
+ (default #f))
+ (dry-run? certbot-configuration-dry-run?
(default #f)))
(define-record-type* <certbot-configuration>
@@ -96,7 +98,7 @@
(match-lambda
(($ <certificate-configuration> custom-name domains challenge
authentication-hook cleanup-hook
- deploy-hook)
+ deploy-hook dry-run?)
(let ((name (or custom-name (car domains))))
(if challenge
(append
@@ -114,7 +116,8 @@
`("--manual-auth-hook" ,authentication-hook)
'())
(if cleanup-hook `("--manual-cleanup-hook" ,cleanup-hook) '())
- (if deploy-hook `("--deploy-hook" ,deploy-hook) '()))
+ (if deploy-hook `("--deploy-hook" ,deploy-hook) '())
+ (if dry-run? '("--dry-run")))
(append
(list name certbot "certonly" "-n" "--agree-tos"
"--webroot" "-w" webroot
@@ -125,7 +128,8 @@
'("--register-unsafely-without-email"))
(if server `("--server" ,server) '())
(if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
- (if deploy-hook `("--deploy-hook" ,deploy-hook) '()))))))
+ (if deploy-hook `("--deploy-hook" ,deploy-hook) '())
+ (if dry-run? '("--dry-run") '()))))))
certificates)))
(program-file
"certbot-command"
--
2.30.2
next prev parent reply other threads:[~2021-03-14 13:17 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-14 13:08 [bug#47136] [PATCH 0/3] services: certbot: Add dry-run? option and a couple of other minor fixes Pierre Langlois
2021-03-14 13:15 ` [bug#47136] [PATCH 1/3] services: certbot: Remove deprecated --manual-public-ip-logging-ok Pierre Langlois
2021-03-14 13:15 ` [bug#47136] [PATCH 2/3] services: certbot: Refer to authentication-hook in documentation Pierre Langlois
2021-03-14 13:15 ` Pierre Langlois [this message]
2021-04-17 16:51 ` [bug#47136] [PATCH 3/3] services: certbot: Add dry-run? certificate option Pierre Langlois
2021-04-17 17:38 ` Leo Famulari
2021-04-17 18:05 ` Pierre Langlois
2021-03-14 13:22 ` [bug#47136] [PATCH 1/3] services: certbot: Remove deprecated --manual-public-ip-logging-ok Pierre Langlois
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210314131543.9310-3-pierre.langlois@gmx.com \
--to=pierre.langlois@gmx.com \
--cc=47136@debbugs.gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.