From: Pierre Langlois
To: 47136@debbugs.gnu.org
Cc: Pierre Langlois
Subject: [bug#47136] [PATCH 3/3] services: certbot: Add dry-run? certificate option.
Date: Sun, 14 Mar 2021 13:15:43 +0000
Message-Id: <20210314131543.9310-3-pierre.langlois@gmx.com>
In-Reply-To: <20210314131543.9310-1-pierre.langlois@gmx.com>
References: <87k0q9c28e.fsf@gmx.com> <20210314131543.9310-1-pierre.langlois@gmx.com>
X-Mailer: git-send-email 2.30.2

* gnu/services/certbot.scm (certificate-configuration): Add dry-run? field.
(certbot-command): Use it to pass --dry-run to certbot.
* doc/guix.texi (Certificate Services): Document dry-run? option.
---
 doc/guix.texi            | 35 +++++++++++++++++++++++++++++++++++
 gnu/services/certbot.scm | 10 +++++++---
 2 files changed, 42 insertions(+), 3 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index ec449b1772..322c717941 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -25665,6 +25665,41 @@ certificates and keys; the shell variable @code{$= RENEWED_DOMAINS} will contain a space-delimited list of renewed certificate domains (for example, @samp{"example.com www.example.com"}. +@item @code{dry-run?} (default: @code{#f}) +Communitcate with the ACME server but do not update certificates nor +trigger @code{deploy-hook}. This is useful as a temporary setting to +test the challenge procedure, especially the @code{authentication-hook} +and @code{cleanup-hook} while working on them. It's also a good idea to +use Let's Encrypt's staging server at +@url{https://acme-staging-v02.api.letsencrypt.org/directory} while +testing, which allows for higher rate limits, but with which +@code{certbot} will helpfully refuse to update certificates and +recommend the @code{dry-run?} option. For example: + +@lisp +(define %authentication-hook + (program-file "authentication-hook" + #~(let ((domain (getenv "CERTBOT_DOMAIN")) + (token (getenv "CERTBOT_TOKEN"))) + (format #t "Hey, can you authenticate ~a with ~a for me?" + domain token)))) + +(define %cleanup-hook + (program-file "authentication-hook" + #~(display "Bye") + +(service certbot-service-type + (certbot-configuration + (server "https://acme-staging-v02.api.letsencrypt.org/directory= ") + (certificates + (list + (certificate-configuration + (dry-run? #t) + (authentication-hook %authentication-hook) + (cleanup-hook %cleanup-hook) + (domains '("example.net" "www.example.net"))))))) +@end lisp + @end table @end deftp diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm index 1cea68fc2a..15274cf0ed 100644 =2D-- a/gnu/services/certbot.scm +++ b/gnu/services/certbot.scm @@ -61,6 +61,8 @@ (cleanup-hook certificate-cleanup-hook (default #f)) (deploy-hook certificate-configuration-deploy-hook + (default #f)) + (dry-run? certbot-configuration-dry-run? (default #f))) (define-record-type* 
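Review bot: in the certbot.scm hunk at @@ -61,6 +61,8 @@, the accessor for the new field is named `certbot-configuration-dry-run?`, but the field is being added to the `certificate-configuration` record, whose sibling accessors carry the `certificate-` prefix (`certificate-configuration-deploy-hook`, `certificate-cleanup-hook`). Suggest `(dry-run? certificate-configuration-dry-run? (default #f))` so the name does not read as an accessor of the separate `certbot-configuration` record and cannot collide with one later.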
@@ -96,7 +98,7 @@ (match-lambda (($ custom-name domains chall= enge authentication-hook clean= up-hook - deploy-hook) + deploy-hook dry-run?) (let ((name (or custom-name (car domains)))) (if challenge (append @@ -114,7 +116,8 @@ `("--manual-auth-hook" ,authentication-hook) '()) (if cleanup-hook `("--manual-cleanup-hook" ,cleanup= -hook) '()) - (if deploy-hook `("--deploy-hook" ,deploy-hook) '()= )) + (if deploy-hook `("--deploy-hook" ,deploy-hook) '()= ) + (if dry-run? '("--dry-run"))) (append (list name certbot "certonly" "-n" "--agree-tos" "--webroot" "-w" webroot @@ -125,7 +128,8 @@ '("--register-unsafely-without-email")) (if server `("--server" ,server) '()) (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) = '()) - (if deploy-hook `("--deploy-hook" ,deploy-hook) '()= )))))) + (if deploy-hook `("--deploy-hook" ,deploy-hook) '()= ) + (if dry-run? '("--dry-run") '())))))) certificates))) (program-file "certbot-command" =2D- 2.30.2
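Review bot: the doc/guix.texi hunk has a typo ("Communitcate" should be "Communicate") and the example in it is not well-formed: `%cleanup-hook` is built with `(program-file "authentication-hook" ...)`, reusing the authentication hook's file name, and the `define` is never closed, since `#~(display "Bye")` runs straight into the next top-level `(service ...)` form. Suggest `(define %cleanup-hook (program-file "cleanup-hook" #~(display "Bye")))`. It would also help to state explicitly that because a dry run does "not update certificates", leaving `dry-run?` set to `#t` in a deployed configuration means renewals never happen, which makes the "temporary setting" wording more concrete.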
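Review bot: in the hunk at @@ -114,7 +116,8 @@, `(if dry-run? '("--dry-run")))` has no else branch, so whenever `dry-run?` is `#f` the form yields an unspecified value that is then passed to `append`, which expects a list; the manual-challenge command will fail in the default case rather than only when the option is set. The later hunk at @@ -125,7 +128,8 @@ gets it right with `(if dry-run? '("--dry-run") '())`; the manual-challenge branch should use the same form.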