Date: Thu, 18 Jan 2024 12:09:01 +0000 (+00:00)
From: Moisés Simón
To: help-guix@gnu.org
Message-ID: <611bf86f-52c8-424c-8463-92dc6f0fb5a2@posteo.org>
Subject: Certbot override trusted CA when using custom server

Hi guix,

I'm running my own internal Let's Encrypt server.
The problem is that the certbot service, even if it offers to change the server, does not specify any option to use REQUEST_CA_BUNDLE or skip ssl verification (--no-verify-ssl certbot option). You can see more of the feature here: https://github.com/certbot/certbot/pull/9357

I have my own CA installed in /etc/ssl/certs thanks to a private pkg. Still, certbot is using urllib2 or something like that and it does not use the system certificate store (Ubuntu suffers the same problem), so the question is: how can I extend certbot in my own system config to add the --no-verify-ssl option (without the need to copy all certbot.scm)? Better yet, how can I use the env variable REQUEST_CA_BUNDLE?

I will probably add a patch to specify the --no-verify-ssl but right now I would also like to know if I can extend a service "on the fly".