all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
* [bug#47136] [PATCH 0/3] services: certbot: Add dry-run? option and a couple of other minor fixes.
@ 2021-03-14 13:08 Pierre Langlois
  2021-03-14 13:15 ` [bug#47136] [PATCH 1/3] services: certbot: Remove deprecated --manual-public-ip-logging-ok Pierre Langlois
  0 siblings, 1 reply; 8+ messages in thread
From: Pierre Langlois @ 2021-03-14 13:08 UTC (permalink / raw)
  To: 47136

[-- Attachment #1: Type: text/plain, Size: 942 bytes --]

Hi Guix!

I was recently updating my certbot definition to use a manual DNS
challenge, and I found using the Let's Encrypt staging server along with
the --dry-run option to be really useful. Especially given it can take a
few attempts to correctly build your own hooks.

So I've added the option to set dry-run? in the certificate
configuration, let me know what you think!  I've also included a couple
of patches in the series for minor fixes, removing a now deprecated flag
and a small fix in the docs.

Thanks,
Pierre

Pierre Langlois (3):
  services: certbot: Remove deprecated --manual-public-ip-logging-ok.
  services: certbot: Refer to authentication-hook in documentation.
  services: certbot: Add dry-run? certificate option.

 doc/guix.texi            | 43 ++++++++++++++++++++++++++++++++++++----
 gnu/services/certbot.scm | 12 +++++++----
 2 files changed, 47 insertions(+), 8 deletions(-)

-- 
2.30.2


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 519 bytes --]

^ permalink raw reply	[flat|nested] 8+ messages in thread

* [bug#47136] [PATCH 1/3] services: certbot: Remove deprecated --manual-public-ip-logging-ok.
  2021-03-14 13:08 [bug#47136] [PATCH 0/3] services: certbot: Add dry-run? option and a couple of other minor fixes Pierre Langlois
@ 2021-03-14 13:15 ` Pierre Langlois
  2021-03-14 13:15   ` [bug#47136] [PATCH 2/3] services: certbot: Refer to authentication-hook in documentation Pierre Langlois
                     ` (2 more replies)
  0 siblings, 3 replies; 8+ messages in thread
From: Pierre Langlois @ 2021-03-14 13:15 UTC (permalink / raw)
  To: 47136; +Cc: Pierre Langlois

The --manual-public-ip-logging-ok flag is now a no-op and was deprecated
https://github.com/certbot/certbot/pull/8381

* gnu/sevices/certbot.scm (certbot-command): Remove
--manual-public-ip-logging-ok when doing a manual challenge.
---
 gnu/services/certbot.scm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm
index 1c67ff63f1..1cea68fc2a 100644
--- a/gnu/services/certbot.scm
+++ b/gnu/services/certbot.scm
@@ -5,6 +5,7 @@
 ;;; Copyright © 2019 Julien Lepiller <julien@lepiller.eu>
 ;;; Copyright © 2020 Jack Hill <jackhill@jackhill.us>
 ;;; Copyright © 2020 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright © 2021 Pierre Langlois <pierre.langlois@gmx.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -103,7 +104,6 @@
                             "--manual"
                             (string-append "--preferred-challenges=" challenge)
                             "--cert-name" name
-                            "--manual-public-ip-logging-ok"
                             "-d" (string-join domains ","))
                       (if email
                           `("--email" ,email)
--
2.30.2





^ permalink raw reply related	[flat|nested] 8+ messages in thread

* [bug#47136] [PATCH 2/3] services: certbot: Refer to authentication-hook in documentation.
  2021-03-14 13:15 ` [bug#47136] [PATCH 1/3] services: certbot: Remove deprecated --manual-public-ip-logging-ok Pierre Langlois
@ 2021-03-14 13:15   ` Pierre Langlois
  2021-03-14 13:15   ` [bug#47136] [PATCH 3/3] services: certbot: Add dry-run? certificate option Pierre Langlois
  2021-03-14 13:22   ` [bug#47136] [PATCH 1/3] services: certbot: Remove deprecated --manual-public-ip-logging-ok Pierre Langlois
  2 siblings, 0 replies; 8+ messages in thread
From: Pierre Langlois @ 2021-03-14 13:15 UTC (permalink / raw)
  To: 47136; +Cc: Pierre Langlois

* doc/guix.texi (Cerfiticate Services): Refer to non-abbreviated
authentication-hook instead of auth-hook.
---
 doc/guix.texi | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 4cf241c56a..ec449b1772 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -25651,10 +25651,10 @@ file name of the resource requested when performing an HTTP-01 challenge.

 @item @code{cleanup-hook} (default: @code{#f})
 Command to be run in a shell once for each certificate challenge that
-have been answered by the @code{auth-hook}.  For this command, the shell
-variables available in the @code{auth-hook} script are still available, and
-additionally @code{$CERTBOT_AUTH_OUTPUT} will contain the standard output
-of the @code{auth-hook} script.
+have been answered by the @code{authentication-hook}.  For this command,
+the shell variables available in the @code{authentication-hook} script
+are still available, and additionally @code{$CERTBOT_AUTH_OUTPUT} will
+contain the standard output of the @code{authentication-hook} script.

 @item @code{deploy-hook} (default: @code{#f})
 Command to be run in a shell once for each successfully issued
--
2.30.2





^ permalink raw reply related	[flat|nested] 8+ messages in thread

* [bug#47136] [PATCH 3/3] services: certbot: Add dry-run? certificate option.
  2021-03-14 13:15 ` [bug#47136] [PATCH 1/3] services: certbot: Remove deprecated --manual-public-ip-logging-ok Pierre Langlois
  2021-03-14 13:15   ` [bug#47136] [PATCH 2/3] services: certbot: Refer to authentication-hook in documentation Pierre Langlois
@ 2021-03-14 13:15   ` Pierre Langlois
  2021-04-17 16:51     ` Pierre Langlois
  2021-03-14 13:22   ` [bug#47136] [PATCH 1/3] services: certbot: Remove deprecated --manual-public-ip-logging-ok Pierre Langlois
  2 siblings, 1 reply; 8+ messages in thread
From: Pierre Langlois @ 2021-03-14 13:15 UTC (permalink / raw)
  To: 47136; +Cc: Pierre Langlois

* gnu/services/certbot.scm (certificate-configuration): Add dry-run? field.
(certbot-command): Use it to pass --dry-run to certbot.
* doc/guix.texi (Certificate Services): Document dry-run? option.
---
 doc/guix.texi            | 35 +++++++++++++++++++++++++++++++++++
 gnu/services/certbot.scm | 10 +++++++---
 2 files changed, 42 insertions(+), 3 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index ec449b1772..322c717941 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -25665,6 +25665,41 @@ certificates and keys; the shell variable @code{$RENEWED_DOMAINS} will
 contain a space-delimited list of renewed certificate domains (for
 example, @samp{"example.com www.example.com"}.

+@item @code{dry-run?} (default: @code{#f})
+Communitcate with the ACME server but do not update certificates nor
+trigger @code{deploy-hook}.  This is useful as a temporary setting to
+test the challenge procedure, especially the @code{authentication-hook}
+and @code{cleanup-hook} while working on them.  It's also a good idea to
+use Let's Encrypt's staging server at
+@url{https://acme-staging-v02.api.letsencrypt.org/directory} while
+testing, which allows for higher rate limits, but with which
+@code{certbot} will helpfully refuse to update certificates and
+recommend the @code{dry-run?} option.  For example:
+
+@lisp
+(define %authentication-hook
+  (program-file "authentication-hook"
+    #~(let ((domain (getenv "CERTBOT_DOMAIN"))
+            (token (getenv "CERTBOT_TOKEN")))
+        (format #t "Hey, can you authenticate ~a with ~a for me?"
+                domain token))))
+
+(define %cleanup-hook
+  (program-file "authentication-hook"
+    #~(display "Bye")
+
+(service certbot-service-type
+         (certbot-configuration
+          (server "https://acme-staging-v02.api.letsencrypt.org/directory")
+          (certificates
+           (list
+            (certificate-configuration
+              (dry-run? #t)
+              (authentication-hook %authentication-hook)
+              (cleanup-hook %cleanup-hook)
+              (domains '("example.net" "www.example.net")))))))
+@end lisp
+
 @end table
 @end deftp

diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm
index 1cea68fc2a..15274cf0ed 100644
--- a/gnu/services/certbot.scm
+++ b/gnu/services/certbot.scm
@@ -61,6 +61,8 @@
   (cleanup-hook        certificate-cleanup-hook
                        (default #f))
   (deploy-hook         certificate-configuration-deploy-hook
+                       (default #f))
+  (dry-run?            certbot-configuration-dry-run?
                        (default #f)))

 (define-record-type* <certbot-configuration>
@@ -96,7 +98,7 @@
               (match-lambda
                 (($ <certificate-configuration> custom-name domains challenge
                                                 authentication-hook cleanup-hook
-                                                deploy-hook)
+                                                deploy-hook dry-run?)
                  (let ((name (or custom-name (car domains))))
                    (if challenge
                      (append
@@ -114,7 +116,8 @@
                           `("--manual-auth-hook" ,authentication-hook)
                           '())
                       (if cleanup-hook `("--manual-cleanup-hook" ,cleanup-hook) '())
-                      (if deploy-hook `("--deploy-hook" ,deploy-hook) '()))
+                      (if deploy-hook `("--deploy-hook" ,deploy-hook) '())
+                      (if dry-run? '("--dry-run")))
                      (append
                       (list name certbot "certonly" "-n" "--agree-tos"
                             "--webroot" "-w" webroot
@@ -125,7 +128,8 @@
                           '("--register-unsafely-without-email"))
                       (if server `("--server" ,server) '())
                       (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
-                      (if deploy-hook `("--deploy-hook" ,deploy-hook) '()))))))
+                      (if deploy-hook `("--deploy-hook" ,deploy-hook) '())
+                      (if dry-run? '("--dry-run") '()))))))
               certificates)))
        (program-file
         "certbot-command"
--
2.30.2





^ permalink raw reply related	[flat|nested] 8+ messages in thread

* [bug#47136] [PATCH 1/3] services: certbot: Remove deprecated --manual-public-ip-logging-ok.
  2021-03-14 13:15 ` [bug#47136] [PATCH 1/3] services: certbot: Remove deprecated --manual-public-ip-logging-ok Pierre Langlois
  2021-03-14 13:15   ` [bug#47136] [PATCH 2/3] services: certbot: Refer to authentication-hook in documentation Pierre Langlois
  2021-03-14 13:15   ` [bug#47136] [PATCH 3/3] services: certbot: Add dry-run? certificate option Pierre Langlois
@ 2021-03-14 13:22   ` Pierre Langlois
  2 siblings, 0 replies; 8+ messages in thread
From: Pierre Langlois @ 2021-03-14 13:22 UTC (permalink / raw)
  To: 47136; +Cc: Pierre Langlois

[-- Attachment #1: Type: text/plain, Size: 287 bytes --]


Pierre Langlois writes:

> The --manual-public-ip-logging-ok flag is now a no-op and was deprecated
> https://github.com/certbot/certbot/pull/8381
>
> * gnu/sevices/certbot.scm (certbot-command): Remove
          ^
          |
Oups, I've got a typo here, fixed locally!

Thanks,
Pierre

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 519 bytes --]

^ permalink raw reply	[flat|nested] 8+ messages in thread

* [bug#47136] [PATCH 3/3] services: certbot: Add dry-run? certificate option.
  2021-03-14 13:15   ` [bug#47136] [PATCH 3/3] services: certbot: Add dry-run? certificate option Pierre Langlois
@ 2021-04-17 16:51     ` Pierre Langlois
  2021-04-17 17:38       ` Leo Famulari
  0 siblings, 1 reply; 8+ messages in thread
From: Pierre Langlois @ 2021-04-17 16:51 UTC (permalink / raw)
  To: 47136; +Cc: Pierre Langlois

[-- Attachment #1: Type: text/plain, Size: 4522 bytes --]

Hi all,

Friendly ping on this series :-).

Thanks,
Pierre

Pierre Langlois writes:

> * gnu/services/certbot.scm (certificate-configuration): Add dry-run? field.
> (certbot-command): Use it to pass --dry-run to certbot.
> * doc/guix.texi (Certificate Services): Document dry-run? option.
> ---
>  doc/guix.texi            | 35 +++++++++++++++++++++++++++++++++++
>  gnu/services/certbot.scm | 10 +++++++---
>  2 files changed, 42 insertions(+), 3 deletions(-)
>
> diff --git a/doc/guix.texi b/doc/guix.texi
> index ec449b1772..322c717941 100644
> --- a/doc/guix.texi
> +++ b/doc/guix.texi
> @@ -25665,6 +25665,41 @@ certificates and keys; the shell variable @code{$RENEWED_DOMAINS} will
>  contain a space-delimited list of renewed certificate domains (for
>  example, @samp{"example.com www.example.com"}.
>
> +@item @code{dry-run?} (default: @code{#f})
> +Communitcate with the ACME server but do not update certificates nor

note-to-self, typo here: Communicate

> +trigger @code{deploy-hook}.  This is useful as a temporary setting to
> +test the challenge procedure, especially the @code{authentication-hook}
> +and @code{cleanup-hook} while working on them.  It's also a good idea to
> +use Let's Encrypt's staging server at
> +@url{https://acme-staging-v02.api.letsencrypt.org/directory} while
> +testing, which allows for higher rate limits, but with which
> +@code{certbot} will helpfully refuse to update certificates and
> +recommend the @code{dry-run?} option.  For example:
> +
> +@lisp
> +(define %authentication-hook
> +  (program-file "authentication-hook"
> +    #~(let ((domain (getenv "CERTBOT_DOMAIN"))
> +            (token (getenv "CERTBOT_TOKEN")))
> +        (format #t "Hey, can you authenticate ~a with ~a for me?"
> +                domain token))))
> +
> +(define %cleanup-hook
> +  (program-file "authentication-hook"
> +    #~(display "Bye")
> +
> +(service certbot-service-type
> +         (certbot-configuration
> +          (server "https://acme-staging-v02.api.letsencrypt.org/directory")
> +          (certificates
> +           (list
> +            (certificate-configuration
> +              (dry-run? #t)
> +              (authentication-hook %authentication-hook)
> +              (cleanup-hook %cleanup-hook)
> +              (domains '("example.net" "www.example.net")))))))
> +@end lisp
> +
>  @end table
>  @end deftp
>
> diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm
> index 1cea68fc2a..15274cf0ed 100644
> --- a/gnu/services/certbot.scm
> +++ b/gnu/services/certbot.scm
> @@ -61,6 +61,8 @@
>    (cleanup-hook        certificate-cleanup-hook
>                         (default #f))
>    (deploy-hook         certificate-configuration-deploy-hook
> +                       (default #f))
> +  (dry-run?            certbot-configuration-dry-run?
>                         (default #f)))
>
>  (define-record-type* <certbot-configuration>
> @@ -96,7 +98,7 @@
>                (match-lambda
>                  (($ <certificate-configuration> custom-name domains challenge
>                                                  authentication-hook cleanup-hook
> -                                                deploy-hook)
> +                                                deploy-hook dry-run?)
>                   (let ((name (or custom-name (car domains))))
>                     (if challenge
>                       (append
> @@ -114,7 +116,8 @@
>                            `("--manual-auth-hook" ,authentication-hook)
>                            '())
>                        (if cleanup-hook `("--manual-cleanup-hook" ,cleanup-hook) '())
> -                      (if deploy-hook `("--deploy-hook" ,deploy-hook) '()))
> +                      (if deploy-hook `("--deploy-hook" ,deploy-hook) '())
> +                      (if dry-run? '("--dry-run")))
>                       (append
>                        (list name certbot "certonly" "-n" "--agree-tos"
>                              "--webroot" "-w" webroot
> @@ -125,7 +128,8 @@
>                            '("--register-unsafely-without-email"))
>                        (if server `("--server" ,server) '())
>                        (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
> -                      (if deploy-hook `("--deploy-hook" ,deploy-hook) '()))))))
> +                      (if deploy-hook `("--deploy-hook" ,deploy-hook) '())
> +                      (if dry-run? '("--dry-run") '()))))))
>                certificates)))
>         (program-file
>          "certbot-command"


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 519 bytes --]

^ permalink raw reply	[flat|nested] 8+ messages in thread

* [bug#47136] [PATCH 3/3] services: certbot: Add dry-run? certificate option.
  2021-04-17 16:51     ` Pierre Langlois
@ 2021-04-17 17:38       ` Leo Famulari
  2021-04-17 18:05         ` Pierre Langlois
  0 siblings, 1 reply; 8+ messages in thread
From: Leo Famulari @ 2021-04-17 17:38 UTC (permalink / raw)
  To: Pierre Langlois; +Cc: 47136

On Sat, Apr 17, 2021 at 05:51:46PM +0100, Pierre Langlois wrote:
> Hi all,
> 
> Friendly ping on this series :-).

Just FYI, we are in "string freeze" until Guix 1.2.1 is released. This
means no changes to the manual or other translatable parts of Guix until
then.




^ permalink raw reply	[flat|nested] 8+ messages in thread

* [bug#47136] [PATCH 3/3] services: certbot: Add dry-run? certificate option.
  2021-04-17 17:38       ` Leo Famulari
@ 2021-04-17 18:05         ` Pierre Langlois
  0 siblings, 0 replies; 8+ messages in thread
From: Pierre Langlois @ 2021-04-17 18:05 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 47136, Pierre Langlois

[-- Attachment #1: Type: text/plain, Size: 368 bytes --]

Hi Leo,

Leo Famulari writes:

> On Sat, Apr 17, 2021 at 05:51:46PM +0100, Pierre Langlois wrote:
>> Hi all,
>> 
>> Friendly ping on this series :-).
>
> Just FYI, we are in "string freeze" until Guix 1.2.1 is released. This
> means no changes to the manual or other translatable parts of Guix until
> then.

Aaah I see, thanks for the info!

Pierre


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 519 bytes --]

^ permalink raw reply	[flat|nested] 8+ messages in thread

end of thread, other threads:[~2021-04-17 18:06 UTC | newest]

Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-03-14 13:08 [bug#47136] [PATCH 0/3] services: certbot: Add dry-run? option and a couple of other minor fixes Pierre Langlois
2021-03-14 13:15 ` [bug#47136] [PATCH 1/3] services: certbot: Remove deprecated --manual-public-ip-logging-ok Pierre Langlois
2021-03-14 13:15   ` [bug#47136] [PATCH 2/3] services: certbot: Refer to authentication-hook in documentation Pierre Langlois
2021-03-14 13:15   ` [bug#47136] [PATCH 3/3] services: certbot: Add dry-run? certificate option Pierre Langlois
2021-04-17 16:51     ` Pierre Langlois
2021-04-17 17:38       ` Leo Famulari
2021-04-17 18:05         ` Pierre Langlois
2021-03-14 13:22   ` [bug#47136] [PATCH 1/3] services: certbot: Remove deprecated --manual-public-ip-logging-ok Pierre Langlois

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.