* [bug#47136] [PATCH 0/3] services: certbot: Add dry-run? option and a couple of other minor fixes.
@ 2021-03-14 13:08 Pierre Langlois
2021-03-14 13:15 ` [bug#47136] [PATCH 1/3] services: certbot: Remove deprecated --manual-public-ip-logging-ok Pierre Langlois
0 siblings, 1 reply; 8+ messages in thread
From: Pierre Langlois @ 2021-03-14 13:08 UTC (permalink / raw)
To: 47136
[-- Attachment #1: Type: text/plain, Size: 942 bytes --]
Hi Guix!
I was recently updating my certbot definition to use a manual DNS
challenge, and I found using the Let's Encrypt staging server along with
the --dry-run option to be really useful. Especially given it can take a
few attempts to correctly build your own hooks.
So I've added the option to set dry-run? in the certificate
configuration, let me know what you think! I've also included a couple
of patches in the series for minor fixes, removing a now deprecated flag
and a small fix in the docs.
Thanks,
Pierre
Pierre Langlois (3):
services: certbot: Remove deprecated --manual-public-ip-logging-ok.
services: certbot: Refer to authentication-hook in documentation.
services: certbot: Add dry-run? certificate option.
doc/guix.texi | 43 ++++++++++++++++++++++++++++++++++++----
gnu/services/certbot.scm | 12 +++++++----
2 files changed, 47 insertions(+), 8 deletions(-)
--
2.30.2
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 519 bytes --]
^ permalink raw reply [flat|nested] 8+ messages in thread
* [bug#47136] [PATCH 1/3] services: certbot: Remove deprecated --manual-public-ip-logging-ok.
2021-03-14 13:08 [bug#47136] [PATCH 0/3] services: certbot: Add dry-run? option and a couple of other minor fixes Pierre Langlois
@ 2021-03-14 13:15 ` Pierre Langlois
2021-03-14 13:15 ` [bug#47136] [PATCH 2/3] services: certbot: Refer to authentication-hook in documentation Pierre Langlois
` (2 more replies)
0 siblings, 3 replies; 8+ messages in thread
From: Pierre Langlois @ 2021-03-14 13:15 UTC (permalink / raw)
To: 47136; +Cc: Pierre Langlois
The --manual-public-ip-logging-ok flag is now a no-op and was deprecated
https://github.com/certbot/certbot/pull/8381
* gnu/sevices/certbot.scm (certbot-command): Remove
--manual-public-ip-logging-ok when doing a manual challenge.
---
gnu/services/certbot.scm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm
index 1c67ff63f1..1cea68fc2a 100644
--- a/gnu/services/certbot.scm
+++ b/gnu/services/certbot.scm
@@ -5,6 +5,7 @@
;;; Copyright © 2019 Julien Lepiller <julien@lepiller.eu>
;;; Copyright © 2020 Jack Hill <jackhill@jackhill.us>
;;; Copyright © 2020 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright © 2021 Pierre Langlois <pierre.langlois@gmx.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -103,7 +104,6 @@
"--manual"
(string-append "--preferred-challenges=" challenge)
"--cert-name" name
- "--manual-public-ip-logging-ok"
"-d" (string-join domains ","))
(if email
`("--email" ,email)
--
2.30.2
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [bug#47136] [PATCH 2/3] services: certbot: Refer to authentication-hook in documentation.
2021-03-14 13:15 ` [bug#47136] [PATCH 1/3] services: certbot: Remove deprecated --manual-public-ip-logging-ok Pierre Langlois
@ 2021-03-14 13:15 ` Pierre Langlois
2021-03-14 13:15 ` [bug#47136] [PATCH 3/3] services: certbot: Add dry-run? certificate option Pierre Langlois
2021-03-14 13:22 ` [bug#47136] [PATCH 1/3] services: certbot: Remove deprecated --manual-public-ip-logging-ok Pierre Langlois
2 siblings, 0 replies; 8+ messages in thread
From: Pierre Langlois @ 2021-03-14 13:15 UTC (permalink / raw)
To: 47136; +Cc: Pierre Langlois
* doc/guix.texi (Cerfiticate Services): Refer to non-abbreviated
authentication-hook instead of auth-hook.
---
doc/guix.texi | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index 4cf241c56a..ec449b1772 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -25651,10 +25651,10 @@ file name of the resource requested when performing an HTTP-01 challenge.
@item @code{cleanup-hook} (default: @code{#f})
Command to be run in a shell once for each certificate challenge that
-have been answered by the @code{auth-hook}. For this command, the shell
-variables available in the @code{auth-hook} script are still available, and
-additionally @code{$CERTBOT_AUTH_OUTPUT} will contain the standard output
-of the @code{auth-hook} script.
+have been answered by the @code{authentication-hook}. For this command,
+the shell variables available in the @code{authentication-hook} script
+are still available, and additionally @code{$CERTBOT_AUTH_OUTPUT} will
+contain the standard output of the @code{authentication-hook} script.
@item @code{deploy-hook} (default: @code{#f})
Command to be run in a shell once for each successfully issued
--
2.30.2
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [bug#47136] [PATCH 3/3] services: certbot: Add dry-run? certificate option.
2021-03-14 13:15 ` [bug#47136] [PATCH 1/3] services: certbot: Remove deprecated --manual-public-ip-logging-ok Pierre Langlois
2021-03-14 13:15 ` [bug#47136] [PATCH 2/3] services: certbot: Refer to authentication-hook in documentation Pierre Langlois
@ 2021-03-14 13:15 ` Pierre Langlois
2021-04-17 16:51 ` Pierre Langlois
2021-03-14 13:22 ` [bug#47136] [PATCH 1/3] services: certbot: Remove deprecated --manual-public-ip-logging-ok Pierre Langlois
2 siblings, 1 reply; 8+ messages in thread
From: Pierre Langlois @ 2021-03-14 13:15 UTC (permalink / raw)
To: 47136; +Cc: Pierre Langlois
* gnu/services/certbot.scm (certificate-configuration): Add dry-run? field.
(certbot-command): Use it to pass --dry-run to certbot.
* doc/guix.texi (Certificate Services): Document dry-run? option.
---
doc/guix.texi | 35 +++++++++++++++++++++++++++++++++++
gnu/services/certbot.scm | 10 +++++++---
2 files changed, 42 insertions(+), 3 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index ec449b1772..322c717941 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -25665,6 +25665,41 @@ certificates and keys; the shell variable @code{$RENEWED_DOMAINS} will
contain a space-delimited list of renewed certificate domains (for
example, @samp{"example.com www.example.com"}.
+@item @code{dry-run?} (default: @code{#f})
+Communitcate with the ACME server but do not update certificates nor
+trigger @code{deploy-hook}. This is useful as a temporary setting to
+test the challenge procedure, especially the @code{authentication-hook}
+and @code{cleanup-hook} while working on them. It's also a good idea to
+use Let's Encrypt's staging server at
+@url{https://acme-staging-v02.api.letsencrypt.org/directory} while
+testing, which allows for higher rate limits, but with which
+@code{certbot} will helpfully refuse to update certificates and
+recommend the @code{dry-run?} option. For example:
+
+@lisp
+(define %authentication-hook
+ (program-file "authentication-hook"
+ #~(let ((domain (getenv "CERTBOT_DOMAIN"))
+ (token (getenv "CERTBOT_TOKEN")))
+ (format #t "Hey, can you authenticate ~a with ~a for me?"
+ domain token))))
+
+(define %cleanup-hook
+ (program-file "authentication-hook"
+ #~(display "Bye")
+
+(service certbot-service-type
+ (certbot-configuration
+ (server "https://acme-staging-v02.api.letsencrypt.org/directory")
+ (certificates
+ (list
+ (certificate-configuration
+ (dry-run? #t)
+ (authentication-hook %authentication-hook)
+ (cleanup-hook %cleanup-hook)
+ (domains '("example.net" "www.example.net")))))))
+@end lisp
+
@end table
@end deftp
diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm
index 1cea68fc2a..15274cf0ed 100644
--- a/gnu/services/certbot.scm
+++ b/gnu/services/certbot.scm
@@ -61,6 +61,8 @@
(cleanup-hook certificate-cleanup-hook
(default #f))
(deploy-hook certificate-configuration-deploy-hook
+ (default #f))
+ (dry-run? certbot-configuration-dry-run?
(default #f)))
(define-record-type* <certbot-configuration>
@@ -96,7 +98,7 @@
(match-lambda
(($ <certificate-configuration> custom-name domains challenge
authentication-hook cleanup-hook
- deploy-hook)
+ deploy-hook dry-run?)
(let ((name (or custom-name (car domains))))
(if challenge
(append
@@ -114,7 +116,8 @@
`("--manual-auth-hook" ,authentication-hook)
'())
(if cleanup-hook `("--manual-cleanup-hook" ,cleanup-hook) '())
- (if deploy-hook `("--deploy-hook" ,deploy-hook) '()))
+ (if deploy-hook `("--deploy-hook" ,deploy-hook) '())
+ (if dry-run? '("--dry-run")))
(append
(list name certbot "certonly" "-n" "--agree-tos"
"--webroot" "-w" webroot
@@ -125,7 +128,8 @@
'("--register-unsafely-without-email"))
(if server `("--server" ,server) '())
(if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
- (if deploy-hook `("--deploy-hook" ,deploy-hook) '()))))))
+ (if deploy-hook `("--deploy-hook" ,deploy-hook) '())
+ (if dry-run? '("--dry-run") '()))))))
certificates)))
(program-file
"certbot-command"
--
2.30.2
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [bug#47136] [PATCH 1/3] services: certbot: Remove deprecated --manual-public-ip-logging-ok.
2021-03-14 13:15 ` [bug#47136] [PATCH 1/3] services: certbot: Remove deprecated --manual-public-ip-logging-ok Pierre Langlois
2021-03-14 13:15 ` [bug#47136] [PATCH 2/3] services: certbot: Refer to authentication-hook in documentation Pierre Langlois
2021-03-14 13:15 ` [bug#47136] [PATCH 3/3] services: certbot: Add dry-run? certificate option Pierre Langlois
@ 2021-03-14 13:22 ` Pierre Langlois
2 siblings, 0 replies; 8+ messages in thread
From: Pierre Langlois @ 2021-03-14 13:22 UTC (permalink / raw)
To: 47136; +Cc: Pierre Langlois
[-- Attachment #1: Type: text/plain, Size: 287 bytes --]
Pierre Langlois writes:
> The --manual-public-ip-logging-ok flag is now a no-op and was deprecated
> https://github.com/certbot/certbot/pull/8381
>
> * gnu/sevices/certbot.scm (certbot-command): Remove
^
|
Oups, I've got a typo here, fixed locally!
Thanks,
Pierre
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 519 bytes --]
^ permalink raw reply [flat|nested] 8+ messages in thread
* [bug#47136] [PATCH 3/3] services: certbot: Add dry-run? certificate option.
2021-03-14 13:15 ` [bug#47136] [PATCH 3/3] services: certbot: Add dry-run? certificate option Pierre Langlois
@ 2021-04-17 16:51 ` Pierre Langlois
2021-04-17 17:38 ` Leo Famulari
0 siblings, 1 reply; 8+ messages in thread
From: Pierre Langlois @ 2021-04-17 16:51 UTC (permalink / raw)
To: 47136; +Cc: Pierre Langlois
[-- Attachment #1: Type: text/plain, Size: 4522 bytes --]
Hi all,
Friendly ping on this series :-).
Thanks,
Pierre
Pierre Langlois writes:
> * gnu/services/certbot.scm (certificate-configuration): Add dry-run? field.
> (certbot-command): Use it to pass --dry-run to certbot.
> * doc/guix.texi (Certificate Services): Document dry-run? option.
> ---
> doc/guix.texi | 35 +++++++++++++++++++++++++++++++++++
> gnu/services/certbot.scm | 10 +++++++---
> 2 files changed, 42 insertions(+), 3 deletions(-)
>
> diff --git a/doc/guix.texi b/doc/guix.texi
> index ec449b1772..322c717941 100644
> --- a/doc/guix.texi
> +++ b/doc/guix.texi
> @@ -25665,6 +25665,41 @@ certificates and keys; the shell variable @code{$RENEWED_DOMAINS} will
> contain a space-delimited list of renewed certificate domains (for
> example, @samp{"example.com www.example.com"}.
>
> +@item @code{dry-run?} (default: @code{#f})
> +Communitcate with the ACME server but do not update certificates nor
note-to-self, typo here: Communicate
> +trigger @code{deploy-hook}. This is useful as a temporary setting to
> +test the challenge procedure, especially the @code{authentication-hook}
> +and @code{cleanup-hook} while working on them. It's also a good idea to
> +use Let's Encrypt's staging server at
> +@url{https://acme-staging-v02.api.letsencrypt.org/directory} while
> +testing, which allows for higher rate limits, but with which
> +@code{certbot} will helpfully refuse to update certificates and
> +recommend the @code{dry-run?} option. For example:
> +
> +@lisp
> +(define %authentication-hook
> + (program-file "authentication-hook"
> + #~(let ((domain (getenv "CERTBOT_DOMAIN"))
> + (token (getenv "CERTBOT_TOKEN")))
> + (format #t "Hey, can you authenticate ~a with ~a for me?"
> + domain token))))
> +
> +(define %cleanup-hook
> + (program-file "authentication-hook"
> + #~(display "Bye")
> +
> +(service certbot-service-type
> + (certbot-configuration
> + (server "https://acme-staging-v02.api.letsencrypt.org/directory")
> + (certificates
> + (list
> + (certificate-configuration
> + (dry-run? #t)
> + (authentication-hook %authentication-hook)
> + (cleanup-hook %cleanup-hook)
> + (domains '("example.net" "www.example.net")))))))
> +@end lisp
> +
> @end table
> @end deftp
>
> diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm
> index 1cea68fc2a..15274cf0ed 100644
> --- a/gnu/services/certbot.scm
> +++ b/gnu/services/certbot.scm
> @@ -61,6 +61,8 @@
> (cleanup-hook certificate-cleanup-hook
> (default #f))
> (deploy-hook certificate-configuration-deploy-hook
> + (default #f))
> + (dry-run? certbot-configuration-dry-run?
> (default #f)))
>
> (define-record-type* <certbot-configuration>
> @@ -96,7 +98,7 @@
> (match-lambda
> (($ <certificate-configuration> custom-name domains challenge
> authentication-hook cleanup-hook
> - deploy-hook)
> + deploy-hook dry-run?)
> (let ((name (or custom-name (car domains))))
> (if challenge
> (append
> @@ -114,7 +116,8 @@
> `("--manual-auth-hook" ,authentication-hook)
> '())
> (if cleanup-hook `("--manual-cleanup-hook" ,cleanup-hook) '())
> - (if deploy-hook `("--deploy-hook" ,deploy-hook) '()))
> + (if deploy-hook `("--deploy-hook" ,deploy-hook) '())
> + (if dry-run? '("--dry-run")))
> (append
> (list name certbot "certonly" "-n" "--agree-tos"
> "--webroot" "-w" webroot
> @@ -125,7 +128,8 @@
> '("--register-unsafely-without-email"))
> (if server `("--server" ,server) '())
> (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
> - (if deploy-hook `("--deploy-hook" ,deploy-hook) '()))))))
> + (if deploy-hook `("--deploy-hook" ,deploy-hook) '())
> + (if dry-run? '("--dry-run") '()))))))
> certificates)))
> (program-file
> "certbot-command"
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 519 bytes --]
^ permalink raw reply [flat|nested] 8+ messages in thread
* [bug#47136] [PATCH 3/3] services: certbot: Add dry-run? certificate option.
2021-04-17 16:51 ` Pierre Langlois
@ 2021-04-17 17:38 ` Leo Famulari
2021-04-17 18:05 ` Pierre Langlois
0 siblings, 1 reply; 8+ messages in thread
From: Leo Famulari @ 2021-04-17 17:38 UTC (permalink / raw)
To: Pierre Langlois; +Cc: 47136
On Sat, Apr 17, 2021 at 05:51:46PM +0100, Pierre Langlois wrote:
> Hi all,
>
> Friendly ping on this series :-).
Just FYI, we are in "string freeze" until Guix 1.2.1 is released. This
means no changes to the manual or other translatable parts of Guix until
then.
^ permalink raw reply [flat|nested] 8+ messages in thread
* [bug#47136] [PATCH 3/3] services: certbot: Add dry-run? certificate option.
2021-04-17 17:38 ` Leo Famulari
@ 2021-04-17 18:05 ` Pierre Langlois
0 siblings, 0 replies; 8+ messages in thread
From: Pierre Langlois @ 2021-04-17 18:05 UTC (permalink / raw)
To: Leo Famulari; +Cc: 47136, Pierre Langlois
[-- Attachment #1: Type: text/plain, Size: 368 bytes --]
Hi Leo,
Leo Famulari writes:
> On Sat, Apr 17, 2021 at 05:51:46PM +0100, Pierre Langlois wrote:
>> Hi all,
>>
>> Friendly ping on this series :-).
>
> Just FYI, we are in "string freeze" until Guix 1.2.1 is released. This
> means no changes to the manual or other translatable parts of Guix until
> then.
Aaah I see, thanks for the info!
Pierre
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 519 bytes --]
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2021-04-17 18:06 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-03-14 13:08 [bug#47136] [PATCH 0/3] services: certbot: Add dry-run? option and a couple of other minor fixes Pierre Langlois
2021-03-14 13:15 ` [bug#47136] [PATCH 1/3] services: certbot: Remove deprecated --manual-public-ip-logging-ok Pierre Langlois
2021-03-14 13:15 ` [bug#47136] [PATCH 2/3] services: certbot: Refer to authentication-hook in documentation Pierre Langlois
2021-03-14 13:15 ` [bug#47136] [PATCH 3/3] services: certbot: Add dry-run? certificate option Pierre Langlois
2021-04-17 16:51 ` Pierre Langlois
2021-04-17 17:38 ` Leo Famulari
2021-04-17 18:05 ` Pierre Langlois
2021-03-14 13:22 ` [bug#47136] [PATCH 1/3] services: certbot: Remove deprecated --manual-public-ip-logging-ok Pierre Langlois
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.