* bug#50872: Prosody service + letsencrypt certs improvements
@ 2021-09-28 17:01 Christine Lemmer-Webber
From: Christine Lemmer-Webber @ 2021-09-28 17:01 UTC
To: 50872

I finally got prosody working on my server using Guix. However, the
manual says:

    Prosodyctl will also help you to import certificates from the
    ‘letsencrypt’ directory so that the ‘prosody’ user can access them. See
    <https://prosody.im/doc/letsencrypt>.

        prosodyctl --root cert import /etc/letsencrypt/live

However, what prosody actually does with this command is that it copies
the files from letsencrypt *over to* its own directory (but then also
restarts prosody... in theory). According to the docs:

    This command can be put in cron or passed as a callback to automated
    certificate renewal programs such as certbot or other Let's Encrypt
    clients. For more information on using Prosody with these, see our
    Let's Encrypt page.

Hm, in other words we really ought to run this attached to some hook
related to the letsencrypt services... when they renew successfully, it
should trigger this command, I'd think. We do similar things for nginx,
etc...

Thoughts? Does this seem right?

- Christine

From: Carlo Zancanaro @ 2021-09-29 21:06 UTC
To: Christine Lemmer-Webber; +Cc: 50872

Hi Christine,

On Tue, Sep 28 2021, Christine Lemmer-Webber wrote:
> Hm, in other words we really ought to run this attached to some
> hook related to the letsencrypt services... when they renew
> successfully, it should trigger this command, I'd think. We do
> similar things for nginx, etc...

I'm pretty sure Guix doesn't do anything automatic when
certificates are renewed. For nginx there's an example in the
manual for how to set up a deploy hook to reload the
certificates[1], so I expect that you'll have to set up something
similar.

My prosody setup has this deploy hook:

    (program-file
     "reload-certificates"
     #~(let ((prosodyctl (string-append #$(specification->package
                                           "prosody")
                                        "/bin/prosodyctl")))
         (system* prosodyctl "--root" "cert" "import"
                  "/etc/letsencrypt/live")
         (system* prosodyctl "reload")))

but I have recently had some trouble with it (prosody hasn't been
reloading the certificate properly). I don't think my issue is
related to this deploy hook, though.

I hope that helps!

Carlo

[1]:
https://guix.gnu.org/en/manual/en/html_node/Certificate-Services.html
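
Added example (not part of the thread, and not Guix's or the posters' own code): one way a deploy hook like the one above could be attached to the certbot service through the `deploy-hook` field of `certificate-configuration`, as the manual's nginx example does. The domain, the e-mail address and the names `%prosody-deploy-hook` and `%certbot-service` are placeholders, and the exit-status checks are an addition so that a failed import is reported instead of being followed by a reload.

```scheme
;; Added example; domain and e-mail address are placeholders, and the
;; variable names are hypothetical.
(use-modules (gnu) (guix gexp))
(use-service-modules certbot)
(use-package-modules messaging)

(define %prosody-deploy-hook
  (program-file
   "prosody-deploy-hook"
   #~(let ((prosodyctl #$(file-append prosody "/bin/prosodyctl")))
       ;; Copy the renewed files from certbot's directory into
       ;; prosody's own directory.  Stop here if that fails, so the
       ;; failure is not hidden behind a successful reload.
       (unless (zero? (system* prosodyctl "--root" "cert" "import"
                               "/etc/letsencrypt/live"))
         (exit 1))
       ;; Ask the running server to pick up the imported files.
       (unless (zero? (system* prosodyctl "reload"))
         (exit 1)))))

;; To be added to the `services' field of the operating-system
;; declaration.
(define %certbot-service
  (service certbot-service-type
           (certbot-configuration
            (email "admin@example.org")            ;placeholder
            (certificates
             (list
              (certificate-configuration
               (domains '("xmpp.example.org"))     ;placeholder
               (deploy-hook %prosody-deploy-hook)))))))
```
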
From: Christine Lemmer-Webber @ 2021-09-29 23:43 UTC
To: Carlo Zancanaro; +Cc: 50872-done

Carlo Zancanaro <carlo@zancanaro.id.au> writes:

> Hi Christine,
>
> On Tue, Sep 28 2021, Christine Lemmer-Webber wrote:
>> Hm, in other words we really ought to run this attached to some hook
>> related to the letsencrypt services... when they renew successfully,
>> it should trigger this command, I'd think. We do similar things for
>> nginx, etc...
>
> I'm pretty sure Guix doesn't do anything automatic when certificates
> are renewed. For nginx there's an example in the manual for how to set
> up a deploy hook to reload the certificates[1], so I expect that
> you'll have to set up something similar.

You're right... not sure why I thought it did.

> My prosody setup has this deploy hook:
>
>     (program-file
>      "reload-certificates"
>      #~(let ((prosodyctl (string-append #$(specification->package
>                                            "prosody")
>                                         "/bin/prosodyctl")))
>          (system* prosodyctl "--root" "cert" "import"
>                   "/etc/letsencrypt/live")
>          (system* prosodyctl "reload")))
>
> but I have recently had some trouble with it (prosody hasn't been
> reloading the certificate properly). I don't think my issue is
> related to this deploy hook, though.

That seems great. I'll give it a try.

Since this isn't significantly different from other services then (well,
excepting that prosody needs to not just reload but have the import
command run again... but you've provided what looks like a good solution
above) I'm going to close this.

> I hope that helps!

It does, thanks!

> Carlo
>
> [1]:
> https://guix.gnu.org/en/manual/en/html_node/Certificate-Services.html