Hi Guix!

I was recently updating my certbot definition to use a manual DNS challenge, and I found using the Let's Encrypt staging server along with the --dry-run option to be really useful. Especially given it can take a few attempts to correctly build your own hooks. So I've added the option to set dry-run? in the certificate configuration, let me know what you think!

I've also included a couple of patches in the series for minor fixes, removing a now deprecated flag and a small fix in the docs.

Thanks,
Pierre

Pierre Langlois (3):
  services: certbot: Remove deprecated --manual-public-ip-logging-ok.
  services: certbot: Refer to authentication-hook in documentation.
  services: certbot: Add dry-run? certificate option.

 doc/guix.texi            | 43 ++++++++++++++++++++++++++++++++++++----
 gnu/services/certbot.scm | 12 +++++++----
 2 files changed, 47 insertions(+), 8 deletions(-)

-- 
2.30.2
The --manual-public-ip-logging-ok flag is now a no-op and was deprecated https://github.com/certbot/certbot/pull/8381 * gnu/sevices/certbot.scm (certbot-command): Remove --manual-public-ip-logging-ok when doing a manual challenge. --- gnu/services/certbot.scm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm index 1c67ff63f1..1cea68fc2a 100644 --- a/gnu/services/certbot.scm +++ b/gnu/services/certbot.scm @@ -5,6 +5,7 @@ ;;; Copyright © 2019 Julien Lepiller <julien@lepiller.eu> ;;; Copyright © 2020 Jack Hill <jackhill@jackhill.us> ;;; Copyright © 2020 Tobias Geerinckx-Rice <me@tobias.gr> +;;; Copyright © 2021 Pierre Langlois <pierre.langlois@gmx.com> ;;; ;;; This file is part of GNU Guix. ;;; @@ -103,7 +104,6 @@ "--manual" (string-append "--preferred-challenges=" challenge) "--cert-name" name - "--manual-public-ip-logging-ok" "-d" (string-join domains ",")) (if email `("--email" ,email) -- 2.30.2
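Review bot: the removal in the certbot-command hunk only touches the `--manual` branch, which is the only place the flag was passed, so nothing else needs adjusting; it is worth confirming that the certbot package in Guix is at a release where the linked PR has landed, because earlier certbot releases required `--manual-public-ip-logging-ok` to run manual mode non-interactively and would fail instead of prompting. Separately, the ChangeLog line in the commit message reads `gnu/sevices/certbot.scm` (missing the `r`).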
* doc/guix.texi (Cerfiticate Services): Refer to non-abbreviated authentication-hook instead of auth-hook. --- doc/guix.texi | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index 4cf241c56a..ec449b1772 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -25651,10 +25651,10 @@ file name of the resource requested when performing an HTTP-01 challenge. @item @code{cleanup-hook} (default: @code{#f}) Command to be run in a shell once for each certificate challenge that -have been answered by the @code{auth-hook}. For this command, the shell -variables available in the @code{auth-hook} script are still available, and -additionally @code{$CERTBOT_AUTH_OUTPUT} will contain the standard output -of the @code{auth-hook} script. +have been answered by the @code{authentication-hook}. For this command, +the shell variables available in the @code{authentication-hook} script +are still available, and additionally @code{$CERTBOT_AUTH_OUTPUT} will +contain the standard output of the @code{authentication-hook} script. @item @code{deploy-hook} (default: @code{#f}) Command to be run in a shell once for each successfully issued -- 2.30.2
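Review bot: the rename in this hunk matches the record field `authentication-hook` that certbot.scm's match pattern destructures (visible in the dry-run? patch of this series), so the manual now uses the real field name rather than the abbreviated certbot flag name; the only nit is the commit message, whose ChangeLog heading is misspelled `Cerfiticate Services`.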
* gnu/services/certbot.scm (certificate-configuration): Add dry-run? field. (certbot-command): Use it to pass --dry-run to certbot. * doc/guix.texi (Certificate Services): Document dry-run? option. --- doc/guix.texi | 35 +++++++++++++++++++++++++++++++++++ gnu/services/certbot.scm | 10 +++++++--- 2 files changed, 42 insertions(+), 3 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index ec449b1772..322c717941 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -25665,6 +25665,41 @@ certificates and keys; the shell variable @code{$RENEWED_DOMAINS} will contain a space-delimited list of renewed certificate domains (for example, @samp{"example.com www.example.com"}. +@item @code{dry-run?} (default: @code{#f}) +Communitcate with the ACME server but do not update certificates nor +trigger @code{deploy-hook}. This is useful as a temporary setting to +test the challenge procedure, especially the @code{authentication-hook} +and @code{cleanup-hook} while working on them. It's also a good idea to +use Let's Encrypt's staging server at +@url{https://acme-staging-v02.api.letsencrypt.org/directory} while +testing, which allows for higher rate limits, but with which +@code{certbot} will helpfully refuse to update certificates and +recommend the @code{dry-run?} option. For example: + +@lisp +(define %authentication-hook + (program-file "authentication-hook" + #~(let ((domain (getenv "CERTBOT_DOMAIN")) + (token (getenv "CERTBOT_TOKEN"))) + (format #t "Hey, can you authenticate ~a with ~a for me?" + domain token)))) + +(define %cleanup-hook + (program-file "authentication-hook" + #~(display "Bye") + +(service certbot-service-type + (certbot-configuration + (server "https://acme-staging-v02.api.letsencrypt.org/directory") + (certificates + (list + (certificate-configuration + (dry-run? #t) + (authentication-hook %authentication-hook) + (cleanup-hook %cleanup-hook) + (domains '("example.net" "www.example.net"))))))) +@end lisp + @end table @end deftp 
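Review bot: the @lisp example in this hunk does not parse: the `%cleanup-hook` definition `(program-file "authentication-hook" #~(display "Bye")` closes neither `program-file` nor `define`, and its file name looks copied from the authentication hook; suggested replacement:
(define %cleanup-hook
  (program-file "cleanup-hook"
                #~(display "Bye")))
Also `Communitcate` should be `Communicate`, and the unchanged context line just above the addition, `(for example, @samp{"example.com www.example.com"}.`, is missing its closing parenthesis and could be fixed in the same touch-up. The description itself is accurate: with `--dry-run` certbot still performs the challenge (so the authentication and cleanup hooks are exercised) but does not save certificates or run the deploy hook, which is what makes it a safe setting for iterating on hooks.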
diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm index 1cea68fc2a..15274cf0ed 100644 --- a/gnu/services/certbot.scm +++ b/gnu/services/certbot.scm @@ -61,6 +61,8 @@ (cleanup-hook certificate-cleanup-hook (default #f)) (deploy-hook certificate-configuration-deploy-hook + (default #f)) + (dry-run? certbot-configuration-dry-run? (default #f))) (define-record-type* <certbot-configuration> @@ -96,7 +98,7 @@ (match-lambda (($ <certificate-configuration> custom-name domains challenge authentication-hook cleanup-hook - deploy-hook) + deploy-hook dry-run?) (let ((name (or custom-name (car domains)))) (if challenge (append @@ -114,7 +116,8 @@ `("--manual-auth-hook" ,authentication-hook) '()) (if cleanup-hook `("--manual-cleanup-hook" ,cleanup-hook) '()) - (if deploy-hook `("--deploy-hook" ,deploy-hook) '())) + (if deploy-hook `("--deploy-hook" ,deploy-hook) '()) + (if dry-run? '("--dry-run"))) (append (list name certbot "certonly" "-n" "--agree-tos" "--webroot" "-w" webroot @@ -125,7 +128,8 @@ '("--register-unsafely-without-email")) (if server `("--server" ,server) '()) (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '()) - (if deploy-hook `("--deploy-hook" ,deploy-hook) '())))))) + (if deploy-hook `("--deploy-hook" ,deploy-hook) '()) + (if dry-run? '("--dry-run") '())))))) certificates))) (program-file "certbot-command" -- 2.30.2
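Review bot: in the record hunk, the accessor for the new field is named `certbot-configuration-dry-run?`, but the field lives in `<certificate-configuration>` (the neighbouring accessor is `certificate-configuration-deploy-hook`) and `<certbot-configuration>` is a different record defined right below; rename it to `certificate-configuration-dry-run?` so the accessor does not read as belonging to the other record.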
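Review bot: in the manual-challenge hunk, `(if dry-run? '("--dry-run")))` has no else branch, unlike the webroot hunk's `(if dry-run? '("--dry-run") '())`; with the default `dry-run?` of `#f` the `if` yields an unspecified value as the final argument of `append`, so the manual-challenge argument list becomes an improper list and is likely to break every manual-challenge certificate that does not enable dry-run?. Add the `'()` so both branches read `(if dry-run? '("--dry-run") '())`.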
Pierre Langlois writes:

> The --manual-public-ip-logging-ok flag is now a no-op and was deprecated
> https://github.com/certbot/certbot/pull/8381
>
> * gnu/sevices/certbot.scm (certbot-command): Remove
          ^
          |
Oops, I've got a typo here, fixed locally!

Thanks,
Pierre
Hi all,

Friendly ping on this series :-).

Thanks,
Pierre

Pierre Langlois writes:

> * gnu/services/certbot.scm (certificate-configuration): Add dry-run? field.
> (certbot-command): Use it to pass --dry-run to certbot.
> * doc/guix.texi (Certificate Services): Document dry-run? option.
> ---
> doc/guix.texi | 35 +++++++++++++++++++++++++++++++++++
> gnu/services/certbot.scm | 10 +++++++---
> 2 files changed, 42 insertions(+), 3 deletions(-)
>
> diff --git a/doc/guix.texi b/doc/guix.texi
> index ec449b1772..322c717941 100644
> --- a/doc/guix.texi
> +++ b/doc/guix.texi
> @@ -25665,6 +25665,41 @@ certificates and keys; the shell variable @code{$RENEWED_DOMAINS} will > contain a space-delimited list of renewed certificate domains (for > example, @samp{"example.com www.example.com"}. > > +@item @code{dry-run?} (default: @code{#f}) > +Communitcate with the ACME server but do not update certificates nor note-to-self, typo here: Communicate > +trigger @code{deploy-hook}. This is useful as a temporary setting to > +test the challenge procedure, especially the @code{authentication-hook} > +and @code{cleanup-hook} while working on them. It's also a good idea to > +use Let's Encrypt's staging server at > +@url{https://acme-staging-v02.api.letsencrypt.org/directory} while > +testing, which allows for higher rate limits, but with which > +@code{certbot} will helpfully refuse to update certificates and > +recommend the @code{dry-run?} option. For example: > + > +@lisp > +(define %authentication-hook > + (program-file "authentication-hook" > + #~(let ((domain (getenv "CERTBOT_DOMAIN")) > + (token (getenv "CERTBOT_TOKEN"))) > + (format #t "Hey, can you authenticate ~a with ~a for me?" > + domain token)))) > + > +(define %cleanup-hook > + (program-file "authentication-hook" > + #~(display "Bye") > + > +(service certbot-service-type > + (certbot-configuration > + (server "https://acme-staging-v02.api.letsencrypt.org/directory") > + (certificates > + (list > + (certificate-configuration > + (dry-run? #t) > + (authentication-hook %authentication-hook) > + (cleanup-hook %cleanup-hook) > + (domains '("example.net" "www.example.net"))))))) > +@end lisp > + > @end table > @end deftp > > diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm > index 1cea68fc2a..15274cf0ed 100644 > --- a/gnu/services/certbot.scm > +++ b/gnu/services/certbot.scm 
> @@ -61,6 +61,8 @@ > (cleanup-hook certificate-cleanup-hook > (default #f)) > (deploy-hook certificate-configuration-deploy-hook > + (default #f)) > + (dry-run? certbot-configuration-dry-run? > (default #f))) > > (define-record-type* <certbot-configuration> > @@ -96,7 +98,7 @@ > (match-lambda > (($ <certificate-configuration> custom-name domains challenge > authentication-hook cleanup-hook > - deploy-hook) > + deploy-hook dry-run?) > (let ((name (or custom-name (car domains)))) > (if challenge > (append > @@ -114,7 +116,8 @@ > `("--manual-auth-hook" ,authentication-hook) > '()) > (if cleanup-hook `("--manual-cleanup-hook" ,cleanup-hook) '()) > - (if deploy-hook `("--deploy-hook" ,deploy-hook) '())) > + (if deploy-hook `("--deploy-hook" ,deploy-hook) '()) > + (if dry-run? '("--dry-run"))) > (append > (list name certbot "certonly" "-n" "--agree-tos" > "--webroot" "-w" webroot > @@ -125,7 +128,8 @@ > '("--register-unsafely-without-email")) > (if server `("--server" ,server) '()) > (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '()) > - (if deploy-hook `("--deploy-hook" ,deploy-hook) '())))))) > + (if deploy-hook `("--deploy-hook" ,deploy-hook) '()) > + (if dry-run? '("--dry-run") '())))))) > certificates))) > (program-file > "certbot-command" [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 519 bytes --]
On Sat, Apr 17, 2021 at 05:51:46PM +0100, Pierre Langlois wrote:
> Hi all,
>
> Friendly ping on this series :-).
Just FYI, we are in "string freeze" until Guix 1.2.1 is released. This
means no changes to the manual or other translatable parts of Guix until
then.
Hi Leo,

Leo Famulari writes:

> On Sat, Apr 17, 2021 at 05:51:46PM +0100, Pierre Langlois wrote:
>> Hi all,
>>
>> Friendly ping on this series :-).
>
> Just FYI, we are in "string freeze" until Guix 1.2.1 is released. This
> means no changes to the manual or other translatable parts of Guix until
> then.

Aaah I see, thanks for the info!

Pierre