From: Carlo Zancanaro
To: Felix Lechner
Cc: Clément Lassieur, guix-devel@gnu.org
Subject: Re: bug#46961: [PATCH v2 0/4] Make certbot play more nicely with nginx
In-Reply-To: <871q7a2h8y.fsf@lease-up.com> (Felix Lechner's message of "Fri, 12 Apr 2024 18:17:33 -0700")
References: <875xzanaer.fsf__22488.5524179385$1706626282$gmane$org@lease-up.com> <8734uevcf3.fsf@lassieur.org> <871q7a2h8y.fsf@lease-up.com>
Date: Sun, 14 Apr 2024 21:42:39 +1000
Message-ID: <87r0f8qifk.fsf@zancanaro.id.au>

Hi Felix,

On Fri, Apr 12 2024, Felix Lechner wrote:

> To my surprise OpenSSL, which I saw in proced, generated a lot
> of certificates in /etc/certs. I am talking about pages and
> pages of asterisk, plusses, and dots for a system with twenty or
> so certificates. Is it possible that they were generated as a
> result of the patch?

I expect the first reconfiguration after this change to create one self-signed certificate in /etc/certs for each object in your certbot configuration.
These self-signed certificates will then be replaced by symlinks to the certificates that certbot generates after your next renewal (i.e. when the deploy hook runs). We could avoid generating unnecessary self-signed certificates by first checking if we already have certificates from certbot, and creating the symlink straight away if we can.

About the "pages and pages" of output: it might be sensible to change the size of the keys used in the self-signed certificates. The current code uses the rsa-key-size from the , or 4096 if that is unset (the default). This is probably overkill given we don't actually need, or want, to use the initial certificates. We could instead use the smallest key size that openssl supports (512?).

I'm not sure when I'll have time to make those changes, but they should be pretty straightforward if someone else has time before I do.

> It would be unfavorable to create such certificates when they
> are not needed. It reduces valuable server entropy.

If you don't want the initial self-signed certificate you can tell Guix not to generate it by setting start-self-signed? to #f on the object.

Carlo
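The "check for certbot's certificates first, and only fall back to a throwaway self-signed certificate when none exist" flow discussed in this thread, written out as an added POSIX shell example. This is not the Guix certbot service's code and not code from anyone in the thread; it assumes certbot's usual live-directory layout (/etc/letsencrypt/live/DOMAIN/fullchain.pem and privkey.pem), /etc/certs as the directory nginx is pointed at, and a PLACEHOLDER_BITS knob for the size of the throwaway key:

```shell
#!/bin/sh
# Added example, not Guix service code. Per domain: link certbot's live
# certificate into /etc/certs when it already exists, otherwise create a
# short-lived self-signed placeholder so nginx can start. Re-running it is
# a no-op for domains that are already provisioned.
set -eu

CERTBOT_LIVE=${CERTBOT_LIVE:-/etc/letsencrypt/live}   # assumed certbot layout
CERTS_DIR=${CERTS_DIR:-/etc/certs}                     # assumed nginx cert dir
PLACEHOLDER_BITS=${PLACEHOLDER_BITS:-2048}             # assumed knob for throwaway key

# plan_for_domain DOMAIN: prints "link" when certbot has already produced a
# non-empty fullchain and key for DOMAIN, "placeholder" otherwise.
# Pure decision, no side effects, so it can be tested without openssl.
plan_for_domain() {
    if [ -s "$CERTBOT_LIVE/$1/fullchain.pem" ] && [ -s "$CERTBOT_LIVE/$1/privkey.pem" ]; then
        echo link
    else
        echo placeholder
    fi
}

# link_certbot DOMAIN: replace whatever is in $CERTS_DIR/DOMAIN with symlinks
# to certbot's live files, the same end state the deploy hook would leave.
link_certbot() {
    mkdir -p "$CERTS_DIR/$1"
    ln -sf "$CERTBOT_LIVE/$1/fullchain.pem" "$CERTS_DIR/$1/fullchain.pem"
    ln -sf "$CERTBOT_LIVE/$1/privkey.pem"   "$CERTS_DIR/$1/privkey.pem"
}

# make_placeholder DOMAIN: generate a one-day self-signed certificate only if
# nothing is there yet, so reconfiguring again does not burn more key material.
make_placeholder() {
    mkdir -p "$CERTS_DIR/$1"
    if [ -s "$CERTS_DIR/$1/fullchain.pem" ]; then
        return 0
    fi
    openssl req -x509 -newkey "rsa:$PLACEHOLDER_BITS" -nodes -days 1 \
        -subj "/CN=$1" \
        -keyout "$CERTS_DIR/$1/privkey.pem" \
        -out "$CERTS_DIR/$1/fullchain.pem" 2>/dev/null
}

# provision_domain DOMAIN: apply the plan.
provision_domain() {
    case "$(plan_for_domain "$1")" in
        link)        link_certbot "$1" ;;
        placeholder) make_placeholder "$1" ;;
    esac
}

# Usage: ./provision.sh example.org www.example.org
for domain in "$@"; do
    provision_domain "$domain"
done
```

Keeping the decision in plan_for_domain separate from the side effects makes the idempotence easy to check: a second run over the same domains links what certbot has produced since and leaves existing placeholders alone.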