From: Carlo Zancanaro <carlo@zancanaro.id.au>
To: Felix Lechner <felix.lechner@lease-up.com>
Cc: 46961@debbugs.gnu.org, clement@lassieur.org, brice@waegenei.re,
guix-devel@gnu.org
Subject: Re: [PATCH v2 0/4] Make certbot play more nicely with nginx
Date: Wed, 31 Jan 2024 08:48:54 +1100 [thread overview]
Message-ID: <87r0hyphni.fsf@zancanaro.id.au> (raw)
In-Reply-To: <875xzanaer.fsf@lease-up.com>
Hi Felix,
On Tue, Jan 30 2024, Felix Lechner wrote:
> On Tue, Jan 30 2024, Carlo Zancanaro wrote:
>> certbot can't produce certificates without a functional nginx
>
> Yes, it can. The option is called --standalone. [1]
You are correct, of course. If I had been more precise I would
have said "with our current configuration, certbot can't produce
certificates without a functional nginx".
> Maybe another way to bootstrap the certificates would be to hold
> off on starting Nginx or Apache until all certificates are
> obtained?
This could work, but I see a few downsides.
As Clément has already mentioned, this would make nginx dependent
on certbot. This causes problems for servers disconnected from the
general internet, but it also shifts complexity into the nginx
service without much benefit over the patch series I'm proposing.
We'd need to add more configuration on the nginx side to control
whether to delay startup based on whether we actually want
certificates. This would delay the startup of the whole nginx
process, even if some server configurations don't require new
certificates.
For renewal, we would also have two options: (1) use --standalone,
and require a period of downtime for our web server; or (2) use
--webroot, and maintain two code paths for the two cases. I think
it's a bad idea for Guix to make a decision that requires downtime
of user systems if there's an alternative, so I don't like (1).
Maintaining two "similar but different" code paths for (2) doesn't
seem like a clear advantage over the patch series I'm proposing.
> Anyway, that's what I do manually.
I use the DNS challenge type, with hooks which automatically
create/remove DNS records. This solves all the problems I'm
bringing up (i.e. doesn't require nginx, doesn't involve downtime,
has a single code path), but I don't think Guix can assume that
all users have the ability to do this. My aim with this patch
series is to make the default certbot configuration work for the
common case of a simple web server, without manual intervention.
Carlo
next prev parent reply other threads:[~2024-01-30 22:43 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-06 8:15 Nginx and certbot cervices don't play well togther Brice Waegeneire
2024-01-24 12:18 ` bug#46961: [PATCH 0/2] Allow nginx to start before certbot has run Carlo Zancanaro
2024-01-24 12:18 ` bug#46961: [PATCH 1/2] services: certbot: Symlink certificates to /etc/certs Carlo Zancanaro
2024-01-24 12:18 ` bug#46961: [PATCH 2/2] services: certbot: Create self-signed certificates before certbot runs Carlo Zancanaro
2024-01-24 13:01 ` Carlo Zancanaro
2024-01-29 19:23 ` bug#46961: Nginx and certbot cervices don't play well togther Clément Lassieur
2024-01-29 23:02 ` Carlo Zancanaro
2024-01-29 23:19 ` Clément Lassieur
2024-01-29 19:28 ` Clément Lassieur
2024-01-30 13:26 ` bug#46961: [PATCH v2 0/4] Make certbot play more nicely with nginx Carlo Zancanaro
2024-01-30 13:26 ` Carlo Zancanaro
2024-01-30 14:49 ` Felix Lechner via Development of GNU Guix and the GNU System distribution.
2024-01-30 21:48 ` Carlo Zancanaro [this message]
2024-01-31 0:04 ` Wojtek Kosior via Development of GNU Guix and the GNU System distribution.
[not found] ` <875xzanaer.fsf__22488.5524179385$1706626282$gmane$org@lease-up.com>
2024-01-30 19:39 ` bug#46961: " Clément Lassieur
2024-04-13 1:17 ` Felix Lechner via Development of GNU Guix and the GNU System distribution.
2024-04-14 11:42 ` Carlo Zancanaro
2024-04-14 13:51 ` Carlo Zancanaro
2024-04-14 16:25 ` Felix Lechner via Development of GNU Guix and the GNU System distribution.
2024-01-31 11:46 ` bug#46961: [PATCH v3 " Carlo Zancanaro
2024-01-31 11:46 ` bug#46961: [PATCH v3 1/4] services: certbot: Symlink certificates to /etc/certs Carlo Zancanaro
2024-01-31 11:46 ` bug#46961: [PATCH v3 2/4] services: certbot: Create self-signed certificates before certbot runs Carlo Zancanaro
2024-01-31 11:46 ` bug#46961: [PATCH v3 3/4] services: certbot: Reload nginx in deploy hook Carlo Zancanaro
2024-01-31 11:46 ` bug#46961: [PATCH v3 4/4] services: certbot: Add one-shot service to renew certificates Carlo Zancanaro
2024-01-30 13:26 ` [PATCH v2 1/4] services: certbot: Symlink certificates to /etc/certs Carlo Zancanaro
2024-01-30 13:26 ` [PATCH v2 2/4] services: certbot: Create self-signed certificates before certbot runs Carlo Zancanaro
2024-01-30 13:26 ` [PATCH v2 3/4] services: certbot: Add a default deploy hook to reload nginx Carlo Zancanaro
2024-01-31 0:29 ` bug#46961: Nginx and certbot cervices don't play well togther Clément Lassieur
2024-01-30 13:26 ` bug#46961: [PATCH v2 4/4] services: certbot: Add one-shot service to renew certificates Carlo Zancanaro
2024-01-30 13:26 ` Carlo Zancanaro
2024-01-31 0:55 ` bug#46961: Nginx and certbot cervices don't play well togther Clément Lassieur
2024-01-31 11:50 ` Carlo Zancanaro
2024-01-31 15:58 ` Clément Lassieur
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87r0hyphni.fsf@zancanaro.id.au \
--to=carlo@zancanaro.id.au \
--cc=46961@debbugs.gnu.org \
--cc=brice@waegenei.re \
--cc=clement@lassieur.org \
--cc=felix.lechner@lease-up.com \
--cc=guix-devel@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.