From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp2.migadu.com ([2001:41d0:403:58f0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms8.migadu.com with LMTPS id GCHZAYp7uWXofQEAe85BDQ:P1 (envelope-from ) for ; Tue, 30 Jan 2024 23:43:22 +0100 Received: from aspmx1.migadu.com ([2001:41d0:403:58f0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp2.migadu.com with LMTPS id GCHZAYp7uWXofQEAe85BDQ (envelope-from ) for ; Tue, 30 Jan 2024 23:43:22 +0100 X-Envelope-To: larch@yhetil.org Authentication-Results: aspmx1.migadu.com; dkim=pass header.d=zancanaro.id.au header.s=k1 header.b=Y9cxG5dP; spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org"; dmarc=pass (policy=none) header.from=zancanaro.id.au ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1706654602; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post:dkim-signature; bh=l4ZkU0dhbPdk/7Ev9vcCSy+6J42yDo9cP1Sf0CCpuUU=; b=oDJwzq1kM4V0W1SQxVmBWVh5MoQ9kYtuhTvQFmwDaLwHkNShg+SPdIdZAqOHmkfqLhX38G Kfo0xRqjRN8x7K+4QjY+irdDH8z+QrEj4WrDjlSAmd3Ea4MwMR0HLcfa+aCn6k6H4k+Wgs 3d4FOFK08wPJL1Dg7NslzNGNMrOYphFM+5zsr+hWTF+ndmFxDvYC9/1r6YN57cbvnKawAo ua4BephZhF0rzQz9s9xoZX4fwmOXM2jJtDW8stu8erTBw/r8AwVeAx5KjSq99gteO4AXtp lEzUEnKYPfGNtLXiAeBuq2vHndo1iQHaQOpb2ioDx9q4bkT7sZrYfWS9ffTtPg== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=pass header.d=zancanaro.id.au header.s=k1 header.b=Y9cxG5dP; spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org"; dmarc=pass (policy=none) header.from=zancanaro.id.au ARC-Seal: i=1; s=key1; d=yhetil.org; t=1706654602; a=rsa-sha256; cv=none; b=NwrSvaeTNg/Wm3C5Rd2euD5ogllrInxkyBcx9+HW6BuwDpHW5CgYgQWFLXhQ/AmWKjaRQb x75MU0cm+WP7pcQ6F9oQgOJ5yY8sF9Vbjr7V3IjfoPEk/ezU0P1fMvWujYJqx1KUNvbS/S WeRKUSCbpCQisB/pXv3R9pDcXRO230z1Z8sfgjKh/OtqJB/Hd7CGhnh0AJig7pd/asAYnV ZetOohYWlEWRoy44shj5qSeyMSpjQdM7JrH5XKGXKWqHJP4bcfZKgbsx7G+aAJ2a11Q6TF F89lNmrzZVZLNqm0UNZMUJEtih4zqvMQKpC40RHOTABIRqclMKWOd/aAzhV/OQ== Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id E8FB669D6F for ; Tue, 30 Jan 2024 23:43:21 +0100 (CET) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1rUwod-0004I2-Bb; Tue, 30 Jan 2024 17:42:51 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1rUwoZ-0004Hr-R0 for guix-devel@gnu.org; Tue, 30 Jan 2024 17:42:47 -0500 Received: from voltorb.zancanaro.id.au ([45.77.50.64]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1rUwoX-0006JW-Ub for guix-devel@gnu.org; Tue, 30 Jan 2024 17:42:47 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=k1; bh=l4ZkU0dhbPdk/7E v9vcCSy+6J42yDo9cP1Sf0CCpuUU=; h=in-reply-to:date:subject:cc:to:from: references; d=zancanaro.id.au; b=Y9cxG5dPbqQ0G9RntEVwm9ZrZMFBruAIsgDQk 3Cqijdlwk66XXQslaqdc7ay+azv0r+uipiosnRvVImBEp6aVO0Ux4wTbAkiS4yeVIUQzft iIUIzoV3JAWxLVOEj3KuUNa99YwDxBxlwfqyfSXmR1BUWsM6ZJnLmrtr/YkspdA0= Received: by voltorb.zancanaro.id.au (OpenSMTPD) with ESMTPSA id 7c55dca9 (TLSv1.3:TLS_AES_256_GCM_SHA384:256:NO); Tue, 30 Jan 2024 22:42:32 +0000 (UTC) References: <875xzanaer.fsf@lease-up.com> User-agent: mu4e 1.10.8; emacs 29.1 From: Carlo Zancanaro To: Felix Lechner Cc: 46961@debbugs.gnu.org, clement@lassieur.org, brice@waegenei.re, guix-devel@gnu.org Subject: Re: [PATCH v2 0/4] Make certbot play more nicely with nginx Date: Wed, 31 Jan 2024 08:48:54 +1100 In-reply-to: <875xzanaer.fsf@lease-up.com> Message-ID: <87r0hyphni.fsf@zancanaro.id.au> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: quoted-printable Received-SPF: pass client-ip=45.77.50.64; envelope-from=carlo@zancanaro.id.au; helo=voltorb.zancanaro.id.au X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: guix-devel-bounces+larch=yhetil.org@gnu.org X-Migadu-Flow: FLOW_IN X-Migadu-Country: US X-Migadu-Spam-Score: -10.16 X-Migadu-Queue-Id: E8FB669D6F X-Spam-Score: -10.16 X-Migadu-Scanner: mx11.migadu.com X-TUID: 4YtkZLruBPsJ Hi Felix, On Tue, Jan 30 2024, Felix Lechner wrote: > On Tue, Jan 30 2024, Carlo Zancanaro wrote: >> certbot can't produce certificates without a functional nginx > > Yes, it can. The option is called --standalone. [1] You are correct, of course. If I had been more precise I would=20 have said "with our current configuration, certbot can't produce=20 certificates without a functional nginx". > Maybe another way to bootstrap the certificates would be to hold=20 > off on starting Nginx or Apache until all certificates are=20 > obtained? This could work, but I see a few downsides. As Cl=C3=A9ment has already mentioned, this would make nginx dependent=20 on certbot. This causes problems for servers disconnected from the=20 general internet, but it also shifts complexity into the nginx=20 service without much benefit over the patch series I'm proposing.=20 We'd need to add more configuration on the nginx side to control=20 whether to delay startup based on whether we actually want=20 certificates. This would delay the startup of the whole nginx=20 process, even if some server configurations don't require new=20 certificates. For renewal, we would also have two options: (1) use --standalone,=20 and require a period of downtime for our web server; or (2) use=20 --webroot, and maintain two code paths for the two cases. I think=20 it's a bad idea for Guix to make a decision that requires downtime=20 of user systems if there's an alternative, so I don't like (1).=20 Maintaining two "similar but different" code paths for (2) doesn't=20 seem like a clear advantage over the patch series I'm proposing. > Anyway, that's what I do manually. I use the DNS challenge type, with hooks which automatically=20 create/remove DNS records. This solves all the problems I'm=20 bringing up (i.e. doesn't require nginx, doesn't involve downtime,=20 has a single code path), but I don't think Guix can assume that=20 all users have the ability to do this. My aim with this patch=20 series is to make the default certbot configuration work for the=20 common case of a simple web server, without manual intervention. Carlo