From: Carlo Zancanaro
To: Felix Lechner
Cc: Clément Lassieur, guix-devel@gnu.org
Subject: Re: bug#46961: [PATCH v2 0/4] Make certbot play more nicely with nginx
Date: Sun, 14 Apr 2024 23:51:58 +1000
Message-ID: <87sezovypt.fsf@zancanaro.id.au>
In-Reply-To: <871q7a2h8y.fsf@lease-up.com> (Felix Lechner's message of "Fri, 12 Apr 2024 18:17:33 -0700")

Apologies for the line breaks in my earlier email. I'm not entirely sure what happened, but hopefully they'll come through properly this time.

On Fri, Apr 12 2024, Felix Lechner wrote:
> To my surprise OpenSSL, which I saw in proced, generated a lot of
> certificates in /etc/certs. I am talking about pages and pages of
> asterisks, plusses, and dots for a system with twenty or so certificates.
> Is it possible that they were generated as a result of the patch?
I expect the first reconfiguration after this change to create one self-signed certificate in /etc/certs for each object in your certbot configuration. These self-signed certificates will then be replaced by symlinks to the certificates that certbot generates after your next renewal (i.e. when the deploy hook runs).

We could avoid generating unnecessary self-signed certificates by first checking if we already have certificates from certbot, and creating the symlink straight away if we can.

About the "pages and pages" of output: it might be sensible to change the size of the keys used in the self-signed certificates. The current code uses the rsa-key-size from the , or 4096 if that is unset (the default). This is probably overkill given we don't actually need, or want, to use the initial certificates. We could instead use the smallest key size that openssl supports (512?).

I'm not sure when I'll have time to make those changes, but they should be pretty straightforward if someone else has time before I do.

> It would be unfavorable to create such certificates when they are not
> needed. It reduces valuable server entropy.

If you don't want the initial self-signed certificate you can tell Guix not to generate it by setting start-self-signed? to #f on the object.

Carlo
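As an added example (not code from the Guix certbot service or from anyone in this thread), here is the check described above: look for an existing certbot-issued certificate first and symlink it into place, and only otherwise generate a placeholder self-signed certificate. The paths (certbot's live directory under /etc/letsencrypt/live and a per-domain layout under /etc/certs) and the file names are assumptions for illustration. The placeholder uses an EC P-256 key rather than a small RSA key: generating it is cheap and draws little entropy, but unlike a 512-bit RSA key it is not a weak key if the placeholder happens to be served before certbot replaces it.

```shell
#!/bin/sh
# Added example, not the Guix certbot service's own code.
# Assumed layout: certbot writes to $CERTBOT_LIVE/<domain>/{fullchain,privkey}.pem
# and the web server reads $CERTS_DIR/<domain>/{fullchain,privkey}.pem.
set -eu

CERTBOT_LIVE="${CERTBOT_LIVE:-/etc/letsencrypt/live}"
CERTS_DIR="${CERTS_DIR:-/etc/certs}"

# Decide what to do for a domain: "symlink" when certbot already issued a
# certificate (both files present and non-empty), otherwise "generate".
placeholder_action() {
    domain=$1
    if [ -s "$CERTBOT_LIVE/$domain/fullchain.pem" ] &&
       [ -s "$CERTBOT_LIVE/$domain/privkey.pem" ]; then
        echo symlink
    else
        echo generate
    fi
}

# Point the served paths at certbot's files instead of creating a placeholder.
# -n makes ln replace an existing symlink rather than descend into it.
link_certbot_cert() {
    domain=$1
    mkdir -p "$CERTS_DIR/$domain"
    ln -sfn "$CERTBOT_LIVE/$domain/fullchain.pem" "$CERTS_DIR/$domain/fullchain.pem"
    ln -sfn "$CERTBOT_LIVE/$domain/privkey.pem" "$CERTS_DIR/$domain/privkey.pem"
}

# Generate a one-day placeholder certificate. An EC P-256 key is chosen over a
# 4096-bit (or 512-bit) RSA key: fast to create, yet not weak if ever served.
generate_placeholder() {
    domain=$1
    mkdir -p "$CERTS_DIR/$domain"
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -days 1 -subj "/CN=$domain" \
        -keyout "$CERTS_DIR/$domain/privkey.pem" \
        -out "$CERTS_DIR/$domain/fullchain.pem" 2>/dev/null
}

# Entry point per domain: symlink if certbot already has a certificate,
# otherwise generate the placeholder.
ensure_cert() {
    domain=$1
    case "$(placeholder_action "$domain")" in
        symlink)  link_certbot_cert "$domain" ;;
        generate) generate_placeholder "$domain" ;;
    esac
}

# Usage: ensure-cert.sh example.org www.example.org
for domain in "$@"; do
    ensure_cert "$domain"
done
```

Running it again after certbot's deploy hook has produced real certificates takes the symlink branch, so the placeholder is only ever created for a domain that has never been issued a certificate; the same decision could be made at reconfiguration time so that the self-signed step is skipped entirely on hosts that already have certbot output.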