From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:42093) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1eJvC9-0004Hc-B1 for guix-patches@gnu.org; Wed, 29 Nov 2017 00:46:06 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1eJvC6-0005FY-9D for guix-patches@gnu.org; Wed, 29 Nov 2017 00:46:05 -0500 Received: from debbugs.gnu.org ([208.118.235.43]:55112) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1eJvC6-0005FT-5J for guix-patches@gnu.org; Wed, 29 Nov 2017 00:46:02 -0500 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1eJvC5-0001mH-Mh for guix-patches@gnu.org; Wed, 29 Nov 2017 00:46:01 -0500 Subject: [bug#26685] certbot service experience Resent-Message-ID: References: <87tw56dhlp.fsf@dustycloud.org> <87eft3a804.fsf@gnu.org> <87tw0z4u5k.fsf@gnu.org> <87h8wymivl.fsf@dustycloud.org> <871slsmxkq.fsf@dustycloud.org> <87a80gpl3c.fsf@gnu.org> <87bmjmrppp.fsf@gnu.org> From: Christopher Allan Webber In-reply-to: <87bmjmrppp.fsf@gnu.org> Date: Tue, 28 Nov 2017 23:45:31 -0600 Message-ID: <87shcxwsck.fsf@dustycloud.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+kyle=kyleam.com@gnu.org Sender: "Guix-patches" To: Ludovic =?UTF-8?Q?Court=C3=A8s?= Cc: wingo@igalia.com, 26685-done@debbugs.gnu.org, clement@lassieur.org Ludovic Courtès writes: > Hello! > > Since everyone was so hesitant I was so blissful ;-), I went ahead and > pushed this patch as commit c2e5d74997bdb57dc35e0189188c6917cd5f0f19! > \o/ > > I think it’s better than the status quo, because even if it’s not > perfect, it *is* useful as it is. We can start from here if there are > ideas on how to improve it. > > Ludo’. Yay! But oh nooooo! I really should have replied to this! I had stopped working on it because I got overloaded with final-push situation in ActivityPub. Maybe this is worth moving to the mailing list instead, but one reason I didn't push it was I had discovered a significant and serious issue... building a system based off of its config is no longer determistic based off of the system config alone... because this checks for the rpesence of nginx-server-configuration-ssl-certificate at *build* time of the system config. The following code is the culprit: (define (emit-nginx-server-config server) ;; [...] (for-each (match-lambda ((record-key . file) (if (and file (not (file-exists? file))) (error (simple-format #f "~A in the nginx configuration for the server with name \"~A\" does not exist" record-key server-name))))) `(("ssl-certificate" . ,ssl-certificate) ("ssl-certificate-key" . ,ssl-certificate-key))) Relatedly, the current setup has these defaults: (ssl-certificate nginx-server-configuration-ssl-certificate (default "/etc/nginx/cert.pem")) (ssl-certificate-key nginx-server-configuration-ssl-certificate-key (default "/etc/nginx/key.pem")) IMO they should probably default to #f so that looking for the files doesn't fail to boot nginx.