From: Christopher Allan Webber
To: Leo Famulari
Cc: wingo@igalia.com, 26685@debbugs.gnu.org, clement@lassieur.org
Subject: [bug#26685] certbot service experience
Date: Tue, 24 Oct 2017 10:25:09 -0500
Message-ID: <87y3o0lga2.fsf@dustycloud.org>
In-reply-to: <20171024145324.GA20280@jasmine.lan>
References: <87tw56dhlp.fsf@dustycloud.org> <87eft3a804.fsf@gnu.org> <20171024145324.GA20280@jasmine.lan>

Leo Famulari writes:

> On Thu, Jul 27, 2017 at 07:30:48PM +0200, Tobias Geerinckx-Rice wrote:
>> If nobody objects, I'd like a few days to play with this before it gets
>> merged. It's a fine service, but I think it privileges the ‘--webroot’
>> plugin too much (‘-w’ is a plugin-specific option, not global). I'd
>> rather not have my mailbox spin up nginx...
>
> I agree that we should, in the long run, offer a more generalized ACME
> client service.
>
> However, the --webroot method is not specific to any of the other
> plugins. Instead, it is a general purpose method of obtaining and
> renewing signed X.509 certificates with a running webserver. Certbot
> requires no server-specific configuration with this method, and the
> server only needs to be configured to serve a particular directory which
> will contain the temporary cryptographic "challenge" file. It's not a
> very tight coupling.
>
> Since serving HTTPS is, in practice, one of the primary use cases for
> the X.509 CA system (as opposed to self-signed certs), I think we should
> add the service as-is and let people generalize it as they see fit later
> on.

Sounds like the right approach to me. I'll add a note about the service
configuration possibly being unstable to the docs and push this today.
I just did a rebase on my end.
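The "challenge file" exchange Leo describes above, as an added example that is not code from the thread, from certbot or from the Guix service. It simulates the ACME HTTP-01 webroot flow (RFC 8555 section 8.3): the client writes a key authorization (token plus the RFC 7638 thumbprint of its account key) into `<webroot>/.well-known/acme-challenge/<token>`, the web server only has to serve that directory, and the CA fetches the file and compares it. The account JWK, the token and the `webserver_serve` stand-in for an nginx `location` block are all constructed here for illustration; nothing talks to a real CA.

```python
"""Simulate the ACME HTTP-01 "webroot" challenge (added example, not certbot code).

The JWK below is a constructed placeholder, not a real RSA key; only its
thumbprint matters for the exchange.
"""
import base64
import hashlib
import json
import os
import secrets
import tempfile
from typing import Optional

# Path the CA fetches, relative to the served directory (RFC 8555 section 8.3).
CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over canonical JSON of the required members only."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Body the CA expects to find in the challenge file."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def client_place_challenge(webroot: str, token: str, jwk: dict) -> str:
    """What `certbot --webroot -w WEBROOT` does: write the key authorization
    into WEBROOT/.well-known/acme-challenge/TOKEN. Returns the file path."""
    path = os.path.join(webroot, CHALLENGE_DIR, token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(key_authorization(token, jwk))
    return path


def webserver_serve(webroot: str, url_path: str) -> Optional[bytes]:
    """Stand-in for `location /.well-known/acme-challenge/ { root WEBROOT; }`.
    Only the challenge prefix is mapped, and the token must be base64url, so
    the mapping cannot be used to read anything else under the webroot."""
    prefix = "/" + CHALLENGE_DIR.replace(os.sep, "/") + "/"
    if not url_path.startswith(prefix):
        return None
    token = url_path[len(prefix):]
    if not token or not all(c.isalnum() or c in "-_" for c in token):
        return None  # rejects "../", "/" and empty tokens in one check
    try:
        with open(os.path.join(webroot, CHALLENGE_DIR, token), "rb") as f:
            return f.read()
    except OSError:
        return None


def ca_validate(webroot: str, token: str, jwk: dict) -> bool:
    """What the CA does: GET /.well-known/acme-challenge/<token> over plain HTTP
    and compare the body with the key authorization it computed itself."""
    body = webserver_serve(webroot, "/.well-known/acme-challenge/" + token)
    expected = key_authorization(token, jwk).encode("ascii")
    return body is not None and body.strip() == expected


# Constructed account key (not a real modulus) used by the demo below.
EXAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": b64url(b"\x01" * 256)}


def demo() -> dict:
    """Run the exchange once in a temporary webroot and report the outcomes."""
    token = b64url(secrets.token_bytes(32))
    other_key = {"kty": "RSA", "e": "AQAB", "n": b64url(b"\x02" * 256)}
    with tempfile.TemporaryDirectory() as webroot:
        client_place_challenge(webroot, token, EXAMPLE_JWK)
        ok = ca_validate(webroot, token, EXAMPLE_JWK)
        # A file served for the right token but bound to another account key fails.
        wrong = ca_validate(webroot, token, other_key)
        # The served prefix must not become a generic file-read path.
        traversal = webserver_serve(webroot, "/.well-known/acme-challenge/../../etc/passwd")
    return {"valid": ok, "wrong_key": wrong, "traversal_blocked": traversal is None}


if __name__ == "__main__":
    print(demo())
```

The point Leo makes, that the coupling is loose, is visible in `webserver_serve`: the server knows nothing about certbot, only that one URL prefix maps to one directory. The key-authorization check in `ca_validate` is also why the file is only useful to the account that requested the challenge, so publishing it in a world-readable directory is fine.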