From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:33190)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1e715h-00044R-OD
	for guix-patches@gnu.org; Tue, 24 Oct 2017 11:26:06 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1e715e-0002eq-Gh
	for guix-patches@gnu.org; Tue, 24 Oct 2017 11:26:05 -0400
Received: from debbugs.gnu.org ([208.118.235.43]:51342)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
	id 1e715e-0002eb-Cj
	for guix-patches@gnu.org; Tue, 24 Oct 2017 11:26:02 -0400
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1e715e-0000qc-0O
	for guix-patches@gnu.org; Tue, 24 Oct 2017 11:26:02 -0400
Subject: [bug#26685] certbot service experience
Resent-Message-ID: <handler.26685.B26685.15088587123187@debbugs.gnu.org>
References: <cucmvb1ehiv.fsf@igalia.com> <87tw56dhlp.fsf@dustycloud.org>
	<87eft3a804.fsf@gnu.org>
	<f16cd16b-d5b7-65b6-1eda-8e8298e32e15@tobias.gr>
	<20171024145324.GA20280@jasmine.lan>
From: Christopher Allan Webber <cwebber@dustycloud.org>
In-reply-to: <20171024145324.GA20280@jasmine.lan>
Date: Tue, 24 Oct 2017 10:25:09 -0500
Message-ID: <87y3o0lga2.fsf@dustycloud.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
List-Id: <guix-patches.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-patches>,
	<mailto:guix-patches-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-patches/>
List-Post: <mailto:guix-patches@gnu.org>
List-Help: <mailto:guix-patches-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-patches>,
	<mailto:guix-patches-request@gnu.org?subject=subscribe>
Errors-To: guix-patches-bounces+kyle=kyleam.com@gnu.org
Sender: "Guix-patches" <guix-patches-bounces+kyle=kyleam.com@gnu.org>
To: Leo Famulari <leo@famulari.name>
Cc: wingo@igalia.com, 26685@debbugs.gnu.org, clement@lassieur.org

Leo Famulari writes:

> On Thu, Jul 27, 2017 at 07:30:48PM +0200, Tobias Geerinckx-Rice wrote:
>> If nobody objects, I'd like a few days to play with this before it gets
>> merged. It's a fine service, but I think it privileges the ‘--webroot’
>> plugin too much (‘-w’ is a plugin-specific option, not global). I'd
>> rather not have my mail box spin up nginx...
>
> I agree that we should, in the long run, offer a more generalized ACME
> client service.
>
> However, the --webroot method is not specific to any of the other
> plugins. Instead, it is a general purpose method of obtaining and
> renewing signed x509 certificates with a running webserver. Certbot
> requires no server-specific configuration with this method, and the
> server only needs to be configured to serve a particular directory which
> will contain the temporary cryptographic "challenge" file. It's not a
> very tight coupling.
>
> Since serving HTTPS is, in practice, one of the primary use cases for
> the x509 CA system (as opposed to self-signed certs), I think we should
> add the service as-is and let people generalize it as they see fit later
> on.

Sounds like the right approach to me.

I'll add a note about the service configuration possibly being unstable
to the docs and push this today.  I just did a rebase on my end.