From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp0.migadu.com ([2001:41d0:303:e224::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms8.migadu.com with LMTPS id EFBgHEY0umX6vAAAqHPOHw:P1 (envelope-from ) for ; Wed, 31 Jan 2024 12:51:34 +0100 Received: from aspmx1.migadu.com ([2001:41d0:303:e224::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp0.migadu.com with LMTPS id EFBgHEY0umX6vAAAqHPOHw (envelope-from ) for ; Wed, 31 Jan 2024 12:51:34 +0100 X-Envelope-To: larch@yhetil.org Authentication-Results: aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=zancanaro.id.au header.s=k1 header.b=GK3yWkrn; dmarc=fail reason="SPF not aligned (relaxed)" header.from=zancanaro.id.au (policy=none); spf=pass (aspmx1.migadu.com: domain of "bug-guix-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="bug-guix-bounces+larch=yhetil.org@gnu.org" ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1706701894; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding:resent-cc: resent-from:resent-sender:resent-message-id:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:dkim-signature; bh=oZ+bXOYVG1Q+K+ThC7CBgVBGXFvUk++38QnQewKqEjo=; b=uHMR1q/IzRJIyzgBiSTXixDonnlRLK3QOodfhy4PdEvbcQw9MKOrCfg++k8mZtA4qHZtbq YuYIIcabHAahtBVC695Lgplvz0C62O7UbTHwddanjU4/MD/q2paNCOVnGQXoSsfwyUhtsb LZ10Lowof/I3ov7CLesWpHSTeMDKI9UfnfU2+dgFuDCbAjRGmJL/wRBtcM5iZCQTGHI5l8 Yvz33vV3/CjzoERvqEQviUkRLzA7FJrtL57SN2LlcuvTOdINDhBTHx2IvMKNFkgONPg1Wx VScUCY9ryokiCLaDv+3jsED+jESkljgjZzr/nrrvZ6JqM9eF6qm02Xrnyl2lJA== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=zancanaro.id.au header.s=k1 header.b=GK3yWkrn; dmarc=fail reason="SPF not aligned (relaxed)" header.from=zancanaro.id.au (policy=none); spf=pass (aspmx1.migadu.com: domain of "bug-guix-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="bug-guix-bounces+larch=yhetil.org@gnu.org" ARC-Seal: i=1; s=key1; d=yhetil.org; t=1706701894; a=rsa-sha256; cv=none; b=GObF4O1Dzp9j14uc30SJReWShlHunkmqkl/xXjQwqpuna7Ls4seD2IoLq0caAc5EjuV8oK GfG3wdeVFVIXZac7nnZULphWPzxTAFTPzDdAzJTOErJ25lORQKQuSVsmSdkH/cUTg/T72H vyTeWKnxhQfqQBlIh3aHfEGWdnFAuEycjEotKvzGjcAI9H2DsoZWAX9DU+/txsQYFVokt+ ajX9I+garUG3XZsZ8Ke95CbiUjReAGV3zPa3DVFqvb9ufveImJcQn2+TjMqBNtpMXMtCF8 er6d6S4BHQ8gBKwKKsyHd1AyfsBZHM73gnWAP248ba0wXJr9ePb26xHqmTyEPA== Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 2AA7214610 for ; Wed, 31 Jan 2024 12:51:34 +0100 (CET) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1rV97P-00058E-Cl; Wed, 31 Jan 2024 06:51:03 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1rV97G-0004p5-TC for bug-guix@gnu.org; Wed, 31 Jan 2024 06:50:55 -0500 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1rV97G-00033Y-Dm for bug-guix@gnu.org; Wed, 31 Jan 2024 06:50:54 -0500 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1rV97P-0004mC-Nm for bug-guix@gnu.org; Wed, 31 Jan 2024 06:51:03 -0500 X-Loop: help-debbugs@gnu.org Subject: bug#46961: [PATCH v3 2/4] services: certbot: Create self-signed certificates before certbot runs. Resent-From: Carlo Zancanaro Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Wed, 31 Jan 2024 11:51:03 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 46961 X-GNU-PR-Package: guix X-GNU-PR-Keywords: To: 46961@debbugs.gnu.org Cc: clement@lassieur.org Received: via spool by 46961-submit@debbugs.gnu.org id=B46961.170670184218300 (code B ref 46961); Wed, 31 Jan 2024 11:51:03 +0000 Received: (at 46961) by debbugs.gnu.org; 31 Jan 2024 11:50:42 +0000 Received: from localhost ([127.0.0.1]:37581 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1rV973-0004kz-69 for submit@debbugs.gnu.org; Wed, 31 Jan 2024 06:50:41 -0500 Received: from voltorb.zancanaro.id.au ([45.77.50.64]:44696) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1rV96v-0004jy-SB for 46961@debbugs.gnu.org; Wed, 31 Jan 2024 06:50:37 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=k1; bh=oZ+bXOYVG1Q+K+T hC7CBgVBGXFvUk++38QnQewKqEjo=; h=references:in-reply-to:date:subject: cc:to:from; d=zancanaro.id.au; b=GK3yWkrna7AlLxbiWVR0PvaMkfbZfZ8G7mfXO s6H4neSpjgmVHF6GTuIvUj3GmZeFgmCOArT28YMOlPLgLfsqz2ziJTNA6+R8TU3ADiv2pZ S/7k6hQCJC7QZA6TAh9FrtYkVP0nImZwcjlxIgrgMeJlXnPSjxTSV/p/bucqjUJ8= Received: by voltorb.zancanaro.id.au (OpenSMTPD) with ESMTPSA id b9f9411d (TLSv1.3:TLS_AES_256_GCM_SHA384:256:NO); Wed, 31 Jan 2024 11:50:03 +0000 (UTC) From: Carlo Zancanaro Date: Wed, 31 Jan 2024 11:46:23 +0000 Message-ID: <9a64f8740e07717adb373f5ce3099bf325ff9661.1706701585.git.carlo@zancanaro.id.au> X-Mailer: git-send-email 2.41.0 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: bug-guix@gnu.org List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-guix-bounces+larch=yhetil.org@gnu.org Sender: bug-guix-bounces+larch=yhetil.org@gnu.org X-Migadu-Flow: FLOW_IN X-Migadu-Country: US X-Migadu-Spam-Score: 3.83 X-Spam-Score: 3.83 X-Migadu-Queue-Id: 2AA7214610 X-Migadu-Scanner: mx12.migadu.com X-TUID: 8ZbtaU49w8xC * gnu/services/certbot.scm (): Add start-self-signed? field. (generate-certificate-gexp): New procedure. (certbot-activation): Generate self-signed certificates when start-self-signed? is #t. * doc/guix.texi (Certificate services): Document start-self-signed?. Change-Id: Icfd85ae0c3e29324acbcde6ba283546cf0e27a1d --- doc/guix.texi | 6 ++++ gnu/services/certbot.scm | 62 ++++++++++++++++++++++++++++++++++++++-- 2 files changed, 65 insertions(+), 3 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index 97be37f9b5..732abceb0f 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -32690,6 +32690,12 @@ Certificate Services contain a space-delimited list of renewed certificate domains (for example, @samp{"example.com www.example.com"}. +@item @code{start-self-signed?} (default: @code{#t}) +Whether to generate an initial self-signed certificate during system +activation. This option is particularly useful to allow @code{nginx} to +start before @code{certbot} has run, because @code{certbot} relies on +@code{nginx} running to perform HTTP challenges. + @end table @end deftp diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm index 3926d0551a..10b99f5630 100644 --- a/gnu/services/certbot.scm +++ b/gnu/services/certbot.scm @@ -35,6 +35,7 @@ (define-module (gnu services certbot) #:use-module (guix records) #:use-module (guix gexp) #:use-module (srfi srfi-1) + #:use-module (ice-9 format) #:use-module (ice-9 match) #:export (certbot-service-type certbot-configuration @@ -64,7 +65,9 @@ (define-record-type* (cleanup-hook certificate-cleanup-hook (default #f)) (deploy-hook certificate-configuration-deploy-hook - (default #f))) + (default #f)) + (start-self-signed? certificate-configuration-start-self-signed? + (default #t))) (define-record-type* certbot-configuration make-certbot-configuration @@ -91,7 +94,10 @@ (define-record-type* (define (certbot-deploy-hook name deploy-hook-script) "Returns a gexp which creates symlinks for privkey.pem and fullchain.pem from /etc/certs/NAME to /etc/letsenctypt/live/NAME. If DEPLOY-HOOK-SCRIPT is -not #f then it is run after the symlinks have been created." +not #f then it is run after the symlinks have been created. This wrapping is +necessary for certificates with start-self-signed? set to #t, as it will +overwrite the initial self-signed certificates upon the first successful +deploy." (program-file (string-append name "-deploy-hook") (with-imported-modules '((guix build utils)) @@ -108,7 +114,8 @@ (define (certbot-deploy-hook name deploy-hook-script) "/etc/letsencrypt/live/" name "/fullchain.pem") #$(string-append "/etc/certs/" name "/fullchain.pem.new")) - ;; Rename over the top of the old ones, if there are any. + ;; Rename over the top of the old ones, just in case they were the + ;; original self-signed certificates. (rename-file #$(string-append "/etc/certs/" name "/privkey.pem.new") #$(string-append "/etc/certs/" name "/privkey.pem")) (rename-file #$(string-append "/etc/certs/" name "/fullchain.pem.new") @@ -184,6 +191,47 @@ (define (certbot-renewal-jobs config) #~(job '(next-minute-from (next-hour '(0 12)) (list (random 60))) #$(certbot-command config)))) +(define (generate-certificate-gexp certbot-cert-directory rsa-key-size) + (match-lambda + (($ name (primary-domain other-domains ...) + challenge + csr authentication-hook + cleanup-hook deploy-hook) + (let (;; Arbitrary default subject, with just the + ;; right domain filled in. These values don't + ;; have any real significance. + (subject (string-append + "/C=US/ST=Oregon/L=Portland/O=Company Name/OU=Org/CN=" + primary-domain)) + (alt-names (if (null? other-domains) + #f + (format #f "subjectAltName=~{DNS:~a~^,~}" + other-domains))) + (directory (string-append "/etc/certs/" (or name primary-domain)))) + #~(when (not (file-exists? #$directory)) + ;; We generate self-signed certificates in /etc/certs/{domain}, + ;; because certbot is very sensitive to its directory + ;; structure. It refuses to write over the top of existing files, + ;; so we need to use a directory outside of its control. + ;; + ;; These certificates are overwritten by the certbot deploy hook + ;; the first time it successfully obtains a letsencrypt-signed + ;; certificate. + (mkdir-p #$directory) + (chmod #$directory #o755) + (invoke #$(file-append openssl "/bin/openssl") + "req" "-x509" + "-newkey" #$(string-append "rsa:" (or rsa-key-size "4096")) + "-keyout" #$(string-append directory "/privkey.pem") + "-out" #$(string-append directory "/fullchain.pem") + "-sha256" + "-days" "1" ; Only one day, because we expect certbot to run + "-nodes" + "-subj" #$subject + #$@(if alt-names + (list "-addext" alt-names) + (list)))))))) + (define (certbot-activation config) (let* ((certbot-directory "/var/lib/certbot") (certbot-cert-directory "/etc/letsencrypt/live") @@ -198,6 +246,14 @@ (define (certbot-activation config) (mkdir-p #$webroot) (mkdir-p #$certbot-directory) (mkdir-p #$certbot-cert-directory) + + #$@(let ((rsa-key-size (and rsa-key-size + (number->string rsa-key-size)))) + (map (generate-certificate-gexp certbot-cert-directory + rsa-key-size) + (filter certificate-configuration-start-self-signed? + certificates))) + (copy-file #$(certbot-command config) #$script) (display #$message))))))) -- 2.41.0