From: swedebugia
Subject: Re: Renewing certificates with certbot
Date: Fri, 22 Feb 2019 18:57:26 +0100
To: guix-devel@gnu.org

On 2019-02-22 14:49, Julien Lepiller wrote:
> Hi,
> 
> I use certificates from let's encrypt for my website and mail servers,
> and found that there was an issue with certificates generated by the
> certbot service in Guix: the generated private keys are world-readable
> (in a directory that cannot be accessed by anyone but root, so it's OK I
> guess). OpenSMTPD is not happy with that though, so I have to chmod the
> files every time. I came up with a variant of the deploy-hook that's
> presented in the manual, and I'd like to update the example with it.
> Here it is:
> 
> ;; Find running nginx and reload its configuration (for certificates)
> (define %my-deploy-hook
>   (program-file
>    "my-deploy-hook"
>    #~(let* ((pid (call-with-input-file "/var/run/nginx/pid" read))
>             (cert-dir (getenv "RENEWED_LINEAGE"))
>             (privkey (string-append cert-dir "/privkey.pem")))
>        ;; certbot private keys are world-readable by default, and smtpd
>        ;; complains about that, refusing to start otherwise
>        (chmod privkey #o600)
>        (kill pid SIGHUP))))
> 
> What do you think?
> 

LGTM.

-- 
Cheers
Swedebugia
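A POSIX-shell equivalent of the quoted Guile hook, added here as an example (it is not code from the thread or from Guix): it tightens the renewed key to owner-only access, reports the resulting mode so it can be checked, and reloads nginx only when the pid file names a live process. RENEWED_LINEAGE is the variable certbot exports to deploy hooks; the NGINX_PID override and the function names are assumptions of this script.

```shell
#!/bin/sh
# Constructed example: certbot deploy hook in POSIX sh.
# certbot sets RENEWED_LINEAGE; NGINX_PID is an assumed override.
set -eu

NGINX_PID="${NGINX_PID:-/var/run/nginx/pid}"

# Restrict the renewed private key to owner read/write and print its
# final octal mode, so a caller can verify the result.
harden_privkey() {
    lineage="$1"
    privkey="$lineage/privkey.pem"
    [ -f "$privkey" ] || { echo "no privkey.pem in $lineage" >&2; return 1; }
    chmod 600 "$privkey"
    # GNU stat first, BSD stat as fallback
    stat -c '%a' "$privkey" 2>/dev/null || stat -f '%Lp' "$privkey"
}

# Send SIGHUP to nginx so it re-reads the certificate files.
# Returns 0 on reload, 2 when no live nginx pid could be found.
reload_nginx() {
    pidfile="${1:-$NGINX_PID}"
    [ -r "$pidfile" ] || return 2
    pid=$(cat "$pidfile")
    # reject empty or non-numeric pid files instead of signalling blindly
    case "$pid" in ''|*[!0-9]*) return 2 ;; esac
    kill -0 "$pid" 2>/dev/null || return 2
    kill -HUP "$pid"
}

# Hook entry point: only runs when certbot invoked us with a lineage.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    harden_privkey "$RENEWED_LINEAGE" >/dev/null
    reload_nginx || echo "nginx not running; nothing reloaded" >&2
fi
```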