From: Carlo Zancanaro
To: 46961@debbugs.gnu.org
Subject: bug#46961: [PATCH 0/2] Allow nginx to start before certbot has run
Date: Wed, 24 Jan 2024 23:18:36 +1100
In-Reply-To: <87pn0cy9yv.fsf@waegenei.re>
References: <87pn0cy9yv.fsf@waegenei.re>
X-Mailer: git-send-email 2.41.0

From time to time people have issues with setting up a new system with certbot generating certificates for an nginx server. The issue is that nginx won't start without being able to load certificates, but certbot can't generate certificates (through the default HTTP challenge) without a running nginx server. Breaking this has generally required two reconfigures: one with nginx configured without loading certificates, and then a second reconfigure after running certbot to add the certificate configuration.

This is a bit of a pain, so I've made Guix generate a self-signed certificate to allow nginx to start before certbot has run.

Unfortunately, I couldn't put the certificates in the same location as certbot, because certbot is very particular about its directories not existing when it requests a certificate for the first time. Rather than try to convince it to do what I wanted, I opted to add another level of indirection and move certificates to /etc/certs/. This is backwards compatible, because the old /etc/letsencrypt/live/ is maintained by certbot. The only real difference is for the initial bootstrapping of a certificate.

Carlo Zancanaro (2):
  services: certbot: Symlink certificates to /etc/certs
  services: certbot: Create self-signed certificates before certbot runs

 doc/guix.texi            | 32 +++++++++------
 gnu/services/certbot.scm | 86 ++++++++++++++++++++++++++++++++++++++--
 2 files changed, 102 insertions(+), 16 deletions(-)

base-commit: ffc5fefce370f5fc01091869e13fdf525be1e0c0
-- 
2.41.0
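The bootstrapping described in the cover letter, as an added example that is not part of the patch series (the real implementation lives in Scheme in gnu/services/certbot.scm; this is independent Go using only the standard library). It assumes the layout the letter sketches: a per-domain symlink under a certs root (the /etc/certs/ indirection) that points at certbot's live directory once one exists and otherwise at a generated self-signed placeholder kept in a separate directory so certbot never finds its own paths pre-created. The function names, the placeholder directory name and the seven-day placeholder lifetime are assumptions. The demo runs under a temporary directory rather than the real /etc.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// writeSelfSigned writes a placeholder self-signed certificate and key for domain
// into dir, using certbot's file names (fullchain.pem, privkey.pem) so the nginx
// configuration is identical before and after certbot has run. (Assumed layout.)
func writeSelfSigned(dir, domain string) error {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: domain},
		DNSNames:     []string{domain},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(7 * 24 * time.Hour), // short-lived: it only has to outlive the first certbot run
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return err
	}
	keyDER, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return err
	}
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
	if err := os.WriteFile(filepath.Join(dir, "fullchain.pem"), certPEM, 0o644); err != nil {
		return err
	}
	// Key readable by root only; nginx loads it before dropping privileges.
	return os.WriteFile(filepath.Join(dir, "privkey.pem"), keyPEM, 0o600)
}

// EnsureCertificate makes certsRoot/<domain> point at a directory nginx can load:
// certbot's liveRoot/<domain> when it holds a certificate, otherwise a placeholder
// generated under selfSignedRoot/<domain>. The symlink is swapped with a rename so
// nginx never observes a missing target. It returns the directory now linked.
func EnsureCertificate(certsRoot, liveRoot, selfSignedRoot, domain string) (string, error) {
	target := filepath.Join(liveRoot, domain)
	if _, err := os.Stat(filepath.Join(target, "fullchain.pem")); err != nil {
		target = filepath.Join(selfSignedRoot, domain) // certbot has not run yet
		if _, err := os.Stat(filepath.Join(target, "fullchain.pem")); err != nil {
			if err := os.MkdirAll(target, 0o755); err != nil {
				return "", err
			}
			if err := writeSelfSigned(target, domain); err != nil {
				return "", err
			}
		}
	}
	if err := os.MkdirAll(certsRoot, 0o755); err != nil {
		return "", err
	}
	link := filepath.Join(certsRoot, domain)
	tmp := link + ".tmp"
	_ = os.Remove(tmp)
	if err := os.Symlink(target, tmp); err != nil {
		return "", err
	}
	if err := os.Rename(tmp, link); err != nil {
		return "", err
	}
	return os.Readlink(link)
}

// IsSelfSigned reports whether the certificate at certPath is still the placeholder
// (issuer equals subject and the signature verifies under its own key). Useful as a
// post-deploy check that certbot really replaced it.
func IsSelfSigned(certPath string) (bool, error) {
	data, err := os.ReadFile(certPath)
	if err != nil {
		return false, err
	}
	block, _ := pem.Decode(data)
	if block == nil {
		return false, fmt.Errorf("no PEM certificate in %s", certPath)
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false, err
	}
	if !bytes.Equal(cert.RawIssuer, cert.RawSubject) {
		return false, nil
	}
	return cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil, nil
}

func main() {
	root, err := os.MkdirTemp("", "certs-demo") // stand-in for /etc
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	target, err := EnsureCertificate(filepath.Join(root, "certs"), filepath.Join(root, "letsencrypt", "live"),
		filepath.Join(root, "certs-selfsigned"), "example.org")
	if err != nil {
		panic(err)
	}
	self, _ := IsSelfSigned(filepath.Join(root, "certs", "example.org", "fullchain.pem"))
	fmt.Printf("linked %s (self-signed placeholder: %v)\n", target, self)
}
```

Running EnsureCertificate again after certbot has populated its live directory flips the symlink to the real certificate without touching the nginx configuration; IsSelfSigned is the check an operator would schedule to catch a host that is still serving the placeholder because the certbot run failed.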