From: Carlo Zancanaro <carlo@zancanaro.id.au>
To: 46961@debbugs.gnu.org
Cc: guix-devel@gnu.org, brice@waegenei.re, clement@lassieur.org
Subject: bug#46961: [PATCH v2 0/4] Make certbot play more nicely with nginx
Date: Tue, 30 Jan 2024 13:26:36 +0000
Message-ID: <cover.1706621200.git.carlo@zancanaro.id.au>
In-Reply-To: <cover.1706098718.git.carlo@zancanaro.id.au>

Hi Guix,

This patch series is a few changes to make certbot default to doing "the right thing" in the common case of wanting certificates for an nginx web server.

The initial change (in v1 of these patches) was to solve the certbot bootstrapping problem. Nginx won't start without valid certificates, but certbot can't produce certificates without a functional nginx. This is solved by generating self-signed certificates to start with, and then replacing them once certbot has run. Doing this requires storing certificates in a different location (because certbot is very particular). I've chosen /etc/certs/.

The other two changes (new to v2 of this series) make things a bit easier to use: a one-shot shepherd service to renew certificates when the machine starts up, and a default deploy-hook to reload the nginx configuration (which picks up the new certificates). I think these changes make certbot "do the right thing", at the expense of being slightly more magical.

On IRC podiki suggested I should copy guix-devel and Brice (the original bug reporter), so I've done that, too.

Carlo Zancanaro (4):
  services: certbot: Symlink certificates to /etc/certs.
  services: certbot: Create self-signed certificates before certbot runs.
  services: certbot: Add a default deploy hook to reload nginx.
  services: certbot: Add one-shot service to renew certificates.

 doc/guix.texi            |  38 ++++++---
 gnu/services/certbot.scm | 178 ++++++++++++++++++++++++++++++++++++---
 2 files changed, 188 insertions(+), 28 deletions(-)

base-commit: 144c95032e517bb8ce466b930fe91506bcc92b2b
-- 
2.41.0
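The bootstrapping step the cover letter describes, as an added example in Go (it is not code from the patch series, whose Guix service is written in Guile Scheme): a placeholder self-signed certificate is written only when no certificate exists yet, so nginx can start, and a certificate certbot has since issued is never overwritten. The /etc/certs/<domain>/ layout, the fullchain.pem and privkey.pem file names and the 24-hour placeholder lifetime are assumptions; a startup job such as the series' one-shot shepherd service would call bootstrapCert before nginx starts.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// bootstrapCert writes a short-lived self-signed placeholder to
// <root>/<domain>/{fullchain,privkey}.pem when fullchain.pem is absent, so nginx
// can start before certbot has run; an existing certificate is never touched.
func bootstrapCert(root, domain string) (bool, error) {
	dir := filepath.Join(root, domain)
	chain := filepath.Join(dir, "fullchain.pem")
	if _, err := os.Stat(chain); err == nil {
		return false, nil // certbot (or an earlier run) already provided one
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: domain},
		DNSNames:     []string{domain},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour), // short-lived on purpose (assumed lifetime)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return false, err
	}
	keyDER, _ := x509.MarshalECPrivateKey(key) // cannot fail for a key we just generated
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	if err := os.MkdirAll(dir, 0o755); err != nil {
		return false, err
	}
	if err := os.WriteFile(filepath.Join(dir, "privkey.pem"), keyPEM, 0o600); err != nil {
		return false, err // key is root-only (0600), as in certbot's own layout
	}
	return true, os.WriteFile(chain,
		pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o644)
}
```

Because the placeholder is only a day long, an nginx that keeps serving it is a visible signal that certbot has not yet run or that its deploy hook never reloaded nginx.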