From: Julien Lepiller
Subject: Renewing certificates with certbot
Date: Fri, 22 Feb 2019 14:49:52 +0100
To: guix-devel@gnu.org

Hi,

I use certificates from Let's Encrypt for my website and mail servers, and found that there was an issue with certificates generated by the certbot service in Guix: the generated private keys are world-readable (in a directory that cannot be accessed by anyone but root, so it's OK I guess). OpenSMTPD is not happy with that though, so I have to chmod the files every time. I came up with a variant of the deploy-hook that's presented in the manual, and I'd like to update the example with it.
Here it is:

;; Find running nginx and reload its configuration (for certificates)
(define %my-deploy-hook
  (program-file "my-deploy-hook"
                #~(let* ((pid (call-with-input-file "/var/run/nginx/pid" read))
                         (cert-dir (getenv "RENEWED_LINEAGE"))
                         (privkey (string-append cert-dir "/privkey.pem")))
                    ;; certbot private keys are world-readable by default, and smtpd complains
                    ;; about that, refusing to start otherwise
                    (chmod privkey #o600)
                    (kill pid SIGHUP))))

What do you think?
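An added audit script (not from this thread or from Guix) for checking the permission problem described above across a whole certbot-style tree, rather than only the lineage being renewed. It assumes certbot's archive/ plus live/ layout, where live/ holds symlinks to the real key files, and uses a constructed lineage named example.test as sample input.

```python
from __future__ import annotations

import os
import stat
from pathlib import Path

# Any of these bits set on a private key means group or other can touch it.
GROUP_OTHER_BITS = stat.S_IRWXG | stat.S_IRWXO


def build_sample_tree(base: str) -> Path:
    """Constructed fixture mimicking certbot's layout: the real key lives in
    archive/, live/ holds a symlink to it. The key is deliberately 0644."""
    archive = Path(base, "archive", "example.test")   # hypothetical lineage
    live = Path(base, "live", "example.test")
    archive.mkdir(parents=True)
    live.mkdir(parents=True)
    key = archive / "privkey1.pem"
    key.write_text("-----BEGIN PRIVATE KEY-----\n(constructed)\n")
    key.chmod(0o644)
    (live / "privkey.pem").symlink_to(key)
    return live


def audit_private_keys(root: str) -> list[dict]:
    """Report every privkey*.pem under root whose *target* is accessible to
    group/other. os.stat follows the live/ symlink; lstat would only show the
    symlink's own (meaningless) 0777 mode."""
    findings = []
    for path in sorted(Path(root).rglob("privkey*.pem")):
        if not path.exists():          # dangling symlink in live/
            findings.append({"path": str(path), "mode": None,
                             "problem": "dangling symlink"})
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & GROUP_OTHER_BITS:
            findings.append({"path": str(path), "mode": mode,
                             "problem": "readable by group/other"})
    return findings


def tighten(root: str, dry_run: bool = True) -> list[str]:
    """chmod 0600 the target of each offending key; returns the distinct
    targets that would be (or were) changed. Read-only unless dry_run=False."""
    targets = {str(Path(f["path"]).resolve())
               for f in audit_private_keys(root) if f["mode"] is not None}
    if not dry_run:
        for t in targets:
            os.chmod(t, 0o600)
    return sorted(targets)
```

Both the archive/ file and the live/ symlink are reported, but only the single underlying target is changed, which is why the key is fixed once even though it is found twice.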