From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp0.migadu.com ([2001:41d0:403:58f0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms8.migadu.com with LMTPS id GBpICAz7uGVYCgEAqHPOHw:P1 (envelope-from ) for ; Tue, 30 Jan 2024 14:35:08 +0100 Received: from aspmx1.migadu.com ([2001:41d0:403:58f0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp0.migadu.com with LMTPS id GBpICAz7uGVYCgEAqHPOHw (envelope-from ) for ; Tue, 30 Jan 2024 14:35:08 +0100 X-Envelope-To: larch@yhetil.org Authentication-Results: aspmx1.migadu.com; dkim=pass header.d=zancanaro.id.au header.s=k1 header.b=PuBpNEkx; spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org"; dmarc=pass (policy=none) header.from=zancanaro.id.au ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1706621708; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post:dkim-signature; bh=6PJHct0hoFmSGXbbr6e+/CnuqgTTgnRidsFK81/9tjQ=; b=bK9BWBwTQ0dhLP2IenhzvMDtb6eOy1JVLAO9nyXNVrk93CklsB2JFwFqqAgsfYj8jYQToW HdB+Qa+FKgUKKTrlpkqmgeJr2AJheundk3eun3E16KBirw1Xy5TJzeEiiAnGwvGpDRnto+ Ptcr1gDdgxFWldOVwVqgmVg9Lj4QmCCI5K0wAglti5XOk78HbQ0PBQpaRWuf+GtB1K56Om 2+2G81Gt67FH6nZ6FbniMssjP77DzD8dF3hpbPAsdjrhcDCmKmywyffzYXgQWuIhUlP8AQ rj37YjnnYr1iq1OERm641R5oVYoHeqb2npCCGyhEzqXMg3c1ixOdp2luFzjLaA== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=pass header.d=zancanaro.id.au header.s=k1 header.b=PuBpNEkx; spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org"; dmarc=pass (policy=none) header.from=zancanaro.id.au ARC-Seal: i=1; s=key1; d=yhetil.org; t=1706621708; a=rsa-sha256; cv=none; b=Fd/0s8gYNCj09+VUsWGgA0/ksVhA4H4cGi+UVI2PobyhJDc9jmswPsTmIdVwSCnLxNCDPA Qmxh5BMCNTVzr8KauwLLeZiNqVajDkBuwJnaFta+AotyAmDuQzOg7ZlEmU/JishAxc8SWz fjghz4n0R3QJI9dYJYF0T69xaSgZMGmOsBuDzYW91IzLEZKeBHMX4FtyOtqq+N5DEfcii/ GmJTSBA6GyKiIFtqxsP2BUJfKcpXLAYW3oqhRmojGNnX05T0aHfMUvDQnBSkP+BZ2O2xOW cE6ccO4nlzCt5j3S/VozkU2uGgb6dFiHVXM/HTwZ74sfFAg/WpkXUz0KSQXZfQ== Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 8B2BC3DFC9 for ; Tue, 30 Jan 2024 14:35:07 +0100 (CET) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1rUoFS-0007Ps-6F; Tue, 30 Jan 2024 08:33:58 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1rUoFL-0007Ok-6I for guix-devel@gnu.org; Tue, 30 Jan 2024 08:33:54 -0500 Received: from voltorb.zancanaro.id.au ([45.77.50.64]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1rUoFI-0006Bh-JU for guix-devel@gnu.org; Tue, 30 Jan 2024 08:33:50 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=k1; bh=6PJHct0hoFmSGXb br6e+/CnuqgTTgnRidsFK81/9tjQ=; h=references:in-reply-to:date:subject: cc:to:from; d=zancanaro.id.au; b=PuBpNEkxJA0RsvB13NA2sVNaJCL9ThbLE2M6o QVj2VVp4XvT35p6+JnamxfTmbp/dvRxiBBPXnf1nWoIOUS11BpuPpCbD+jAfYgRekod2r3 xUU4FF2WU1ehxUtaWLyqQF+VJhK3D7H0NEZ80Z/pYXkNJtHCEPDbtHwMQ4XThiiI= Received: by voltorb.zancanaro.id.au (OpenSMTPD) with ESMTPSA id e67d731a (TLSv1.3:TLS_AES_256_GCM_SHA384:256:NO); Tue, 30 Jan 2024 13:33:27 +0000 (UTC) From: Carlo Zancanaro To: 46961@debbugs.gnu.org Cc: clement@lassieur.org, brice@waegenei.re, guix-devel@gnu.org Subject: [PATCH v2 2/4] services: certbot: Create self-signed certificates before certbot runs. Date: Tue, 30 Jan 2024 13:26:38 +0000 Message-ID: X-Mailer: git-send-email 2.41.0 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Received-SPF: pass client-ip=45.77.50.64; envelope-from=carlo@zancanaro.id.au; helo=voltorb.zancanaro.id.au X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: guix-devel-bounces+larch=yhetil.org@gnu.org X-Migadu-Flow: FLOW_IN X-Migadu-Country: US X-Migadu-Spam-Score: -8.66 X-Migadu-Queue-Id: 8B2BC3DFC9 X-Spam-Score: -8.66 X-Migadu-Scanner: mx11.migadu.com X-TUID: pYKnsOY3flCA * gnu/services/certbot.scm (): Add start-self-signed? field. (generate-certificate-gexp): New procedure. (certbot-activation): Generate self-signed certificates when start-self-signed? is #t. * doc/guix.texi (Certificate services): Document start-self-signed?. Change-Id: Icfd85ae0c3e29324acbcde6ba283546cf0e27a1d --- doc/guix.texi | 6 ++++ gnu/services/certbot.scm | 62 ++++++++++++++++++++++++++++++++++++++-- 2 files changed, 65 insertions(+), 3 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index b134d45a16..58a65fe0b7 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -32690,6 +32690,12 @@ Certificate Services contain a space-delimited list of renewed certificate domains (for example, @samp{"example.com www.example.com"}. +@item @code{start-self-signed?} (default: @code{#t}) +Whether to generate an initial self-signed certificate during system +activation. This option is particularly useful to allow @code{nginx} to +start before @code{certbot} has run, because @code{certbot} relies on +@code{nginx} running to perform HTTP challenges. + @end table @end deftp diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm index 3926d0551a..10b99f5630 100644 --- a/gnu/services/certbot.scm +++ b/gnu/services/certbot.scm @@ -35,6 +35,7 @@ (define-module (gnu services certbot) #:use-module (guix records) #:use-module (guix gexp) #:use-module (srfi srfi-1) + #:use-module (ice-9 format) #:use-module (ice-9 match) #:export (certbot-service-type certbot-configuration @@ -64,7 +65,9 @@ (define-record-type* (cleanup-hook certificate-cleanup-hook (default #f)) (deploy-hook certificate-configuration-deploy-hook - (default #f))) + (default #f)) + (start-self-signed? certificate-configuration-start-self-signed? + (default #t))) (define-record-type* certbot-configuration make-certbot-configuration @@ -91,7 +94,10 @@ (define-record-type* (define (certbot-deploy-hook name deploy-hook-script) "Returns a gexp which creates symlinks for privkey.pem and fullchain.pem from /etc/certs/NAME to /etc/letsenctypt/live/NAME. If DEPLOY-HOOK-SCRIPT is -not #f then it is run after the symlinks have been created." +not #f then it is run after the symlinks have been created. This wrapping is +necessary for certificates with start-self-signed? set to #t, as it will +overwrite the initial self-signed certificates upon the first successful +deploy." (program-file (string-append name "-deploy-hook") (with-imported-modules '((guix build utils)) @@ -108,7 +114,8 @@ (define (certbot-deploy-hook name deploy-hook-script) "/etc/letsencrypt/live/" name "/fullchain.pem") #$(string-append "/etc/certs/" name "/fullchain.pem.new")) - ;; Rename over the top of the old ones, if there are any. + ;; Rename over the top of the old ones, just in case they were the + ;; original self-signed certificates. (rename-file #$(string-append "/etc/certs/" name "/privkey.pem.new") #$(string-append "/etc/certs/" name "/privkey.pem")) (rename-file #$(string-append "/etc/certs/" name "/fullchain.pem.new") @@ -184,6 +191,47 @@ (define (certbot-renewal-jobs config) #~(job '(next-minute-from (next-hour '(0 12)) (list (random 60))) #$(certbot-command config)))) +(define (generate-certificate-gexp certbot-cert-directory rsa-key-size) + (match-lambda + (($ name (primary-domain other-domains ...) + challenge + csr authentication-hook + cleanup-hook deploy-hook) + (let (;; Arbitrary default subject, with just the + ;; right domain filled in. These values don't + ;; have any real significance. + (subject (string-append + "/C=US/ST=Oregon/L=Portland/O=Company Name/OU=Org/CN=" + primary-domain)) + (alt-names (if (null? other-domains) + #f + (format #f "subjectAltName=~{DNS:~a~^,~}" + other-domains))) + (directory (string-append "/etc/certs/" (or name primary-domain)))) + #~(when (not (file-exists? #$directory)) + ;; We generate self-signed certificates in /etc/certs/{domain}, + ;; because certbot is very sensitive to its directory + ;; structure. It refuses to write over the top of existing files, + ;; so we need to use a directory outside of its control. + ;; + ;; These certificates are overwritten by the certbot deploy hook + ;; the first time it successfully obtains a letsencrypt-signed + ;; certificate. + (mkdir-p #$directory) + (chmod #$directory #o755) + (invoke #$(file-append openssl "/bin/openssl") + "req" "-x509" + "-newkey" #$(string-append "rsa:" (or rsa-key-size "4096")) + "-keyout" #$(string-append directory "/privkey.pem") + "-out" #$(string-append directory "/fullchain.pem") + "-sha256" + "-days" "1" ; Only one day, because we expect certbot to run + "-nodes" + "-subj" #$subject + #$@(if alt-names + (list "-addext" alt-names) + (list)))))))) + (define (certbot-activation config) (let* ((certbot-directory "/var/lib/certbot") (certbot-cert-directory "/etc/letsencrypt/live") @@ -198,6 +246,14 @@ (define (certbot-activation config) (mkdir-p #$webroot) (mkdir-p #$certbot-directory) (mkdir-p #$certbot-cert-directory) + + #$@(let ((rsa-key-size (and rsa-key-size + (number->string rsa-key-size)))) + (map (generate-certificate-gexp certbot-cert-directory + rsa-key-size) + (filter certificate-configuration-start-self-signed? + certificates))) + (copy-file #$(certbot-command config) #$script) (display #$message))))))) -- 2.41.0