GNU bug report logs - #47136
[PATCH 0/3] services: certbot: Add dry-run? option and a couple of other minor fixes.


Package: guix-patches;

Reported by: Pierre Langlois <pierre.langlois <at> gmx.com>

Date: Sun, 14 Mar 2021 13:09:02 UTC

Severity: normal

Tags: patch



Report forwarded to guix-patches <at> gnu.org:
bug#47136; Package guix-patches. (Sun, 14 Mar 2021 13:09:02 GMT)

Acknowledgement sent to Pierre Langlois <pierre.langlois <at> gmx.com>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Sun, 14 Mar 2021 13:09:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Pierre Langlois <pierre.langlois <at> gmx.com>
To: Guix-patches <guix-patches <at> gnu.org>
Subject: [PATCH 0/3] services: certbot: Add dry-run? option and a couple of
 other minor fixes.
Date: Sun, 14 Mar 2021 13:08:01 +0000
Hi Guix!

I was recently updating my certbot definition to use a manual DNS
challenge, and I found using the Let's Encrypt staging server along with
the --dry-run option to be really useful. Especially given it can take a
few attempts to correctly build your own hooks.

So I've added the option to set dry-run? in the certificate
configuration, let me know what you think!  I've also included a couple
of patches in the series for minor fixes, removing a now deprecated flag
and a small fix in the docs.

Thanks,
Pierre

Pierre Langlois (3):
  services: certbot: Remove deprecated --manual-public-ip-logging-ok.
  services: certbot: Refer to authentication-hook in documentation.
  services: certbot: Add dry-run? certificate option.

 doc/guix.texi            | 43 ++++++++++++++++++++++++++++++++++++----
 gnu/services/certbot.scm | 12 +++++++----
 2 files changed, 47 insertions(+), 8 deletions(-)

-- 
2.30.2


Information forwarded to guix-patches <at> gnu.org:
bug#47136; Package guix-patches. (Sun, 14 Mar 2021 13:16:01 GMT)

Message #8 received at 47136 <at> debbugs.gnu.org:

From: Pierre Langlois <pierre.langlois <at> gmx.com>
To: 47136 <at> debbugs.gnu.org
Cc: Pierre Langlois <pierre.langlois <at> gmx.com>
Subject: [PATCH 1/3] services: certbot: Remove deprecated
 --manual-public-ip-logging-ok.
Date: Sun, 14 Mar 2021 13:15:41 +0000
The --manual-public-ip-logging-ok flag is now a no-op and was deprecated:
https://github.com/certbot/certbot/pull/8381

* gnu/sevices/certbot.scm (certbot-command): Remove
--manual-public-ip-logging-ok when doing a manual challenge.
---
 gnu/services/certbot.scm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm
index 1c67ff63f1..1cea68fc2a 100644
--- a/gnu/services/certbot.scm
+++ b/gnu/services/certbot.scm
@@ -5,6 +5,7 @@
 ;;; Copyright © 2019 Julien Lepiller <julien <at> lepiller.eu>
 ;;; Copyright © 2020 Jack Hill <jackhill <at> jackhill.us>
 ;;; Copyright © 2020 Tobias Geerinckx-Rice <me <at> tobias.gr>
+;;; Copyright © 2021 Pierre Langlois <pierre.langlois <at> gmx.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -103,7 +104,6 @@
                             "--manual"
                             (string-append "--preferred-challenges=" challenge)
                             "--cert-name" name
-                            "--manual-public-ip-logging-ok"
                             "-d" (string-join domains ","))
                       (if email
                           `("--email" ,email)
--
2.30.2





Information forwarded to guix-patches <at> gnu.org:
bug#47136; Package guix-patches. (Sun, 14 Mar 2021 13:17:01 GMT)

Message #11 received at 47136 <at> debbugs.gnu.org:

From: Pierre Langlois <pierre.langlois <at> gmx.com>
To: 47136 <at> debbugs.gnu.org
Cc: Pierre Langlois <pierre.langlois <at> gmx.com>
Subject: [PATCH 2/3] services: certbot: Refer to authentication-hook in
 documentation.
Date: Sun, 14 Mar 2021 13:15:42 +0000
* doc/guix.texi (Certificate Services): Refer to non-abbreviated
authentication-hook instead of auth-hook.
---
 doc/guix.texi | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 4cf241c56a..ec449b1772 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -25651,10 +25651,10 @@ file name of the resource requested when performing an HTTP-01 challenge.

 @item @code{cleanup-hook} (default: @code{#f})
 Command to be run in a shell once for each certificate challenge that
-have been answered by the @code{auth-hook}.  For this command, the shell
-variables available in the @code{auth-hook} script are still available, and
-additionally @code{$CERTBOT_AUTH_OUTPUT} will contain the standard output
-of the @code{auth-hook} script.
+have been answered by the @code{authentication-hook}.  For this command,
+the shell variables available in the @code{authentication-hook} script
+are still available, and additionally @code{$CERTBOT_AUTH_OUTPUT} will
+contain the standard output of the @code{authentication-hook} script.

 @item @code{deploy-hook} (default: @code{#f})
 Command to be run in a shell once for each successfully issued
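Review bot: Since the sentence is being rewritten anyway, fix the agreement error that survives the change: `once for each certificate challenge that have been answered` should read `that has been answered` (the subject is the singular `challenge`). Otherwise the rename is consistent with the `authentication-hook` field name used in the record, which is the right direction: readers copying the abbreviated `auth-hook` into a configuration get a field-name error.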
--
2.30.2





Information forwarded to guix-patches <at> gnu.org:
bug#47136; Package guix-patches. (Sun, 14 Mar 2021 13:17:02 GMT)

Message #14 received at 47136 <at> debbugs.gnu.org:

From: Pierre Langlois <pierre.langlois <at> gmx.com>
To: 47136 <at> debbugs.gnu.org
Cc: Pierre Langlois <pierre.langlois <at> gmx.com>
Subject: [PATCH 3/3] services: certbot: Add dry-run? certificate option.
Date: Sun, 14 Mar 2021 13:15:43 +0000
* gnu/services/certbot.scm (certificate-configuration): Add dry-run? field.
(certbot-command): Use it to pass --dry-run to certbot.
* doc/guix.texi (Certificate Services): Document dry-run? option.
---
 doc/guix.texi            | 35 +++++++++++++++++++++++++++++++++++
 gnu/services/certbot.scm | 10 +++++++---
 2 files changed, 42 insertions(+), 3 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index ec449b1772..322c717941 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -25665,6 +25665,41 @@ certificates and keys; the shell variable @code{$RENEWED_DOMAINS} will
 contain a space-delimited list of renewed certificate domains (for
 example, @samp{"example.com www.example.com"}.

+@item @code{dry-run?} (default: @code{#f})
+Communitcate with the ACME server but do not update certificates nor
+trigger @code{deploy-hook}.  This is useful as a temporary setting to
+test the challenge procedure, especially the @code{authentication-hook}
+and @code{cleanup-hook} while working on them.  It's also a good idea to
+use Let's Encrypt's staging server at
+@url{https://acme-staging-v02.api.letsencrypt.org/directory} while
+testing, which allows for higher rate limits, but with which
+@code{certbot} will helpfully refuse to update certificates and
+recommend the @code{dry-run?} option.  For example:
+
+@lisp
+(define %authentication-hook
+  (program-file "authentication-hook"
+    #~(let ((domain (getenv "CERTBOT_DOMAIN"))
+            (token (getenv "CERTBOT_TOKEN")))
+        (format #t "Hey, can you authenticate ~a with ~a for me?"
+                domain token))))
+
+(define %cleanup-hook
+  (program-file "authentication-hook"
+    #~(display "Bye")
+
+(service certbot-service-type
+         (certbot-configuration
+          (server "https://acme-staging-v02.api.letsencrypt.org/directory")
+          (certificates
+           (list
+            (certificate-configuration
+              (dry-run? #t)
+              (authentication-hook %authentication-hook)
+              (cleanup-hook %cleanup-hook)
+              (domains '("example.net" "www.example.net")))))))
+@end lisp
+
 @end table
 @end deftp
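Review bot: The @lisp example does not parse as written: the `%cleanup-hook` definition is missing two closing parentheses (neither the `program-file` form nor the `define` is closed), so anyone pasting it into a configuration gets a read error before the service is even evaluated. Its `program-file` is also named "authentication-hook", a copy-paste from the hook above; name it "cleanup-hook" so the two scripts are distinguishable in the store and in certbot's logs. Minor: `Communitcate` on the first line of the description.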

diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm
index 1cea68fc2a..15274cf0ed 100644
--- a/gnu/services/certbot.scm
+++ b/gnu/services/certbot.scm
@@ -61,6 +61,8 @@
   (cleanup-hook        certificate-cleanup-hook
                        (default #f))
   (deploy-hook         certificate-configuration-deploy-hook
+                       (default #f))
+  (dry-run?            certbot-configuration-dry-run?
                        (default #f)))

 (define-record-type* <certbot-configuration>
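Review bot: The accessor for the new field is named `certbot-configuration-dry-run?`, but this record is `<certificate-configuration>` (the `<certbot-configuration>` record only starts on the next line) and its sibling accessor here is `certificate-configuration-deploy-hook`. Name it `certificate-configuration-dry-run?` so a per-certificate accessor is not mistaken for one on the service-level record.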
@@ -96,7 +98,7 @@
               (match-lambda
                 (($ <certificate-configuration> custom-name domains challenge
                                                 authentication-hook cleanup-hook
-                                                deploy-hook)
+                                                deploy-hook dry-run?)
                  (let ((name (or custom-name (car domains))))
                    (if challenge
                      (append
@@ -114,7 +116,8 @@
                           `("--manual-auth-hook" ,authentication-hook)
                           '())
                       (if cleanup-hook `("--manual-cleanup-hook" ,cleanup-hook) '())
-                      (if deploy-hook `("--deploy-hook" ,deploy-hook) '()))
+                      (if deploy-hook `("--deploy-hook" ,deploy-hook) '())
+                      (if dry-run? '("--dry-run")))
                      (append
                       (list name certbot "certonly" "-n" "--agree-tos"
                             "--webroot" "-w" webroot
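Review bot: `(if dry-run? '("--dry-run")))` lacks the `'()` alternative that the webroot branch in the next hunk supplies (`(if dry-run? '("--dry-run") '())`). With the default `dry-run? #f` the `if` yields an unspecified value as the last argument to `append`, and because `append` accepts a non-list as its final argument this produces an improper list rather than an immediate error, so the default manual-challenge path would build a malformed command. Add the `'()` here to match the other branch.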
@@ -125,7 +128,8 @@
                           '("--register-unsafely-without-email"))
                       (if server `("--server" ,server) '())
                       (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
-                      (if deploy-hook `("--deploy-hook" ,deploy-hook) '()))))))
+                      (if deploy-hook `("--deploy-hook" ,deploy-hook) '())
+                      (if dry-run? '("--dry-run") '()))))))
               certificates)))
        (program-file
         "certbot-command"
--
2.30.2





Information forwarded to guix-patches <at> gnu.org:
bug#47136; Package guix-patches. (Sun, 14 Mar 2021 13:23:02 GMT)

Message #17 received at 47136 <at> debbugs.gnu.org:

From: Pierre Langlois <pierre.langlois <at> gmx.com>
To: 47136 <at> debbugs.gnu.org
Cc: Pierre Langlois <pierre.langlois <at> gmx.com>
Subject: Re: [PATCH 1/3] services: certbot: Remove deprecated
 --manual-public-ip-logging-ok.
Date: Sun, 14 Mar 2021 13:22:25 +0000
Pierre Langlois writes:

> The --manual-public-ip-logging-ok flag is now a no-op and was deprecated
> https://github.com/certbot/certbot/pull/8381
>
> * gnu/sevices/certbot.scm (certbot-command): Remove
          ^
          |
Oops, I've got a typo here, fixed locally!

Thanks,
Pierre

Information forwarded to guix-patches <at> gnu.org:
bug#47136; Package guix-patches. (Sat, 17 Apr 2021 16:52:02 GMT)

Message #20 received at 47136 <at> debbugs.gnu.org:

From: Pierre Langlois <pierre.langlois <at> gmx.com>
To: 47136 <at> debbugs.gnu.org
Cc: Pierre Langlois <pierre.langlois <at> gmx.com>
Subject: Re: [PATCH 3/3] services: certbot: Add dry-run? certificate option.
Date: Sat, 17 Apr 2021 17:51:46 +0100
Hi all,

Friendly ping on this series :-).

Thanks,
Pierre

Pierre Langlois writes:

> * gnu/services/certbot.scm (certificate-configuration): Add dry-run? field.
> (certbot-command): Use it to pass --dry-run to certbot.
> * doc/guix.texi (Certificate Services): Document dry-run? option.
> ---
>  doc/guix.texi            | 35 +++++++++++++++++++++++++++++++++++
>  gnu/services/certbot.scm | 10 +++++++---
>  2 files changed, 42 insertions(+), 3 deletions(-)
>
> diff --git a/doc/guix.texi b/doc/guix.texi
> index ec449b1772..322c717941 100644
> --- a/doc/guix.texi
> +++ b/doc/guix.texi
> @@ -25665,6 +25665,41 @@ certificates and keys; the shell variable @code{$RENEWED_DOMAINS} will
>  contain a space-delimited list of renewed certificate domains (for
>  example, @samp{"example.com www.example.com"}.
>
> +@item @code{dry-run?} (default: @code{#f})
> +Communitcate with the ACME server but do not update certificates nor

note-to-self, typo here: Communicate

> +trigger @code{deploy-hook}.  This is useful as a temporary setting to
> +test the challenge procedure, especially the @code{authentication-hook}
> +and @code{cleanup-hook} while working on them.  It's also a good idea to
> +use Let's Encrypt's staging server at
> +@url{https://acme-staging-v02.api.letsencrypt.org/directory} while
> +testing, which allows for higher rate limits, but with which
> +@code{certbot} will helpfully refuse to update certificates and
> +recommend the @code{dry-run?} option.  For example:
> +
> +@lisp
> +(define %authentication-hook
> +  (program-file "authentication-hook"
> +    #~(let ((domain (getenv "CERTBOT_DOMAIN"))
> +            (token (getenv "CERTBOT_TOKEN")))
> +        (format #t "Hey, can you authenticate ~a with ~a for me?"
> +                domain token))))
> +
> +(define %cleanup-hook
> +  (program-file "authentication-hook"
> +    #~(display "Bye")
> +
> +(service certbot-service-type
> +         (certbot-configuration
> +          (server "https://acme-staging-v02.api.letsencrypt.org/directory")
> +          (certificates
> +           (list
> +            (certificate-configuration
> +              (dry-run? #t)
> +              (authentication-hook %authentication-hook)
> +              (cleanup-hook %cleanup-hook)
> +              (domains '("example.net" "www.example.net")))))))
> +@end lisp
> +
>  @end table
>  @end deftp
>
> diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm
> index 1cea68fc2a..15274cf0ed 100644
> --- a/gnu/services/certbot.scm
> +++ b/gnu/services/certbot.scm
> @@ -61,6 +61,8 @@
>    (cleanup-hook        certificate-cleanup-hook
>                         (default #f))
>    (deploy-hook         certificate-configuration-deploy-hook
> +                       (default #f))
> +  (dry-run?            certbot-configuration-dry-run?
>                         (default #f)))
>
>  (define-record-type* <certbot-configuration>
> @@ -96,7 +98,7 @@
>                (match-lambda
>                  (($ <certificate-configuration> custom-name domains challenge
>                                                  authentication-hook cleanup-hook
> -                                                deploy-hook)
> +                                                deploy-hook dry-run?)
>                   (let ((name (or custom-name (car domains))))
>                     (if challenge
>                       (append
> @@ -114,7 +116,8 @@
>                            `("--manual-auth-hook" ,authentication-hook)
>                            '())
>                        (if cleanup-hook `("--manual-cleanup-hook" ,cleanup-hook) '())
> -                      (if deploy-hook `("--deploy-hook" ,deploy-hook) '()))
> +                      (if deploy-hook `("--deploy-hook" ,deploy-hook) '())
> +                      (if dry-run? '("--dry-run")))
>                       (append
>                        (list name certbot "certonly" "-n" "--agree-tos"
>                              "--webroot" "-w" webroot
> @@ -125,7 +128,8 @@
>                            '("--register-unsafely-without-email"))
>                        (if server `("--server" ,server) '())
>                        (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
> -                      (if deploy-hook `("--deploy-hook" ,deploy-hook) '()))))))
> +                      (if deploy-hook `("--deploy-hook" ,deploy-hook) '())
> +                      (if dry-run? '("--dry-run") '()))))))
>                certificates)))
>         (program-file
>          "certbot-command"


Information forwarded to guix-patches <at> gnu.org:
bug#47136; Package guix-patches. (Sat, 17 Apr 2021 17:39:02 GMT)

Message #23 received at 47136 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: Pierre Langlois <pierre.langlois <at> gmx.com>
Cc: 47136 <at> debbugs.gnu.org
Subject: Re: [bug#47136] [PATCH 3/3] services: certbot: Add dry-run?
 certificate option.
Date: Sat, 17 Apr 2021 13:38:42 -0400
On Sat, Apr 17, 2021 at 05:51:46PM +0100, Pierre Langlois wrote:
> Hi all,
> 
> Friendly ping on this series :-).

Just FYI, we are in "string freeze" until Guix 1.2.1 is released. This
means no changes to the manual or other translatable parts of Guix until
then.




Information forwarded to guix-patches <at> gnu.org:
bug#47136; Package guix-patches. (Sat, 17 Apr 2021 18:06:02 GMT)

Message #26 received at 47136 <at> debbugs.gnu.org:

From: Pierre Langlois <pierre.langlois <at> gmx.com>
To: Leo Famulari <leo <at> famulari.name>
Cc: 47136 <at> debbugs.gnu.org, Pierre Langlois <pierre.langlois <at> gmx.com>
Subject: Re: [bug#47136] [PATCH 3/3] services: certbot: Add dry-run?
 certificate option.
Date: Sat, 17 Apr 2021 19:05:02 +0100
Hi Leo,

Leo Famulari writes:

> On Sat, Apr 17, 2021 at 05:51:46PM +0100, Pierre Langlois wrote:
>> Hi all,
>> 
>> Friendly ping on this series :-).
>
> Just FYI, we are in "string freeze" until Guix 1.2.1 is released. This
> means no changes to the manual or other translatable parts of Guix until
> then.

Aaah I see, thanks for the info!

Pierre
