[PATCH 0/3] services: certbot: Add dry-run? option and a couple of other minor fixes.

OpenSubmitted by Pierre Langlois.
Details
2 participants
  • Leo Famulari
  • Pierre Langlois
Owner
unassigned
Severity
normal
P
P
Pierre Langlois wrote on 14 Mar 2021 14:08
(name . Guix-patches)(address . guix-patches@gnu.org)
87k0q9c28e.fsf@gmx.com
Hi Guix!

I was recently updating my certbot definition to use a manual DNS
challenge, and I found using the Let's Encrypt staging server along with
the --dry-run option to be really useful. Especially given it can take a
few attempts to correctly build your own hooks.

So I've added the option to set dry-run? in the certificate
configuration, let me know what you think! I've also included a couple
of patches in the series for minor fixes, removing a now deprecated flag
and a small fix in the docs.

Thanks,
Pierre

Pierre Langlois (3):
services: certbot: Remove deprecated --manual-public-ip-logging-ok.
services: certbot: Refer to authentication-hook in documentation.
services: certbot: Add dry-run? certificate option.

doc/guix.texi | 43 ++++++++++++++++++++++++++++++++++++----
gnu/services/certbot.scm | 12 +++++++----
2 files changed, 47 insertions(+), 8 deletions(-)

--
2.30.2
-----BEGIN PGP SIGNATURE-----

iQFMBAEBCgA2FiEEctU9gYy29KFyWDdMqPyeRH9PfVQFAmBOCrEYHHBpZXJyZS5s
YW5nbG9pc0BnbXguY29tAAoJEKj8nkR/T31UrW8H/0Y9qqX7dgdEOgzDMIiZRGWg
EPI4Tk0iWJvGYpVm293GTgpFmeo1s1z2IxnHyaglwH/LjhLaLL3NK9MHQHJwTWcd
IalUdCaKPHUpjLuslRe6xNshnroWdQnvjlv/vsCXlInCzhSOmrDfPEkQER6RfxKx
39Zt77GNx9kaP4DRRnETt9Y7qEj8bppJU1x7DcbCt9pEi9YwUvq0HYECoh2dV2ju
tjCnEBXLDb1iZ+V6GOqVVzz0TZ18phk9WBfJndRUK65ym1fjTEadKiVSwXqPCbXE
B93vyvbswjhDawpSMpKyy10xFLs+Vg2W3JcJn7lvL4+SVpsqzVLfeJNnw17q+bQ=
=M9CA
-----END PGP SIGNATURE-----

P
P
Pierre Langlois wrote on 14 Mar 2021 14:15
[PATCH 1/3] services: certbot: Remove deprecated --manual-public-ip-logging-ok.
(address . 47136@debbugs.gnu.org)(name . Pierre Langlois)(address . pierre.langlois@gmx.com)
20210314131543.9310-1-pierre.langlois@gmx.com
The --manual-public-ip-logging-ok flag is now a no-op and was deprecated

* gnu/sevices/certbot.scm (certbot-command): Remove
--manual-public-ip-logging-ok when doing a manual challenge.
---
gnu/services/certbot.scm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

Toggle diff (20 lines)
diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm
index 1c67ff63f1..1cea68fc2a 100644
--- a/gnu/services/certbot.scm
+++ b/gnu/services/certbot.scm
@@ -5,6 +5,7 @@
 ;;; Copyright © 2019 Julien Lepiller <julien@lepiller.eu>
 ;;; Copyright © 2020 Jack Hill <jackhill@jackhill.us>
 ;;; Copyright © 2020 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright © 2021 Pierre Langlois <pierre.langlois@gmx.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -103,7 +104,6 @@
                             "--manual"
                             (string-append "--preferred-challenges=" challenge)
                             "--cert-name" name
-                            "--manual-public-ip-logging-ok"
                             "-d" (string-join domains ","))
                       (if email
                           `("--email" ,email)
--
2.30.2
P
P
Pierre Langlois wrote on 14 Mar 2021 14:15
[PATCH 2/3] services: certbot: Refer to authentication-hook in documentation.
(address . 47136@debbugs.gnu.org)(name . Pierre Langlois)(address . pierre.langlois@gmx.com)
20210314131543.9310-2-pierre.langlois@gmx.com
* doc/guix.texi (Cerfiticate Services): Refer to non-abbreviated
authentication-hook instead of auth-hook.
---
doc/guix.texi | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

Toggle diff (19 lines)
diff --git a/doc/guix.texi b/doc/guix.texi
index 4cf241c56a..ec449b1772 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -25651,10 +25651,10 @@ file name of the resource requested when performing an HTTP-01 challenge.

 @item @code{cleanup-hook} (default: @code{#f})
 Command to be run in a shell once for each certificate challenge that
-have been answered by the @code{auth-hook}.  For this command, the shell
-variables available in the @code{auth-hook} script are still available, and
-additionally @code{$CERTBOT_AUTH_OUTPUT} will contain the standard output
-of the @code{auth-hook} script.
+have been answered by the @code{authentication-hook}.  For this command,
+the shell variables available in the @code{authentication-hook} script
+are still available, and additionally @code{$CERTBOT_AUTH_OUTPUT} will
+contain the standard output of the @code{authentication-hook} script.

 @item @code{deploy-hook} (default: @code{#f})
 Command to be run in a shell once for each successfully issued
--
2.30.2
P
P
Pierre Langlois wrote on 14 Mar 2021 14:15
[PATCH 3/3] services: certbot: Add dry-run? certificate option.
(address . 47136@debbugs.gnu.org)(name . Pierre Langlois)(address . pierre.langlois@gmx.com)
20210314131543.9310-3-pierre.langlois@gmx.com
* gnu/services/certbot.scm (certificate-configuration): Add dry-run? field.
(certbot-command): Use it to pass --dry-run to certbot.
* doc/guix.texi (Certificate Services): Document dry-run? option.
---
doc/guix.texi | 35 +++++++++++++++++++++++++++++++++++
gnu/services/certbot.scm | 10 +++++++---
2 files changed, 42 insertions(+), 3 deletions(-)

Toggle diff (88 lines)
diff --git a/doc/guix.texi b/doc/guix.texi
index ec449b1772..322c717941 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -25665,6 +25665,41 @@ certificates and keys; the shell variable @code{$RENEWED_DOMAINS} will
 contain a space-delimited list of renewed certificate domains (for
 example, @samp{"example.com www.example.com"}.

+@item @code{dry-run?} (default: @code{#f})
+Communitcate with the ACME server but do not update certificates nor
+trigger @code{deploy-hook}.  This is useful as a temporary setting to
+test the challenge procedure, especially the @code{authentication-hook}
+and @code{cleanup-hook} while working on them.  It's also a good idea to
+use Let's Encrypt's staging server at
+@url{https://acme-staging-v02.api.letsencrypt.org/directory} while
+testing, which allows for higher rate limits, but with which
+@code{certbot} will helpfully refuse to update certificates and
+recommend the @code{dry-run?} option.  For example:
+
+@lisp
+(define %authentication-hook
+  (program-file "authentication-hook"
+    #~(let ((domain (getenv "CERTBOT_DOMAIN"))
+            (token (getenv "CERTBOT_TOKEN")))
+        (format #t "Hey, can you authenticate ~a with ~a for me?"
+                domain token))))
+
+(define %cleanup-hook
+  (program-file "authentication-hook"
+    #~(display "Bye")
+
+(service certbot-service-type
+         (certbot-configuration
+          (server "https://acme-staging-v02.api.letsencrypt.org/directory")
+          (certificates
+           (list
+            (certificate-configuration
+              (dry-run? #t)
+              (authentication-hook %authentication-hook)
+              (cleanup-hook %cleanup-hook)
+              (domains '("example.net" "www.example.net")))))))
+@end lisp
+
 @end table
 @end deftp

diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm
index 1cea68fc2a..15274cf0ed 100644
--- a/gnu/services/certbot.scm
+++ b/gnu/services/certbot.scm
@@ -61,6 +61,8 @@
   (cleanup-hook        certificate-cleanup-hook
                        (default #f))
   (deploy-hook         certificate-configuration-deploy-hook
+                       (default #f))
+  (dry-run?            certbot-configuration-dry-run?
                        (default #f)))

 (define-record-type* <certbot-configuration>
@@ -96,7 +98,7 @@
               (match-lambda
                 (($ <certificate-configuration> custom-name domains challenge
                                                 authentication-hook cleanup-hook
-                                                deploy-hook)
+                                                deploy-hook dry-run?)
                  (let ((name (or custom-name (car domains))))
                    (if challenge
                      (append
@@ -114,7 +116,8 @@
                           `("--manual-auth-hook" ,authentication-hook)
                           '())
                       (if cleanup-hook `("--manual-cleanup-hook" ,cleanup-hook) '())
-                      (if deploy-hook `("--deploy-hook" ,deploy-hook) '()))
+                      (if deploy-hook `("--deploy-hook" ,deploy-hook) '())
+                      (if dry-run? '("--dry-run")))
                      (append
                       (list name certbot "certonly" "-n" "--agree-tos"
                             "--webroot" "-w" webroot
@@ -125,7 +128,8 @@
                           '("--register-unsafely-without-email"))
                       (if server `("--server" ,server) '())
                       (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
-                      (if deploy-hook `("--deploy-hook" ,deploy-hook) '()))))))
+                      (if deploy-hook `("--deploy-hook" ,deploy-hook) '())
+                      (if dry-run? '("--dry-run") '()))))))
               certificates)))
        (program-file
         "certbot-command"
--
2.30.2
P
P
Pierre Langlois wrote on 14 Mar 2021 14:22
Re: [PATCH 1/3] services: certbot: Remove deprecated --manual-public-ip-logging-ok.
(address . 47136@debbugs.gnu.org)(name . Pierre Langlois)(address . pierre.langlois@gmx.com)
87ft0xc1ke.fsf@gmx.com
Pierre Langlois writes:

Toggle quote (4 lines)
> The --manual-public-ip-logging-ok flag is now a no-op and was deprecated
> https://github.com/certbot/certbot/pull/8381
>
> * gnu/sevices/certbot.scm (certbot-command): Remove
^
|
Oups, I've got a typo here, fixed locally!

Thanks,
Pierre
-----BEGIN PGP SIGNATURE-----

iQFMBAEBCgA2FiEEctU9gYy29KFyWDdMqPyeRH9PfVQFAmBODhEYHHBpZXJyZS5s
YW5nbG9pc0BnbXguY29tAAoJEKj8nkR/T31UqisIAKyUih266Bl9DjIfLRrx9yMW
ccybgA6Dy9hkl3fcibZ41b1lMS6zOy/3s4wgvMgl6lcsM77xXHjkjThiIXhjuzzj
jxociBeYIcw1iEbq4M01MdcqgqVgfdOAaLT6os6MOvgDed/KJ6XLmDfq8HODW/Aa
2J6fJP2mfRy6oJEQw0hp/tyuoU2iZalfeSTU5MQ5z34yldMEuD8ShPg55QTzJy90
I9M20/qDsCAI+RXNKuXUnB2Kun9KiLxnzrArSxL4IB83dImOL9O92YUaxhE9imOI
vXCTiFPYUlpcN+WIBsOXrNrSqrI4W3d1rryVZA7Rg20fCxhFs/J9yTg9etHm1qA=
=f4Aq
-----END PGP SIGNATURE-----

P
P
Pierre Langlois wrote on 17 Apr 2021 18:51
Re: [PATCH 3/3] services: certbot: Add dry-run? certificate option.
(address . 47136@debbugs.gnu.org)(name . Pierre Langlois)(address . pierre.langlois@gmx.com)
87blacluql.fsf@gmx.com
Hi all,

Friendly ping on this series :-).

Thanks,
Pierre

Pierre Langlois writes:

Toggle quote (19 lines)
> * gnu/services/certbot.scm (certificate-configuration): Add dry-run? field.
> (certbot-command): Use it to pass --dry-run to certbot.
> * doc/guix.texi (Certificate Services): Document dry-run? option.
> ---
> doc/guix.texi | 35 +++++++++++++++++++++++++++++++++++
> gnu/services/certbot.scm | 10 +++++++---
> 2 files changed, 42 insertions(+), 3 deletions(-)
>
> diff --git a/doc/guix.texi b/doc/guix.texi
> index ec449b1772..322c717941 100644
> --- a/doc/guix.texi
> +++ b/doc/guix.texi
> @@ -25665,6 +25665,41 @@ certificates and keys; the shell variable @code{$RENEWED_DOMAINS} will
> contain a space-delimited list of renewed certificate domains (for
> example, @samp{"example.com www.example.com"}.
>
> +@item @code{dry-run?} (default: @code{#f})
> +Communitcate with the ACME server but do not update certificates nor

note-to-self, typo here: Communicate

Toggle quote (78 lines)
> +trigger @code{deploy-hook}. This is useful as a temporary setting to
> +test the challenge procedure, especially the @code{authentication-hook}
> +and @code{cleanup-hook} while working on them. It's also a good idea to
> +use Let's Encrypt's staging server at
> +@url{https://acme-staging-v02.api.letsencrypt.org/directory} while
> +testing, which allows for higher rate limits, but with which
> +@code{certbot} will helpfully refuse to update certificates and
> +recommend the @code{dry-run?} option. For example:
> +
> +@lisp
> +(define %authentication-hook
> + (program-file "authentication-hook"
> + #~(let ((domain (getenv "CERTBOT_DOMAIN"))
> + (token (getenv "CERTBOT_TOKEN")))
> + (format #t "Hey, can you authenticate ~a with ~a for me?"
> + domain token))))
> +
> +(define %cleanup-hook
> + (program-file "authentication-hook"
> + #~(display "Bye")
> +
> +(service certbot-service-type
> + (certbot-configuration
> + (server "https://acme-staging-v02.api.letsencrypt.org/directory")
> + (certificates
> + (list
> + (certificate-configuration
> + (dry-run? #t)
> + (authentication-hook %authentication-hook)
> + (cleanup-hook %cleanup-hook)
> + (domains '("example.net" "www.example.net")))))))
> +@end lisp
> +
> @end table
> @end deftp
>
> diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm
> index 1cea68fc2a..15274cf0ed 100644
> --- a/gnu/services/certbot.scm
> +++ b/gnu/services/certbot.scm
> @@ -61,6 +61,8 @@
> (cleanup-hook certificate-cleanup-hook
> (default #f))
> (deploy-hook certificate-configuration-deploy-hook
> + (default #f))
> + (dry-run? certbot-configuration-dry-run?
> (default #f)))
>
> (define-record-type* <certbot-configuration>
> @@ -96,7 +98,7 @@
> (match-lambda
> (($ <certificate-configuration> custom-name domains challenge
> authentication-hook cleanup-hook
> - deploy-hook)
> + deploy-hook dry-run?)
> (let ((name (or custom-name (car domains))))
> (if challenge
> (append
> @@ -114,7 +116,8 @@
> `("--manual-auth-hook" ,authentication-hook)
> '())
> (if cleanup-hook `("--manual-cleanup-hook" ,cleanup-hook) '())
> - (if deploy-hook `("--deploy-hook" ,deploy-hook) '()))
> + (if deploy-hook `("--deploy-hook" ,deploy-hook) '())
> + (if dry-run? '("--dry-run")))
> (append
> (list name certbot "certonly" "-n" "--agree-tos"
> "--webroot" "-w" webroot
> @@ -125,7 +128,8 @@
> '("--register-unsafely-without-email"))
> (if server `("--server" ,server) '())
> (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
> - (if deploy-hook `("--deploy-hook" ,deploy-hook) '()))))))
> + (if deploy-hook `("--deploy-hook" ,deploy-hook) '())
> + (if dry-run? '("--dry-run") '()))))))
> certificates)))
> (program-file
> "certbot-command"
-----BEGIN PGP SIGNATURE-----

iQFMBAEBCgA2FiEEctU9gYy29KFyWDdMqPyeRH9PfVQFAmB7EiIYHHBpZXJyZS5s
YW5nbG9pc0BnbXguY29tAAoJEKj8nkR/T31URn0H/jzvrCTtinIasaCpaG00f6st
f5BGaNO2gKLeHHf8rze1gKaA7Sb8cG3FxnRDwGfIV97pN4rhPQzDLOFfseLQ//ZE
mQOS5hdCLu88jJVm/FACXg+6K+ZWCaRdmI3IKvWOluRWrpljXUkFL3Id6Pm7I5sV
bSIGkHVkwqbr5njMKRdVOcFZV15SiBVTbl14jh1tHT0/jvncLw7MyLuYypUt0FmO
SYxHoVEz9HAdVCell3gWcO5Qj+sCuJEI3JVV7dPxm3iSStBLv6m95Q1f7l55TCI2
XUK0630vJJdBg1bS6mBvB6JJtaNv/XXXoJUy0dsb9aJvZpMl6/grnamBiFQHTSg=
=b8V1
-----END PGP SIGNATURE-----

L
L
Leo Famulari wrote on 17 Apr 2021 19:38
Re: [bug#47136] [PATCH 3/3] services: certbot: Add dry-run? certificate option.
(name . Pierre Langlois)(address . pierre.langlois@gmx.com)(address . 47136@debbugs.gnu.org)
YHsdItiKkIZK5Rzo@jasmine.lan
On Sat, Apr 17, 2021 at 05:51:46PM +0100, Pierre Langlois wrote:
Toggle quote (4 lines)
> Hi all,
>
> Friendly ping on this series :-).

Just FYI, we are in "string freeze" until Guix 1.2.1 is released. This
means no changes to the manual or other translatable parts of Guix until
then.
P
P
Pierre Langlois wrote on 17 Apr 2021 20:05
(name . Leo Famulari)(address . leo@famulari.name)
878s5glrch.fsf@gmx.com
Hi Leo,

Leo Famulari writes:

Toggle quote (9 lines)
> On Sat, Apr 17, 2021 at 05:51:46PM +0100, Pierre Langlois wrote:
>> Hi all,
>>
>> Friendly ping on this series :-).
>
> Just FYI, we are in "string freeze" until Guix 1.2.1 is released. This
> means no changes to the manual or other translatable parts of Guix until
> then.

Aaah I see, thanks for the info!

Pierre
-----BEGIN PGP SIGNATURE-----

iQFMBAEBCgA2FiEEctU9gYy29KFyWDdMqPyeRH9PfVQFAmB7I08YHHBpZXJyZS5s
YW5nbG9pc0BnbXguY29tAAoJEKj8nkR/T31UBRQIAJTNaHP/E4hZNcnyJzeFRLIA
s0OA2g4V07YBIfFmOCWIX2Bw++pZQAjv/Fg9d+0kqAzMHBlcunm/lRZ/qfl7OSgM
jlYshqicl2xOqZrbzBIHyKOcWS6eH7Or3zmwTmVL4qaCCsThyibo1ij7RdmolhNJ
3nKg8lMOcRXcnf0rafEudE5CGNWOvK9mgWIbZ+uCRQ7GG5l3UNwNGVkqW/CBB4R7
qOL4Sp5W55G1GkwQNy4lRLCwZ7yw2ESDaLKv2+sTT3lBVjHf7EXMwaSSR0Qb4XEp
8ZeqiDF0BpOWwKMRnPoE+/qQX6aJu37S8OS+HH3vZw/MNxibc5iEN9B3mn8m7IY=
=gl9s
-----END PGP SIGNATURE-----

?