* gnu/services/certbot.scm (certificate-configuration): Add dry-run? field.
(certbot-command): Use it to pass --dry-run to certbot.
* doc/guix.texi (Certificate Services): Document dry-run? option.
doc/guix.texi | 35 +++++++++++++++++++++++++++++++++++
gnu/services/certbot.scm | 10 +++++++---
2 files changed, 42 insertions(+), 3 deletions(-)
Toggle diff (88 lines)
diff --git a/doc/guix.texi b/doc/guix.texi
index ec449b1772..322c717941 100644
@@ -25665,6 +25665,41 @@ certificates and keys; the shell variable @code{$RENEWED_DOMAINS} will
contain a space-delimited list of renewed certificate domains (for
example, @samp{"example.com www.example.com"}.
+@item @code{dry-run?} (default: @code{#f})
+Communitcate with the ACME server but do not update certificates nor
+trigger @code{deploy-hook}. This is useful as a temporary setting to
+test the challenge procedure, especially the @code{authentication-hook}
+and @code{cleanup-hook} while working on them. It's also a good idea to
+use Let's Encrypt's staging server at
+@url{https://acme-staging-v02.api.letsencrypt.org/directory} while
+testing, which allows for higher rate limits, but with which
+@code{certbot} will helpfully refuse to update certificates and
+recommend the @code{dry-run?} option. For example:
+(define %authentication-hook
+ (program-file "authentication-hook"
+ #~(let ((domain (getenv "CERTBOT_DOMAIN"))
+ (token (getenv "CERTBOT_TOKEN")))
+ (format #t "Hey, can you authenticate ~a with ~a for me?"
+ (program-file "authentication-hook"
+(service certbot-service-type
+ (server "https://acme-staging-v02.api.letsencrypt.org/directory")
+ (certificate-configuration
+ (authentication-hook %authentication-hook)
+ (cleanup-hook %cleanup-hook)
+ (domains '("example.net" "www.example.net")))))))
diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm
index 1cea68fc2a..15274cf0ed 100644
--- a/gnu/services/certbot.scm
+++ b/gnu/services/certbot.scm
(cleanup-hook certificate-cleanup-hook
(deploy-hook certificate-configuration-deploy-hook
+ (dry-run? certbot-configuration-dry-run?
(define-record-type* <certbot-configuration>
(($ <certificate-configuration> custom-name domains challenge
authentication-hook cleanup-hook
(let ((name (or custom-name (car domains))))
`("--manual-auth-hook" ,authentication-hook)
(if cleanup-hook `("--manual-cleanup-hook" ,cleanup-hook) '())
- (if deploy-hook `("--deploy-hook" ,deploy-hook) '()))
+ (if deploy-hook `("--deploy-hook" ,deploy-hook) '())
+ (if dry-run? '("--dry-run")))
(list name certbot "certonly" "-n" "--agree-tos"
'("--register-unsafely-without-email"))
(if server `("--server" ,server) '())
(if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
- (if deploy-hook `("--deploy-hook" ,deploy-hook) '()))))))
+ (if deploy-hook `("--deploy-hook" ,deploy-hook) '())
+ (if dry-run? '("--dry-run") '()))))))