[PATCH 0/3] services: certbot: Add dry-run? option and a couple of other minor fixes.

2 participants
  • Leo Famulari
  • Pierre Langlois
Owner
unassigned
Submitted by
Pierre Langlois
Severity
normal
Pierre Langlois wrote on 14 Mar 2021 14:08
(name . Guix-patches)(address . guix-patches@gnu.org)
87k0q9c28e.fsf@gmx.com
Hi Guix!

I was recently updating my certbot definition to use a manual DNS
challenge, and I found using the Let's Encrypt staging server along with
the --dry-run option to be really useful. Especially given it can take a
few attempts to correctly build your own hooks.

So I've added the option to set dry-run? in the certificate
configuration, let me know what you think! I've also included a couple
of patches in the series for minor fixes, removing a now deprecated flag
and a small fix in the docs.

Thanks,
Pierre

Pierre Langlois (3):
services: certbot: Remove deprecated --manual-public-ip-logging-ok.
services: certbot: Refer to authentication-hook in documentation.
services: certbot: Add dry-run? certificate option.

doc/guix.texi | 43 ++++++++++++++++++++++++++++++++++++----
gnu/services/certbot.scm | 12 +++++++----
2 files changed, 47 insertions(+), 8 deletions(-)

--
2.30.2

Pierre Langlois wrote on 14 Mar 2021 14:15
[PATCH 1/3] services: certbot: Remove deprecated --manual-public-ip-logging-ok.
(address . 47136@debbugs.gnu.org)(name . Pierre Langlois)(address . pierre.langlois@gmx.com)
20210314131543.9310-1-pierre.langlois@gmx.com
The --manual-public-ip-logging-ok flag is now a no-op and was deprecated

* gnu/sevices/certbot.scm (certbot-command): Remove
--manual-public-ip-logging-ok when doing a manual challenge.
---
gnu/services/certbot.scm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm
index 1c67ff63f1..1cea68fc2a 100644
--- a/gnu/services/certbot.scm
+++ b/gnu/services/certbot.scm
@@ -5,6 +5,7 @@
;;; Copyright © 2019 Julien Lepiller <julien@lepiller.eu>
;;; Copyright © 2020 Jack Hill <jackhill@jackhill.us>
;;; Copyright © 2020 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright © 2021 Pierre Langlois <pierre.langlois@gmx.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -103,7 +104,6 @@
"--manual"
(string-append "--preferred-challenges=" challenge)
"--cert-name" name
- "--manual-public-ip-logging-ok"
"-d" (string-join domains ","))
(if email
`("--email" ,email)
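Review bot: Dropping --manual-public-ip-logging-ok is fine once certbot treats it as a no-op, but the commit message should name the certbot version that made it so, since the service runs certbot non-interactively ("-n", as in the certonly invocation visible in patch 3): on an older certbot that still expects the consent flag, a manual-challenge run would abort instead of prompting. The first line of the commit message also ends at "was deprecated" without the upstream reference it appears to introduce.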
--
2.30.2
Pierre Langlois wrote on 14 Mar 2021 14:15
[PATCH 2/3] services: certbot: Refer to authentication-hook in documentation.
(address . 47136@debbugs.gnu.org)(name . Pierre Langlois)(address . pierre.langlois@gmx.com)
20210314131543.9310-2-pierre.langlois@gmx.com
* doc/guix.texi (Certificate Services): Refer to non-abbreviated
authentication-hook instead of auth-hook.
---
doc/guix.texi | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 4cf241c56a..ec449b1772 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -25651,10 +25651,10 @@ file name of the resource requested when performing an HTTP-01 challenge.

@item @code{cleanup-hook} (default: @code{#f})
Command to be run in a shell once for each certificate challenge that
-have been answered by the @code{auth-hook}. For this command, the shell
-variables available in the @code{auth-hook} script are still available, and
-additionally @code{$CERTBOT_AUTH_OUTPUT} will contain the standard output
-of the @code{auth-hook} script.
+have been answered by the @code{authentication-hook}. For this command,
+the shell variables available in the @code{authentication-hook} script
+are still available, and additionally @code{$CERTBOT_AUTH_OUTPUT} will
+contain the standard output of the @code{authentication-hook} script.

@item @code{deploy-hook} (default: @code{#f})
Command to be run in a shell once for each successfully issued
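Review bot: While rewrapping this paragraph, fix the agreement on the first changed line as well: "each certificate challenge that have been answered" should read "that has been answered". The rename itself is correct; authentication-hook is the field name used by the certificate-configuration record, so the manual now matches the code.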
--
2.30.2
Pierre Langlois wrote on 14 Mar 2021 14:15
[PATCH 3/3] services: certbot: Add dry-run? certificate option.
(address . 47136@debbugs.gnu.org)(name . Pierre Langlois)(address . pierre.langlois@gmx.com)
20210314131543.9310-3-pierre.langlois@gmx.com
* gnu/services/certbot.scm (certificate-configuration): Add dry-run? field.
(certbot-command): Use it to pass --dry-run to certbot.
* doc/guix.texi (Certificate Services): Document dry-run? option.
---
doc/guix.texi | 35 +++++++++++++++++++++++++++++++++++
gnu/services/certbot.scm | 10 +++++++---
2 files changed, 42 insertions(+), 3 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index ec449b1772..322c717941 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -25665,6 +25665,41 @@ certificates and keys; the shell variable @code{$RENEWED_DOMAINS} will
contain a space-delimited list of renewed certificate domains (for
example, @samp{"example.com www.example.com"}.

+@item @code{dry-run?} (default: @code{#f})
+Communitcate with the ACME server but do not update certificates nor
+trigger @code{deploy-hook}. This is useful as a temporary setting to
+test the challenge procedure, especially the @code{authentication-hook}
+and @code{cleanup-hook} while working on them. It's also a good idea to
+use Let's Encrypt's staging server at
+@url{https://acme-staging-v02.api.letsencrypt.org/directory} while
+testing, which allows for higher rate limits, but with which
+@code{certbot} will helpfully refuse to update certificates and
+recommend the @code{dry-run?} option. For example:
+
+@lisp
+(define %authentication-hook
+ (program-file "authentication-hook"
+ #~(let ((domain (getenv "CERTBOT_DOMAIN"))
+ (token (getenv "CERTBOT_TOKEN")))
+ (format #t "Hey, can you authenticate ~a with ~a for me?"
+ domain token))))
+
+(define %cleanup-hook
+ (program-file "authentication-hook"
+ #~(display "Bye")
+
+(service certbot-service-type
+ (certbot-configuration
+ (server "https://acme-staging-v02.api.letsencrypt.org/directory")
+ (certificates
+ (list
+ (certificate-configuration
+ (dry-run? #t)
+ (authentication-hook %authentication-hook)
+ (cleanup-hook %cleanup-hook)
+ (domains '("example.net" "www.example.net")))))))
+@end lisp
+
@end table
@end deftp
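Review bot: The @lisp example will not read as written: the %cleanup-hook definition is missing two closing parentheses after #~(display "Bye"), and its program-file is named "authentication-hook" rather than "cleanup-hook", so both hooks would be built under the same name. Suggested form: (define %cleanup-hook (program-file "cleanup-hook" #~(display "Bye"))). Also "Communitcate" on the first added line should be "Communicate" (the author flags this later in the thread).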

diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm
index 1cea68fc2a..15274cf0ed 100644
--- a/gnu/services/certbot.scm
+++ b/gnu/services/certbot.scm
@@ -61,6 +61,8 @@
(cleanup-hook certificate-cleanup-hook
(default #f))
(deploy-hook certificate-configuration-deploy-hook
+ (default #f))
+ (dry-run? certbot-configuration-dry-run?
(default #f)))

(define-record-type* <certbot-configuration>
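Review bot: The new accessor certbot-configuration-dry-run? is misnamed for a field of <certificate-configuration>; call it certificate-configuration-dry-run? to match certificate-configuration-deploy-hook on the line above, and to keep the certbot-configuration- prefix free for the <certbot-configuration> record defined directly below this hunk.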
@@ -96,7 +98,7 @@
(match-lambda
(($ <certificate-configuration> custom-name domains challenge
authentication-hook cleanup-hook
- deploy-hook)
+ deploy-hook dry-run?)
(let ((name (or custom-name (car domains))))
(if challenge
(append
@@ -114,7 +116,8 @@
`("--manual-auth-hook" ,authentication-hook)
'())
(if cleanup-hook `("--manual-cleanup-hook" ,cleanup-hook) '())
- (if deploy-hook `("--deploy-hook" ,deploy-hook) '()))
+ (if deploy-hook `("--deploy-hook" ,deploy-hook) '())
+ (if dry-run? '("--dry-run")))
(append
(list name certbot "certonly" "-n" "--agree-tos"
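Review bot: (if dry-run? '("--dry-run"))) on the manual-challenge branch lacks the '() alternative that the webroot branch in the next hunk has. When dry-run? is #f the if yields an unspecified value, and because it is the last argument of append it becomes an improper tail of the argument list instead of contributing nothing. Use (if dry-run? '("--dry-run") '()) here as well.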
"--webroot" "-w" webroot
@@ -125,7 +128,8 @@
'("--register-unsafely-without-email"))
(if server `("--server" ,server) '())
(if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
- (if deploy-hook `("--deploy-hook" ,deploy-hook) '()))))))
+ (if deploy-hook `("--deploy-hook" ,deploy-hook) '())
+ (if dry-run? '("--dry-run") '()))))))
certificates)))
(program-file
"certbot-command"
--
2.30.2
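As an added example, not code from this patch series or from Guix: the cover letter notes that it can take a few attempts to get manual-challenge hooks right, and the manual text in patches 2 and 3 spells out the contract certbot uses, namely CERTBOT_DOMAIN and CERTBOT_TOKEN in the authentication hook's environment and the hook's standard output handed to the cleanup hook as CERTBOT_AUTH_OUTPUT. The script below replays that sequence locally so a hook pair can be checked for leftover records before it is run against the staging server with dry-run? set. The hook bodies, the stand-in zone file and the sample domains and tokens are constructed for illustration and are not part of the patch.

```shell
#!/bin/sh
# Added example, not code from the Guix patch series: drive a manual-challenge
# authentication hook and cleanup hook locally, using the environment
# variables the manual text in this series describes (CERTBOT_DOMAIN,
# CERTBOT_TOKEN, CERTBOT_AUTH_OUTPUT), before handing them to certbot with
# the staging server and --dry-run. The hook bodies, the stand-in zone file
# and the sample domain and token values are constructed for illustration.
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
AUTH_HOOK="$WORKDIR/authentication-hook"
CLEANUP_HOOK="$WORKDIR/cleanup-hook"
# Stand-in for the DNS zone: one line per TXT record the hook "published".
STATE_FILE="$WORKDIR/published-records"
export STATE_FILE
: > "$STATE_FILE"

# Authentication hook: publishes the challenge record (here, appends it to the
# stand-in zone file) and prints a handle on stdout. certbot captures that
# stdout and passes it to the cleanup hook as $CERTBOT_AUTH_OUTPUT.
cat > "$AUTH_HOOK" <<'EOF'
#!/bin/sh
set -eu
: "${CERTBOT_DOMAIN:?not set}" "${CERTBOT_TOKEN:?not set}"
record="_acme-challenge.$CERTBOT_DOMAIN"
printf '%s %s\n' "$record" "$CERTBOT_TOKEN" >> "$STATE_FILE"
printf '%s\n' "$record"
EOF

# Cleanup hook: removes exactly the record the authentication hook reported,
# and nothing else, so a failed or dry run leaves no stray TXT records behind.
cat > "$CLEANUP_HOOK" <<'EOF'
#!/bin/sh
set -eu
: "${CERTBOT_DOMAIN:?not set}" "${CERTBOT_AUTH_OUTPUT:?not set}"
grep -v "^$CERTBOT_AUTH_OUTPUT " "$STATE_FILE" > "$STATE_FILE.new" || true
mv "$STATE_FILE.new" "$STATE_FILE"
EOF
chmod +x "$AUTH_HOOK" "$CLEANUP_HOOK"

# Replay certbot's hook sequence for one domain: run the auth hook with the
# challenge variables set and its stdout captured, then run the cleanup hook
# with that output in CERTBOT_AUTH_OUTPUT. Prints the auth hook's output so
# the caller can check it.
run_challenge() {
    domain="$1"
    token="$2"
    auth_output="$(CERTBOT_DOMAIN="$domain" CERTBOT_TOKEN="$token" "$AUTH_HOOK")"
    CERTBOT_DOMAIN="$domain" CERTBOT_AUTH_OUTPUT="$auth_output" "$CLEANUP_HOOK"
    printf '%s\n' "$auth_output"
}

# Records still "published" after cleanup; a correct hook pair leaves zero.
published_records() {
    wc -l < "$STATE_FILE" | tr -d ' '
}

# Constructed sample data: the tokens are not real ACME values.
run_challenge example.net sample-token-0001
run_challenge www.example.net sample-token-0002
echo "records left after cleanup: $(published_records)"
```

Run it as a script; once both hooks behave here, the same files can be referenced from authentication-hook and cleanup-hook in a certificate-configuration with server pointing at the staging directory and dry-run? set to #t, as the documentation in patch 3 shows, and only then switched to the production server.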
Pierre Langlois wrote on 14 Mar 2021 14:22
Re: [PATCH 1/3] services: certbot: Remove deprecated --manual-public-ip-logging-ok.
(address . 47136@debbugs.gnu.org)(name . Pierre Langlois)(address . pierre.langlois@gmx.com)
87ft0xc1ke.fsf@gmx.com
Pierre Langlois writes:

> The --manual-public-ip-logging-ok flag is now a no-op and was deprecated
> https://github.com/certbot/certbot/pull/8381
>
> * gnu/sevices/certbot.scm (certbot-command): Remove
^
|
Oops, I've got a typo here, fixed locally!

Thanks,
Pierre

Pierre Langlois wrote on 17 Apr 2021 18:51
Re: [PATCH 3/3] services: certbot: Add dry-run? certificate option.
(address . 47136@debbugs.gnu.org)(name . Pierre Langlois)(address . pierre.langlois@gmx.com)
87blacluql.fsf@gmx.com
Hi all,

Friendly ping on this series :-).

Thanks,
Pierre

Pierre Langlois writes:

> * gnu/services/certbot.scm (certificate-configuration): Add dry-run? field.
> (certbot-command): Use it to pass --dry-run to certbot.
> * doc/guix.texi (Certificate Services): Document dry-run? option.
> ---
> doc/guix.texi | 35 +++++++++++++++++++++++++++++++++++
> gnu/services/certbot.scm | 10 +++++++---
> 2 files changed, 42 insertions(+), 3 deletions(-)
>
> diff --git a/doc/guix.texi b/doc/guix.texi
> index ec449b1772..322c717941 100644
> --- a/doc/guix.texi
> +++ b/doc/guix.texi
> @@ -25665,6 +25665,41 @@ certificates and keys; the shell variable @code{$RENEWED_DOMAINS} will
> contain a space-delimited list of renewed certificate domains (for
> example, @samp{"example.com www.example.com"}.
>
> +@item @code{dry-run?} (default: @code{#f})
> +Communitcate with the ACME server but do not update certificates nor

note-to-self, typo here: Communicate

> +trigger @code{deploy-hook}. This is useful as a temporary setting to
> +test the challenge procedure, especially the @code{authentication-hook}
> +and @code{cleanup-hook} while working on them. It's also a good idea to
> +use Let's Encrypt's staging server at
> +@url{https://acme-staging-v02.api.letsencrypt.org/directory} while
> +testing, which allows for higher rate limits, but with which
> +@code{certbot} will helpfully refuse to update certificates and
> +recommend the @code{dry-run?} option. For example:
> +
> +@lisp
> +(define %authentication-hook
> + (program-file "authentication-hook"
> + #~(let ((domain (getenv "CERTBOT_DOMAIN"))
> + (token (getenv "CERTBOT_TOKEN")))
> + (format #t "Hey, can you authenticate ~a with ~a for me?"
> + domain token))))
> +
> +(define %cleanup-hook
> + (program-file "authentication-hook"
> + #~(display "Bye")
> +
> +(service certbot-service-type
> + (certbot-configuration
> + (server "https://acme-staging-v02.api.letsencrypt.org/directory")
> + (certificates
> + (list
> + (certificate-configuration
> + (dry-run? #t)
> + (authentication-hook %authentication-hook)
> + (cleanup-hook %cleanup-hook)
> + (domains '("example.net" "www.example.net")))))))
> +@end lisp
> +
> @end table
> @end deftp
>
> diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm
> index 1cea68fc2a..15274cf0ed 100644
> --- a/gnu/services/certbot.scm
> +++ b/gnu/services/certbot.scm
> @@ -61,6 +61,8 @@
> (cleanup-hook certificate-cleanup-hook
> (default #f))
> (deploy-hook certificate-configuration-deploy-hook
> + (default #f))
> + (dry-run? certbot-configuration-dry-run?
> (default #f)))
>
> (define-record-type* <certbot-configuration>
> @@ -96,7 +98,7 @@
> (match-lambda
> (($ <certificate-configuration> custom-name domains challenge
> authentication-hook cleanup-hook
> - deploy-hook)
> + deploy-hook dry-run?)
> (let ((name (or custom-name (car domains))))
> (if challenge
> (append
> @@ -114,7 +116,8 @@
> `("--manual-auth-hook" ,authentication-hook)
> '())
> (if cleanup-hook `("--manual-cleanup-hook" ,cleanup-hook) '())
> - (if deploy-hook `("--deploy-hook" ,deploy-hook) '()))
> + (if deploy-hook `("--deploy-hook" ,deploy-hook) '())
> + (if dry-run? '("--dry-run")))
> (append
> (list name certbot "certonly" "-n" "--agree-tos"
> "--webroot" "-w" webroot
> @@ -125,7 +128,8 @@
> '("--register-unsafely-without-email"))
> (if server `("--server" ,server) '())
> (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
> - (if deploy-hook `("--deploy-hook" ,deploy-hook) '()))))))
> + (if deploy-hook `("--deploy-hook" ,deploy-hook) '())
> + (if dry-run? '("--dry-run") '()))))))
> certificates)))
> (program-file
> "certbot-command"

Leo Famulari wrote on 17 Apr 2021 19:38
Re: [bug#47136] [PATCH 3/3] services: certbot: Add dry-run? certificate option.
(name . Pierre Langlois)(address . pierre.langlois@gmx.com)(address . 47136@debbugs.gnu.org)
YHsdItiKkIZK5Rzo@jasmine.lan
On Sat, Apr 17, 2021 at 05:51:46PM +0100, Pierre Langlois wrote:
> Hi all,
>
> Friendly ping on this series :-).

Just FYI, we are in "string freeze" until Guix 1.2.1 is released. This
means no changes to the manual or other translatable parts of Guix until
then.
Pierre Langlois wrote on 17 Apr 2021 20:05
(name . Leo Famulari)(address . leo@famulari.name)
878s5glrch.fsf@gmx.com
Hi Leo,

Leo Famulari writes:

> On Sat, Apr 17, 2021 at 05:51:46PM +0100, Pierre Langlois wrote:
>> Hi all,
>>
>> Friendly ping on this series :-).
>
> Just FYI, we are in "string freeze" until Guix 1.2.1 is released. This
> means no changes to the manual or other translatable parts of Guix until
> then.

Aaah I see, thanks for the info!

Pierre
