[PATCH v1] services: certbot: Add option to use CSR file.

Raghav Gururajan wrote on 24 Jun 2021 20:51
(address . guix-patches@gnu.org)(name . Raghav Gururajan)(address . rg@raghavgururajan.name)
20210624185111.5959-1-rg@raghavgururajan.name
* gnu/services/certbot.scm (<certificate-configuration>): Add csr field.
(certbot-command): Modify.
* doc/guix.texi (Certificate Services): Document it.
---
doc/guix.texi | 6 ++++++
gnu/services/certbot.scm | 6 +++++-
2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 15e8999447..689d6498a9 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -25934,6 +25934,12 @@ the documentation at @url{https://certbot.eff.org/docs/using.html#hooks}),
and gives Let's Encrypt permission to log the public IP address of the
requesting machine.
+@item @code{csr} (default: @code{#f})
+Path to a Certificate Signing Request (CSR) in DER or PEM format. If @code{#f}
+is specified, this argument will not be passed to certbot. If a value is passed,
+certbot uses it to obtain certificate, instead of using randomly generated
+private-key.
+
@item @code{authentication-hook} (default: @code{#f})
Command to be run in a shell once for each certificate challenge to be
answered. For this command, the shell variable @code{$CERTBOT_DOMAIN}
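Review bot: the last sentence of the new @code{csr} entry is inaccurate. Passing a CSR replaces certbot's own key and CSR generation; it is not a substitute for "a randomly generated private-key", and the private key that matches the CSR is created and kept by the administrator, never by certbot. Suggest: "If a value is specified, certbot uses that CSR to obtain the certificate instead of generating a key and CSR itself; the matching private key must be managed outside certbot." Also "obtain certificate" needs an article, and the entry should state that @code{rsa-key-size} has no effect once a CSR is supplied, since the key is already fixed by the CSR.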
diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm
index 1c67ff63f1..9a3822a679 100644
--- a/gnu/services/certbot.scm
+++ b/gnu/services/certbot.scm
@@ -55,6 +55,8 @@
(default '()))
(challenge certificate-configuration-challenge
(default #f))
+ (csr certificate-configuration-csr
+ (default #f))
(authentication-hook certificate-authentication-hook
(default #f))
(cleanup-hook certificate-cleanup-hook
@@ -95,7 +97,7 @@
(match-lambda
(($ <certificate-configuration> custom-name domains challenge
authentication-hook cleanup-hook
- deploy-hook)
+ deploy-hook csr)
(let ((name (or custom-name (car domains))))
(if challenge
(append
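Review bot: the destructuring pattern is out of step with the record declaration. `($ <certificate-configuration> ...)` binds fields positionally, and the previous hunk inserts `csr` directly after `challenge`, so with `deploy-hook csr` at the end the variable `authentication-hook` receives the CSR value, `cleanup-hook` receives the authentication hook, `deploy-hook` the cleanup hook and `csr` the deploy hook; every hook would be passed to certbot under the wrong flag. Either list the fields in declaration order (`challenge csr authentication-hook cleanup-hook deploy-hook`) or append the new field at the end of the record definition.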
@@ -110,6 +112,7 @@
'("--register-unsafely-without-email"))
(if server `("--server" ,server) '())
(if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
+ (if csr `("--csr" ,csr) '())
(if authentication-hook
`("--manual-auth-hook" ,authentication-hook)
'())
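Review bot: `--csr` and `--rsa-key-size` are emitted together here whenever both are configured, but the key size is ignored by certbot once the key is fixed by the CSR. Consider emitting `--rsa-key-size` only when `csr` is `#f` (the same applies to the webroot branch below) so a configuration cannot silently combine two options of which only one can take effect.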
@@ -125,6 +128,7 @@
'("--register-unsafely-without-email"))
(if server `("--server" ,server) '())
(if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
+ (if csr `("--csr" ,csr) '())
(if deploy-hook `("--deploy-hook" ,deploy-hook) '()))))))
certificates)))
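Review bot: nothing in this branch tells certbot where to write the resulting certificate. With `--csr`, certbot does not create a lineage under /etc/letsencrypt/live/NAME; unless `--cert-path`, `--chain-path` and `--fullchain-path` are given it writes numbered files such as 0000_cert.pem, 0000_chain.pem and 0001_chain.pem in the working directory of the process, so a `--deploy-hook` or web server that expects the usual live/NAME paths will not see the new certificate. Suggest passing explicit output paths when `csr` is set and documenting where the certificate ends up.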
(program-file
--
2.32.0
Raghav Gururajan wrote on 24 Jun 2021 21:18
[PATCH v2] services: certbot: Add option to use CSR file.
(address . 49213@debbugs.gnu.org)(name . Raghav Gururajan)(address . rg@raghavgururajan.name)
20210624191837.6615-1-rg@raghavgururajan.name
* gnu/services/certbot.scm (<certificate-configuration>): Add csr field.
(certbot-command): Modify.
* doc/guix.texi (Certificate Services): Document it.
---
doc/guix.texi | 7 +++++++
gnu/services/certbot.scm | 6 +++++-
2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 15e8999447..fce72a9fb5 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -91,6 +91,7 @@ Copyright @copyright{} 2020 Edgar Vincent@*
Copyright @copyright{} 2021 Maxime Devos@*
Copyright @copyright{} 2021 B. Wilson@*
Copyright @copyright{} 2021 Xinglu Chen@*
+Copyright @copyright{} 2021 Raghav Gururajan@*
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.3 or
@@ -25934,6 +25935,12 @@ the documentation at @url{https://certbot.eff.org/docs/using.html#hooks}),
and gives Let's Encrypt permission to log the public IP address of the
requesting machine.
+@item @code{csr} (default: @code{#f})
+File name of Certificate Signing Request (CSR) in DER or PEM format.
+If @code{#f} is specified, this argument will not be passed to certbot.
+If a value is provided, certbot will use it to obtain a certificate, instead of
+using a randomly-generated CSR.
+
@item @code{authentication-hook} (default: @code{#f})
Command to be run in a shell once for each certificate challenge to be
answered. For this command, the shell variable @code{$CERTBOT_DOMAIN}
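Review bot: "randomly-generated CSR" corrects the v1 wording, but the entry still leaves out what a CSR-based run changes operationally: certbot keeps no renewal configuration for certificates obtained with `--csr`, so re-issuance relies entirely on this service re-running `certonly` on its schedule, and the output files are not placed under /etc/letsencrypt/live/NAME by default. A sentence on where the certificate is written, and a note that the private key belongs to the administrator, would make the option usable without reading certbot's source.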
diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm
index 1c67ff63f1..c73142ca81 100644
--- a/gnu/services/certbot.scm
+++ b/gnu/services/certbot.scm
@@ -55,6 +55,8 @@
(default '()))
(challenge certificate-configuration-challenge
(default #f))
+ (csr certificate-configuration-csr
+ (default #f))
(authentication-hook certificate-authentication-hook
(default #f))
(cleanup-hook certificate-cleanup-hook
@@ -95,7 +97,7 @@
(match-lambda
(($ <certificate-configuration> custom-name domains challenge
authentication-hook cleanup-hook
- deploy-hook)
+ deploy-hook csr)
(let ((name (or custom-name (car domains))))
(if challenge
(append
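Review bot: the positional mismatch from v1 is still here. `csr` is declared right after `challenge` in the record, so in this `($ <certificate-configuration> ...)` pattern the variable `authentication-hook` is bound to the CSR and the three hook variables are each shifted by one field. The pattern must read `challenge csr authentication-hook cleanup-hook deploy-hook`; a test configuration that sets both `csr` and one hook would have exposed the shift.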
@@ -110,6 +112,7 @@
'("--register-unsafely-without-email"))
(if server `("--server" ,server) '())
(if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
+ (if csr `("--csr" ,csr) '())
(if authentication-hook
`("--manual-auth-hook" ,authentication-hook)
'())
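Review bot: `--rsa-key-size` is still emitted alongside `--csr` here and in the webroot branch below; with a CSR the key size is ignored by certbot, so guard the `rsa-key-size` clause on `csr` being `#f`, or document that the field is meaningless in that case.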
@@ -125,6 +128,7 @@
'("--register-unsafely-without-email"))
(if server `("--server" ,server) '())
(if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
+ (if csr `("--csr" ,csr) '())
(if deploy-hook `("--deploy-hook" ,deploy-hook) '()))))))
certificates)))
(program-file
--
2.32.0
Raghav Gururajan wrote on 24 Jun 2021 23:58
[PATCH v3] services: certbot: Add option to use CSR file.
(address . 49213@debbugs.gnu.org)(name . Raghav Gururajan)(address . rg@raghavgururajan.name)
20210624215806.11185-1-rg@raghavgururajan.name
* gnu/services/certbot.scm (<certificate-configuration>): Add csr field.
(certbot-command): Modify.
* doc/guix.texi (Certificate Services): Document it.
---
doc/guix.texi | 9 +++++++++
gnu/services/certbot.scm | 8 ++++++--
2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 15e8999447..560d7af83f 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -91,6 +91,7 @@ Copyright @copyright{} 2020 Edgar Vincent@*
Copyright @copyright{} 2021 Maxime Devos@*
Copyright @copyright{} 2021 B. Wilson@*
Copyright @copyright{} 2021 Xinglu Chen@*
+Copyright @copyright{} 2021 Raghav Gururajan@*
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.3 or
@@ -25934,6 +25935,14 @@ the documentation at @url{https://certbot.eff.org/docs/using.html#hooks}),
and gives Let's Encrypt permission to log the public IP address of the
requesting machine.
+@item @code{csr} (default: @code{#f})
+File name of Certificate Signing Request (CSR) in DER or PEM format.
+If @code{#f} is specified, this argument will not be passed to certbot.
+If a value is specified, certbot will use it to obtain a certificate, instead of
+using a self-generated CSR.
+The domain-name(s) mentioned in @code{domains}, must be consistent with the
+domain-name(s) mentioned in CSR file.
+
@item @code{authentication-hook} (default: @code{#f})
Command to be run in a shell once for each certificate challenge to be
answered. For this command, the shell variable @code{$CERTBOT_DOMAIN}
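Review bot: the comma in "mentioned in @code{domains}, must be consistent" separates subject from verb; drop it. It would also help to say what happens on a mismatch: certbot compares the names in the CSR with those given via `-d` and refuses to proceed when they differ, so the run fails rather than issuing a certificate for unexpected names. Suggest: "The names listed in @code{domains} must match the names in the CSR; certbot aborts if they differ."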
diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm
index 1c67ff63f1..85eff58379 100644
--- a/gnu/services/certbot.scm
+++ b/gnu/services/certbot.scm
@@ -55,6 +55,8 @@
(default '()))
(challenge certificate-configuration-challenge
(default #f))
+ (csr certificate-configuration-csr
+ (default #f))
(authentication-hook certificate-authentication-hook
(default #f))
(cleanup-hook certificate-cleanup-hook
@@ -94,8 +96,8 @@
(map
(match-lambda
(($ <certificate-configuration> custom-name domains challenge
- authentication-hook cleanup-hook
- deploy-hook)
+ csr authentication-hook
+ cleanup-hook deploy-hook)
(let ((name (or custom-name (car domains))))
(if challenge
(append
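Review bot: the pattern now follows declaration order (`challenge csr authentication-hook cleanup-hook deploy-hook`), which fixes the field shift of v1 and v2. Because this `($ ...)` form will silently rebind everything again the next time a field is inserted mid-record, a comment pointing at the record definition, or using the accessor procedures (`certificate-configuration-csr` and friends) instead of positional matching, would make this safer.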
@@ -105,6 +107,7 @@
"--cert-name" name
"--manual-public-ip-logging-ok"
"-d" (string-join domains ","))
+ (if csr `("--csr" ,csr) '())
(if email
`("--email" ,email)
'("--register-unsafely-without-email"))
@@ -120,6 +123,7 @@
"--webroot" "-w" webroot
"--cert-name" name
"-d" (string-join domains ","))
+ (if csr `("--csr" ,csr) '())
(if email
`("--email" ,email)
'("--register-unsafely-without-email"))
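Review bot: moving `--csr` next to `-d` is fine, but the branch still passes no `--cert-path`, `--chain-path` or `--fullchain-path`, so certbot writes 0000_cert.pem, 0000_chain.pem and 0001_chain.pem in the working directory instead of under /etc/letsencrypt/live/NAME, and the `--rsa-key-size` argument emitted a few lines further down (visible in the v1 hunks) is ignored when a CSR is given. Both points apply to the manual branch above as well.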
--
2.32.0
Raghav Gururajan wrote on 24 Jun 2021 23:59
[PATCH v4] services: certbot: Add option to use CSR file.
(address . 49213@debbugs.gnu.org)(name . Raghav Gururajan)(address . rg@raghavgururajan.name)
20210624215954.11287-1-rg@raghavgururajan.name
* gnu/services/certbot.scm (<certificate-configuration>): Add csr field.
(certbot-command): Modify.
* doc/guix.texi (Certificate Services): Document it.
---
doc/guix.texi | 9 +++++++++
gnu/services/certbot.scm | 9 +++++++--
2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 15e8999447..560d7af83f 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -91,6 +91,7 @@ Copyright @copyright{} 2020 Edgar Vincent@*
Copyright @copyright{} 2021 Maxime Devos@*
Copyright @copyright{} 2021 B. Wilson@*
Copyright @copyright{} 2021 Xinglu Chen@*
+Copyright @copyright{} 2021 Raghav Gururajan@*
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.3 or
@@ -25934,6 +25935,14 @@ the documentation at @url{https://certbot.eff.org/docs/using.html#hooks}),
and gives Let's Encrypt permission to log the public IP address of the
requesting machine.
+@item @code{csr} (default: @code{#f})
+File name of Certificate Signing Request (CSR) in DER or PEM format.
+If @code{#f} is specified, this argument will not be passed to certbot.
+If a value is specified, certbot will use it to obtain a certificate, instead of
+using a self-generated CSR.
+The domain-name(s) mentioned in @code{domains}, must be consistent with the
+domain-name(s) mentioned in CSR file.
+
@item @code{authentication-hook} (default: @code{#f})
Command to be run in a shell once for each certificate challenge to be
answered. For this command, the shell variable @code{$CERTBOT_DOMAIN}
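Review bot: the stray comma after @code{domains} is still there ("mentioned in @code{domains}, must be consistent"), and "consistent with" is vaguer than what certbot enforces: it aborts when the `-d` names and the CSR names differ. Suggest "The names listed in @code{domains} must match the names in the CSR; certbot aborts if they differ."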
diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm
index 1c67ff63f1..46b5abd2ef 100644
--- a/gnu/services/certbot.scm
+++ b/gnu/services/certbot.scm
@@ -5,6 +5,7 @@
;;; Copyright © 2019 Julien Lepiller <julien@lepiller.eu>
;;; Copyright © 2020 Jack Hill <jackhill@jackhill.us>
;;; Copyright © 2020 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright © 2021 Raghav Gururajan <rg@raghavgururajan.name>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -55,6 +56,8 @@
(default '()))
(challenge certificate-configuration-challenge
(default #f))
+ (csr certificate-configuration-csr
+ (default #f))
(authentication-hook certificate-authentication-hook
(default #f))
(cleanup-hook certificate-cleanup-hook
@@ -94,8 +97,8 @@
(map
(match-lambda
(($ <certificate-configuration> custom-name domains challenge
- authentication-hook cleanup-hook
- deploy-hook)
+ csr authentication-hook
+ cleanup-hook deploy-hook)
(let ((name (or custom-name (car domains))))
(if challenge
(append
@@ -105,6 +108,7 @@
"--cert-name" name
"--manual-public-ip-logging-ok"
"-d" (string-join domains ","))
+ (if csr `("--csr" ,csr) '())
(if email
`("--email" ,email)
'("--register-unsafely-without-email"))
@@ -120,6 +124,7 @@
"--webroot" "-w" webroot
"--cert-name" name
"-d" (string-join domains ","))
+ (if csr `("--csr" ,csr) '())
(if email
`("--email" ,email)
'("--register-unsafely-without-email"))
--
2.32.0
Raghav Gururajan wrote on 25 Jun 2021 00:20
[PATCH v5] services: certbot: Add option to use CSR file.
(address . 49213@debbugs.gnu.org)(name . Raghav Gururajan)(address . rg@raghavgururajan.name)
20210624222017.11844-1-rg@raghavgururajan.name
* gnu/services/certbot.scm (<certificate-configuration>): Add csr field.
(certbot-command): Modify.
* doc/guix.texi (Certificate Services): Document it.
---
doc/guix.texi | 9 +++++++++
gnu/services/certbot.scm | 9 +++++++--
2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 15e8999447..560d7af83f 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -91,6 +91,7 @@ Copyright @copyright{} 2020 Edgar Vincent@*
Copyright @copyright{} 2021 Maxime Devos@*
Copyright @copyright{} 2021 B. Wilson@*
Copyright @copyright{} 2021 Xinglu Chen@*
+Copyright @copyright{} 2021 Raghav Gururajan@*
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.3 or
@@ -25934,6 +25935,14 @@ the documentation at @url{https://certbot.eff.org/docs/using.html#hooks}),
and gives Let's Encrypt permission to log the public IP address of the
requesting machine.
+@item @code{csr} (default: @code{#f})
+File name of Certificate Signing Request (CSR) in DER or PEM format.
+If @code{#f} is specified, this argument will not be passed to certbot.
+If a value is specified, certbot will use it to obtain a certificate, instead of
+using a self-generated CSR.
+The domain-name(s) mentioned in @code{domains}, must be consistent with the
+domain-name(s) mentioned in CSR file.
+
@item @code{authentication-hook} (default: @code{#f})
Command to be run in a shell once for each certificate challenge to be
answered. For this command, the shell variable @code{$CERTBOT_DOMAIN}
diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm
index 1c67ff63f1..1c819bef48 100644
--- a/gnu/services/certbot.scm
+++ b/gnu/services/certbot.scm
@@ -5,6 +5,7 @@
;;; Copyright © 2019 Julien Lepiller <julien@lepiller.eu>
;;; Copyright © 2020 Jack Hill <jackhill@jackhill.us>
;;; Copyright © 2020 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright © 2021 Raghav Gururajan <rg@raghavgururajan.name>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -55,6 +56,8 @@
(default '()))
(challenge certificate-configuration-challenge
(default #f))
+ (csr certificate-configuration-csr
+ (default #f))
(authentication-hook certificate-authentication-hook
(default #f))
(cleanup-hook certificate-cleanup-hook
@@ -94,8 +97,8 @@
(map
(match-lambda
(($ <certificate-configuration> custom-name domains challenge
- authentication-hook cleanup-hook
- deploy-hook)
+ csr authentication-hook
+ cleanup-hook deploy-hook)
(let ((name (or custom-name (car domains))))
(if challenge
(append
@@ -105,6 +108,7 @@
"--cert-name" name
"--manual-public-ip-logging-ok"
"-d" (string-join domains ","))
+ (if csr `("--csr" ,csr) '())
(if email
`("--email" ,email)
'("--register-unsafely-without-email"))
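Review bot: as in v3 and v4, `--csr` is emitted without `--cert-path`, `--chain-path` or `--fullchain-path`, so certbot's default output for CSR mode (numbered 0000_cert.pem, 0000_chain.pem and 0001_chain.pem files in the working directory) applies rather than the /etc/letsencrypt/live/NAME layout the rest of the service and any `--deploy-hook` assume. Since this is the version being pushed, please either pass explicit output paths when `csr` is set or document the different location in the manual entry.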
@@ -120,6 +124,7 @@
"--webroot" "-w" webroot
"--cert-name" name
"-d" (string-join domains ","))
+ (if csr `("--csr" ,csr) '())
(if email
`("--email" ,email)
'("--register-unsafely-without-email"))
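Review bot: the webroot branch has the same gap: `--rsa-key-size` is still emitted further down this branch (visible in the v1 hunks) even when `csr` is set, although certbot ignores the key size when the key is fixed by the CSR; guarding that clause on `csr` being `#f` would keep the generated command honest.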
--
2.32.0
Raghav Gururajan wrote on 25 Jun 2021 00:39
(no subject)
(address . 49213-done@debbugs.gnu.org)
89e4c119-8ad6-37a1-eb78-ada163945593@raghavgururajan.name
Pushed as 1bf1226a4f.
Closed
Maxime Devos wrote on 30 Jun 2021 21:56
bcda00d490bfbc0ba5b9561d76f728eb58b62e09.camel@telenet.be
Raghav Gururajan via Guix-patches via wrote on Thu 24-06-2021 at 18:39 [-0400]:
> Pushed as 1bf1226a4f.

Hi,

Do I understand correctly that this patch series
was pushed a day after it was sent? AFAIK the series is good
though I don't know anything about CSR, but, as the guix manual notes:

For anything else, please post to <guix-patches@gnu.org> and leave
time for a review, without committing anything (*note Submitting
Patches::). If you didn’t receive any reply after two weeks, and if
you’re confident, it’s OK to commit.

One day seems a lot less than two weeks, and I haven't seen
a reply. Did I miss any replies, or was it ‘replied’ to on IRC,
or ...?

TBF, the manual also notes

That last part is subject to being adjusted, allowing individuals to
commit directly on non-controversial changes on parts they’re familiar
with.

which might or might not apply.

Greetings,
Maxime.
Raghav Gururajan wrote on 30 Jun 2021 22:16
2d217a4c-13c3-6bbd-cbd4-1b156d16d911@raghavgururajan.name
Hi Maxime!

> One day seems a lot less than two weeks, and I haven't seen
> a reply. Did I miss any replies, or was it ‘replied’ to on IRC,
> or ...?

Sorry about that. I was interacting with Tobias in IRC about this patch
that day (https://logs.guix.gnu.org/guix/2021-06-25.log). After some
corrections, I was confident about the patch with testing and I
pushed it. That said, I'll leave the future threads for more time
despite discussing on IRC. :)

Regards,
RG.
Jonathan Brielmaier wrote on 30 Jun 2021 22:20
(address . guix-patches@gnu.org)
610a5483-6387-e66b-f476-e3ed89de2643@web.de
On 30.06.21 22:16, Raghav Gururajan via Guix-patches via wrote:
> Hi Maxime!
>
>> One day seems a lot less than two weeks, and I haven't seen
>> a reply. Did I miss any replies, or was it ‘replied’ to on IRC,
>> or ...?
>
> Sorry about that. I was interacting with Tobias in IRC about this patch
> that day (https://logs.guix.gnu.org/guix/2021-06-25.log). After some
> corrections, I was confident about the patch with testing and I
> pushed it. That said, I'll leave the future threads for more time
> despite discussing on IRC. :)

In that case I think it's not really necessary to leave the patch longer
on the mailing list. Instead you could add something like "reviewed
together with XY in IRC" to your closing email :)
Maxime Devos wrote on 1 Jul 2021 10:05
Re: [bug#49213] (no subject)
aa0078710c41522a814549b91ad4f1828ca3c426.camel@telenet.be
Jonathan Brielmaier wrote on Wed 30-06-2021 at 22:20 [+0200]:
> On 30.06.21 22:16, Raghav Gururajan via Guix-patches via wrote:
> > Hi Maxime!
> > Sorry about that. I was interacting with Tobias in IRC about this patch
> > that day (https://logs.guix.gnu.org/guix/2021-06-25.log). After some
> > corrections, I was confident about the patch with testing and I
> > pushed it. That said, I'll leave the future threads for more time
> > despite discussing on IRC. :)
>
> In that case I think it's not really necessary to leave the patch longer
> on the mailing list. Instead you could add something like "reviewed
> together with XY in IRC" to your closing email :)

Yes, agreed on both points.

Greetings,
Maxime.