--- Begin Message ---
Subject: [PATCH] gnu: certbot: Add support for manual plugin.
Date: Fri, 19 Apr 2019 23:23:20 +0200
* gnu/services/certbot.scm (certificate-configuration): Add challenge,
auth-hook and cleanup-hook fields.
(certbot-command): Use them.
* doc/guix.texi (Certificate Services): Document them.
---
doc/guix.texi | 19 +++++++++++++++++++
gnu/services/certbot.scm | 38 ++++++++++++++++++++++++++++----------
2 files changed, 47 insertions(+), 10 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index 8c7522f286..7bbec33d10 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -19416,6 +19416,25 @@ Its default is the first provided domain.
The first domain provided will be the subject CN of the certificate, and
all domains will be Subject Alternative Names on the certificate.
address@hidden @code{challenge} (default: @code{#f})
+The challenge type that has to be run by certbot. If @code{#f} is specified,
+default to the http challenge. If a value is specified, defaults to the
+manual plugin (see @code{auth-hook} and @code{cleanup-hook}).
+
address@hidden @code{auth-hook} (default: @code{#f})
+Command to be run in a shell once for each certificate challenge to be
+answered. For this command, the shell variable @code{$CERTBOT_DOMAIN}
+will contain the domain being authenticated, @code{$CERTBOT_VALIDATION}
+contains the validation string and @code{$CERTBOT_TOKEN} contains the
+filename of the resource requested when performing an HTTP-01 challenge.
+
address@hidden @code{cleanup-hook} (default: @code{#f})
+Command to be run in a shell once for each certificate challenge that
+have been answered by the @code{auth-hook}. For this command, the shell
+variables available in the @code{auth-hook} script are still available, and
+additionally @code{$CERTBOT_AUTH_OUTPUT} will contain the standard output
+of the @code{auth-hook} script.
+
@item @code{deploy-hook} (default: @code{#f})
Command to be run in a shell once for each successfully issued
certificate. For this command, the shell variable
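Review bot: the `challenge` entry does not say that setting it also drops `--webroot`, so the `webroot` field is silently ignored for that certificate; state that here, together with which values `challenge` accepts (it is passed verbatim to `--preferred-challenges=`). Grammar: "default to the http challenge" should read "defaults to the HTTP-01 challenge", and in the `cleanup-hook` entry "each certificate challenge that have been answered" should read "that has been answered". The `auth-hook` text describes `$CERTBOT_TOKEN` only for HTTP-01; since the whole point of the manual plugin is to support other challenge types, say which variables apply when `challenge` is not HTTP-01, and note that `auth-hook` is required in practice because the command runs with `-n`.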
diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm
index 7565bc97ca..95c39684cf 100644
--- a/gnu/services/certbot.scm
+++ b/gnu/services/certbot.scm
@@ -50,6 +50,12 @@
(default #f))
(domains certificate-configuration-domains
(default '()))
+ (challenge certificate-configuration-challenge
+ (default #f))
+ (auth-hook certificate-auth-hook
+ (default #f))
+ (cleanup-hook certificate-cleanup-hook
+ (default #f))
(deploy-hook certificate-configuration-deploy-hook
(default #f)))
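Review bot: the new accessors `certificate-auth-hook` and `certificate-cleanup-hook` break the naming convention of the neighbouring fields (`certificate-configuration-challenge`, `certificate-configuration-deploy-hook`); rename them to `certificate-configuration-auth-hook` and `certificate-configuration-cleanup-hook` so callers can find them by the record prefix.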
@@ -81,17 +87,29 @@
(commands
(map
(match-lambda
- (($ <certificate-configuration> custom-name domains
- deploy-hook)
+ (($ <certificate-configuration> custom-name domains challenge
+ auth-hook cleanup-hook
deploy-hook)
(let ((name (or custom-name (car domains))))
- (append
- (list name certbot "certonly" "-n" "--agree-tos"
- "-m" email
- "--webroot" "-w" webroot
- "--cert-name" name
- "-d" (string-join domains ","))
- (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
- (if deploy-hook `("--deploy-hook" ,deploy-hook) '())))))
+ (if challenge
+ (append
+ (list name certbot "certonly" "-n" "--agree-tos"
+ "-m" email
+ "--manual"
+ (string-append "--preferred-challenges=" challenge)
+ "--cert-name" name
+ "-d" (string-join domains ","))
+ (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
+ (if auth-hook `("--manual-auth-hook" ,auth-hook) '())
+ (if cleanup-hook `("--manual-cleanup-hook"
,cleanup-hook) '())
+ (if deploy-hook `("--deploy-hook" ,deploy-hook) '()))
+ (append
+ (list name certbot "certonly" "-n" "--agree-tos"
+ "-m" email
+ "--webroot" "-w" webroot
+ "--cert-name" name
+ "-d" (string-join domains ","))
+ (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
+ (if deploy-hook `("--deploy-hook" ,deploy-hook) '()))))))
certificates)))
(program-file
"certbot-command"
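Review bot: missing check in the `(if challenge ...)` branch: when `challenge` is set but `auth-hook` is `#f`, the command becomes `certonly -n --manual --preferred-challenges=...` with no `--manual-auth-hook`, which cannot answer a challenge non-interactively, so the misconfiguration only surfaces when the mcron job runs instead of when the configuration is built; either raise an error from `certbot-command` when `challenge` is given without `auth-hook`, or make the docs say `auth-hook` is mandatory in that case. Style: the two `append` forms duplicate every argument except the plugin selection; build one list and vary only the middle, e.g. `(if challenge (list "--manual" (string-append "--preferred-challenges=" challenge)) (list "--webroot" "-w" webroot))`, then append the hook options once. `challenge` is also spliced into `--preferred-challenges=` unvalidated; restricting it to the values the documentation advertises would catch typos at configuration time.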
--
2.21.0
--- End Message ---
--- Begin Message ---
Subject: Re: [bug#35330] [PATCH] gnu: certbot: Add support for manual plugin.
Date: Thu, 25 Apr 2019 19:48:21 +0200
On Wed, 24 Apr 2019 14:29:12 +0200,
Ludovic Courtès <address@hidden> wrote:
> Hello,
>
> Julien Lepiller <address@hidden> wrote:
>
> > * gnu/services/certbot.scm (certificate-configuration): Add
> > challenge, auth-hook and cleanup-hook fields.
> > (certbot-command): Use them.
> > * doc/guix.texi (Certificate Services): Document them.
>
> Neat!
>
> Nitpick:
>
> - s/http/HTTP/
> - two spaces after end-of-sentence period
> - s/filename/file name/
>
> > address@hidden @code{challenge} (default: @code{#f})
> > +The challenge type that has to be run by certbot. If @code{#f} is
> > specified, +default to the http challenge. If a value is specified,
> > defaults to the +manual plugin (see @code{auth-hook} and
> > @code{cleanup-hook}).
>
> If there’s a stable URL to upstream documentation, perhaps you could
> insert it here.
>
> > address@hidden @code{auth-hook} (default: @code{#f})
>
> Should it be called ‘authentication-hook’?
>
> I’m definitely no expert, but I’d say go for it!
>
> Thanks for working on it!
>
> Ludo’.
Thanks, pushed as b68aff1f05864a589b62afa44665a99e5cf43718.
--- End Message ---