[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[bug#47136] [PATCH 3/3] services: certbot: Add dry-run? certificate opti
|
From: |
Pierre Langlois |
|
Subject: |
[bug#47136] [PATCH 3/3] services: certbot: Add dry-run? certificate option. |
|
Date: |
Sun, 14 Mar 2021 13:15:43 +0000 |
* gnu/services/certbot.scm (certificate-configuration): Add dry-run? field.
(certbot-command): Use it to pass --dry-run to certbot.
* doc/guix.texi (Certificate Services): Document dry-run? option.
---
doc/guix.texi | 35 +++++++++++++++++++++++++++++++++++
gnu/services/certbot.scm | 10 +++++++---
2 files changed, 42 insertions(+), 3 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index ec449b1772..322c717941 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -25665,6 +25665,41 @@ certificates and keys; the shell variable
@code{$RENEWED_DOMAINS} will
contain a space-delimited list of renewed certificate domains (for
example, @samp{"example.com www.example.com"}.
+@item @code{dry-run?} (default: @code{#f})
+Communitcate with the ACME server but do not update certificates nor
+trigger @code{deploy-hook}. This is useful as a temporary setting to
+test the challenge procedure, especially the @code{authentication-hook}
+and @code{cleanup-hook} while working on them. It's also a good idea to
+use Let's Encrypt's staging server at
+@url{https://acme-staging-v02.api.letsencrypt.org/directory} while
+testing, which allows for higher rate limits, but with which
+@code{certbot} will helpfully refuse to update certificates and
+recommend the @code{dry-run?} option. For example:
+
+@lisp
+(define %authentication-hook
+ (program-file "authentication-hook"
+ #~(let ((domain (getenv "CERTBOT_DOMAIN"))
+ (token (getenv "CERTBOT_TOKEN")))
+ (format #t "Hey, can you authenticate ~a with ~a for me?"
+ domain token))))
+
+(define %cleanup-hook
+ (program-file "authentication-hook"
+ #~(display "Bye")
+
+(service certbot-service-type
+ (certbot-configuration
+ (server "https://acme-staging-v02.api.letsencrypt.org/directory";)
+ (certificates
+ (list
+ (certificate-configuration
+ (dry-run? #t)
+ (authentication-hook %authentication-hook)
+ (cleanup-hook %cleanup-hook)
+ (domains '("example.net" "www.example.net")))))))
+@end lisp
+
@end table
@end deftp
diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm
index 1cea68fc2a..15274cf0ed 100644
--- a/gnu/services/certbot.scm
+++ b/gnu/services/certbot.scm
@@ -61,6 +61,8 @@
(cleanup-hook certificate-cleanup-hook
(default #f))
(deploy-hook certificate-configuration-deploy-hook
+ (default #f))
+ (dry-run? certbot-configuration-dry-run?
(default #f)))
(define-record-type* <certbot-configuration>
@@ -96,7 +98,7 @@
(match-lambda
(($ <certificate-configuration> custom-name domains challenge
authentication-hook
cleanup-hook
- deploy-hook)
+ deploy-hook dry-run?)
(let ((name (or custom-name (car domains))))
(if challenge
(append
@@ -114,7 +116,8 @@
`("--manual-auth-hook" ,authentication-hook)
'())
(if cleanup-hook `("--manual-cleanup-hook"
,cleanup-hook) '())
- (if deploy-hook `("--deploy-hook" ,deploy-hook) '()))
+ (if deploy-hook `("--deploy-hook" ,deploy-hook) '())
+ (if dry-run? '("--dry-run")))
(append
(list name certbot "certonly" "-n" "--agree-tos"
"--webroot" "-w" webroot
@@ -125,7 +128,8 @@
'("--register-unsafely-without-email"))
(if server `("--server" ,server) '())
(if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
- (if deploy-hook `("--deploy-hook" ,deploy-hook) '()))))))
+ (if deploy-hook `("--deploy-hook" ,deploy-hook) '())
+ (if dry-run? '("--dry-run") '()))))))
certificates)))
(program-file
"certbot-command"
--
2.30.2