Re: bug#46961: [PATCH v2 0/4] Make certbot play more nicely with nginx

[Carlo Zancanaro]

Apologies for the line breaks my earlier email. I'm not entirely sure
what happened, but hopefully they'll come through properly this time.

On Fri, Apr 12 2024, Felix Lechner wrote:
> To my surprise OpenSSL, which I saw in proced, generated a lot of
> certificates in /etc/certs.  I am talking about pages and pages of
> asterisk, plusses, and dots for a system with twenty or so certificates.
> Is it possible that they were generated as a result of the patch?

I expect the first reconfiguration after this change to create one self
signed certificate in /etc/certs for each <certificate-configuration>
object in your certbot configuration. These self-signed certificates
will then be replaced by symlinks to the certificates that cerbot
generates after your next renewal (i.e. when the deploy hook runs).

We could avoid generating unnecessary self-signed certificates by first
checking if we already have certificates from certbot, and creating the
symlink straight away if we can.

About the "pages and pages" of output: it might be sensible to change
the size of the self keys used in the self signed certificates. The
current code uses the rsa-key-size from the <cerbot-configuration>, or
4096 if that is unset (the default). This is probably overkill given we
don't actually need, or want, to use the initial certificates.

We could instead use the smallest key size that openssl supports (512?).

I'm not sure when I'll have time to make those changes, but they should
be pretty straightforward if someone else has time before I do.

> It would be unfavorable to create such certificates when they are not
> needed.  It reduces valuable server entropy.

If you don't want the initial self signed certificate you can tell Guix
not to generate it by setting start-self-signed? to #f on the
<certificate-configuration> object.

Carlo