Re: Certbot with DNS Challenge
From: Raghav Gururajan
Subject: Re: Certbot with DNS Challenge
Date: Sat, 17 Apr 2021 08:27:34 -0400
Hi Pierre!
> --8<---------------cut here---------------start------------->8---
> (define certbot-authentication-hook
>   (program-file "certbot-authentication-hook"
>     (with-imported-modules '((guix build utils))
>       #~(let ((gandi (string-append #$gandi.cli "/bin/gandi"))
>               (validation (getenv "CERTBOT_VALIDATION")))
>           (use-modules ((guix build utils)))
>           (setenv "GANDI_CONFIG" "/etc/gandi/config.yaml")
>           (invoke gandi "dns" "create" "example.com" "_acme-challenge"
>                   "TXT" validation)))))
>
> (define certbot-cleanup-hook
>   (program-file "certbot-cleanup-hook"
>     (with-imported-modules '((guix build utils))
>       #~(let ((gandi (string-append #$gandi.cli "/bin/gandi")))
>           (use-modules ((guix build utils)))
>           (setenv "GANDI_CONFIG" "/etc/gandi/config.yaml")
>           (invoke gandi "dns" "delete" "--force" "example.com" "_acme-challenge"
>                   "TXT")))))
>
> (...)
>
> (service certbot-service-type
>          (certbot-configuration
>           (email "me@example.com")
>           (certificates
>            (list
>             (certificate-configuration
>              (domains '("*.example.com"))
>              (challenge "dns")
>              (authentication-hook certbot-authentication-hook)
>              (cleanup-hook certbot-cleanup-hook))))))
> --8<---------------cut here---------------end--------------->8---
Thank you so much! I appreciate it.
I am using deSEC (https://desec.io) and have their hook.sh
(https://github.com/desec-io/desec-certbot-hook) stored as
"/etc/desec/hook.sh" on my system.
So, in your snippet, I should replace certbot-*-hook with
"/etc/desec/hook.sh", right?
Also, does using "*.example.com" mean that the generated cert can be
used both for the apex/naked domain and for any of the subdomains?
> As a tip, when working on this it was very useful to be able to pass the
> --dry-run option to certbot, and use the development ACME server
> temporarily. Otherwise, if you do too many attempts on the regular server
> you eventually get blocked because of rate limits. But if you use the
> dev server, then you have to use --dry-run as well.
>
> I've actually got patches up for the dry-run flag if you need them:
> https://issues.guix.gnu.org/47136. Let me know if you test them and/or
> have any feedback!
Sure, I'll give it a try.
Regards,
RG.
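Added example, not part of this thread and not code from Guix, certbot or deSEC's hook.sh. It shows the environment contract certbot uses with --manual-auth-hook and --manual-cleanup-hook for the DNS-01 challenge (CERTBOT_DOMAIN and CERTBOT_VALIDATION, plus CERTBOT_AUTH_OUTPUT for cleanup), derives the _acme-challenge record name the same way the gandi invocation above does, and adds two checks a hook that runs as root with a DNS API token should have: refuse an empty validation token, and refuse zones outside an allowlist so a misconfigured domain list cannot turn the hook into a generic record writer. The provider CLI name `dnsctl`, its argument order, and the allowlist are placeholders modelled on the gandi call; the provider command is printed rather than executed so the script can be exercised offline.

```shell
#!/bin/sh
# Added example (not the thread's code). Usage as certbot hooks:
#   certbot certonly --manual --preferred-challenges dns \
#     --manual-auth-hook "/etc/acme/hook.sh auth" \
#     --manual-cleanup-hook "/etc/acme/hook.sh cleanup" -d '*.example.com'
# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the auth hook;
# the cleanup hook additionally receives CERTBOT_AUTH_OUTPUT.
set -eu

# Constructed allowlist: zones this hook is permitted to modify.
ALLOWED_ZONES="example.com"

# A wildcard *.example.com is authorised through the identifier example.com
# and its TXT record lives at _acme-challenge.example.com, so a leading "*."
# is stripped defensively in case the hook is handed the raw domain string.
base_domain() {
    d=$1
    case "$d" in
        \*.*) d=${d#\*.} ;;
    esac
    printf '%s\n' "$d"
}

acme_record_name() {
    printf '_acme-challenge.%s\n' "$(base_domain "$1")"
}

# Returns 0 when the domain is the allowlisted zone or a name beneath it.
zone_allowed() {
    d=$(base_domain "$1")
    for z in $ALLOWED_ZONES; do
        case "$d" in
            "$z"|*."$z") return 0 ;;
        esac
    done
    return 1
}

# $1 = CERTBOT_DOMAIN, $2 = CERTBOT_VALIDATION.  Prints the provider command
# (placeholder CLI "dnsctl"); a real hook would run it and then poll the
# authoritative nameservers until the TXT record is visible before returning.
auth_command() {
    [ -n "$2" ] || { echo "auth hook: empty CERTBOT_VALIDATION" >&2; return 1; }
    zone_allowed "$1" || { echo "auth hook: refusing zone for $1" >&2; return 1; }
    printf 'dnsctl dns create %s TXT %s\n' "$(acme_record_name "$1")" "$2"
}

cleanup_command() {
    zone_allowed "$1" || { echo "cleanup hook: refusing zone for $1" >&2; return 1; }
    printf 'dnsctl dns delete --force %s TXT\n' "$(acme_record_name "$1")"
}

# Entry point when certbot runs this file; ${VAR:?} aborts if certbot did not
# supply the variable instead of silently creating an empty record.
case "${1:-}" in
    auth)    auth_command "${CERTBOT_DOMAIN:?}" "${CERTBOT_VALIDATION:?}" ;;
    cleanup) cleanup_command "${CERTBOT_DOMAIN:?}" ;;
esac
```

The allowlist check is the part worth keeping even when a provider's ready-made hook is used: the API token in the hook's config file can typically write any record in the account, so the hook, not the token, is where the blast radius is limited.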