help-guix
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Certbot with DNS Challenge

From: Raghav Gururajan
Subject: Re: Certbot with DNS Challenge
Date: Sat, 17 Apr 2021 08:27:34 -0400 
Hi Pierre!


--8<---------------cut here---------------start------------->8---
(define certbot-authentication-hook
   (program-file "certbot-authentication-hook"
     (with-imported-modules '((guix build utils))
       #~(let ((gandi (string-append #$gandi.cli "/bin/gandi"))
               (validation (getenv "CERTBOT_VALIDATION")))
           (use-modules ((guix build utils)))
           (setenv "GANDI_CONFIG" "/etc/gandi/config.yaml")
(invoke gandi "dns" "create" "example.com" "_acme-challenge" 
"TXT" validation)))))


(define certbot-cleanup-hook
   (program-file "certbot-cleanup-hook"
     (with-imported-modules '((guix build utils))
       #~(let ((gandi (string-append #$gandi.cli "/bin/gandi")))
           (use-modules ((guix build utils)))
           (setenv "GANDI_CONFIG" "/etc/gandi/config.yaml")
           (invoke gandi "dns" "delete" "--force" "example.com" "_acme-challenge" 
"TXT")))))

(...)

(service certbot-service-type
   (certbot-configuration
     (email "me@example.com")
     (certificates
       (list
         (certificate-configuration
           (domains '("*.example.com"))
           (challenge "dns")
           (authentication-hook certbot-authentication-hook)
           (cleanup-hook certbot-cleanup-hook))))))
--8<---------------cut here---------------end--------------->8---


Thank you so much! I appreciate it.
I am using deSEC (https://desec.io) and have their hook.sh (https://github.com/desec-io/desec-certbot-hook) stored as "/etc/desec/hook.sh" on my system.
So, in your snippet, I should replace certbot-*-hook with "/etc/desec/hook.sh", right?
Also, does using "*.example.com" means that the generated cert can be used both for apex/naked domain and any of the subdomains? 


As a tip, when working on this it was very useful to be able to pass the
--dry-run option to certbot, and use development acme server
temporarily. Otherwise if you do too many attempts on the regular server
you eventually get blocked because of limit rates. But if you use the
dev server, then you have to use --dry-run as well.

I've actually got patches up for the dry-run flag if you need them:
https://issues.guix.gnu.org/47136. Let me know if you test them or/and
have any feedback!


Sure, I'll give it a try.

Regards,
RG.

Attachment: OpenPGP_0x5F5816647F8BE551.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature
Description: OpenPGP digital signature

reply via email to
[Prev in Thread] Current Thread [Next in Thread]