diff mbox series

[bug#35330] gnu: certbot: Add support for manual plugin.

Message ID 20190419212320.20256-1-julien@lepiller.eu
State Accepted
Headers show
Series [bug#35330] gnu: certbot: Add support for manual plugin. | expand

Checks

Context Check Description
cbaines/applying patch success Successfully applied

Commit Message

Julien Lepiller April 19, 2019, 9:23 p.m. UTC 
* gnu/services/certbot.scm (certificate-configuration): Add challenge,
auth-hook and cleanup-hook fields.
(certbot-command): Use them.
* doc/guix.texi (Certificate Services): Document them.
---
 doc/guix.texi            | 19 +++++++++++++++++++
 gnu/services/certbot.scm | 38 ++++++++++++++++++++++++++++----------
 2 files changed, 47 insertions(+), 10 deletions(-)

Comments

Ludovic Courtès April 24, 2019, 12:29 p.m. UTC | #1 
Hello,

Julien Lepiller <julien@lepiller.eu> skribis:

> * gnu/services/certbot.scm (certificate-configuration): Add challenge,
> auth-hook and cleanup-hook fields.
> (certbot-command): Use them.
> * doc/guix.texi (Certificate Services): Document them.

Neat!

Nitpick:

  - s/http/HTTP/
  - two spaces after end-of-sentence period
  - s/filename/file name/

> +@item @code{challenge} (default: @code{#f})
> +The challenge type that has to be run by certbot. If @code{#f} is specified,
> +default to the http challenge. If a value is specified, defaults to the
> +manual plugin (see @code{auth-hook} and @code{cleanup-hook}).

If there’s a stable URL to upstream documentation, perhaps you could
insert it here.

> +@item @code{auth-hook} (default: @code{#f})

Should it be called ‘authentication-hook’?

I’m definitely no expert, but I’d say go for it!

Thanks for working on it!

Ludo’.
Julien Lepiller April 25, 2019, 5:48 p.m. UTC | #2 
Le Wed, 24 Apr 2019 14:29:12 +0200,
Ludovic Courtès <ludo@gnu.org> a écrit :

> Hello,
> 
> Julien Lepiller <julien@lepiller.eu> skribis:
> 
> > * gnu/services/certbot.scm (certificate-configuration): Add
> > challenge, auth-hook and cleanup-hook fields.
> > (certbot-command): Use them.
> > * doc/guix.texi (Certificate Services): Document them.  
> 
> Neat!
> 
> Nitpick:
> 
>   - s/http/HTTP/
>   - two spaces after end-of-sentence period
>   - s/filename/file name/
> 
> > +@item @code{challenge} (default: @code{#f})
> > +The challenge type that has to be run by certbot. If @code{#f} is
> > specified, +default to the http challenge. If a value is specified,
> > defaults to the +manual plugin (see @code{auth-hook} and
> > @code{cleanup-hook}).  
> 
> If there’s a stable URL to upstream documentation, perhaps you could
> insert it here.
> 
> > +@item @code{auth-hook} (default: @code{#f})  
> 
> Should it be called ‘authentication-hook’?
> 
> I’m definitely no expert, but I’d say go for it!
> 
> Thanks for working on it!
> 
> Ludo’.

Thanks, pushed as b68aff1f05864a589b62afa44665a99e5cf43718.
diff mbox series

Patch

diff --git a/doc/guix.texi b/doc/guix.texi
index 8c7522f286..7bbec33d10 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -19416,6 +19416,25 @@  Its default is the first provided domain.
 The first domain provided will be the subject CN of the certificate, and
 all domains will be Subject Alternative Names on the certificate.
 
+@item @code{challenge} (default: @code{#f})
+The challenge type that has to be run by certbot. If @code{#f} is specified,
+default to the http challenge. If a value is specified, defaults to the
+manual plugin (see @code{auth-hook} and @code{cleanup-hook}).
+
+@item @code{auth-hook} (default: @code{#f})
+Command to be run in a shell once for each certificate challenge to be
+answered.  For this command, the shell variable @code{$CERTBOT_DOMAIN}
+will contain the domain being authenticated, @code{$CERTBOT_VALIDATION}
+contains the validation string and @code{$CERTBOT_TOKEN} contains the
+filename of the resource requested when performing an HTTP-01 challenge.
+
+@item @code{cleanup-hook} (default: @code{#f})
+Command to be run in a shell once for each certificate challenge that
+have been answered by the @code{auth-hook}.  For this command, the shell
+variables available in the @code{auth-hook} script are still available, and
+additionally @code{$CERTBOT_AUTH_OUTPUT} will contain the standard output
+of the @code{auth-hook} script.
+
 @item @code{deploy-hook} (default: @code{#f})
 Command to be run in a shell once for each successfully issued
 certificate.  For this command, the shell variable
diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm
index 7565bc97ca..95c39684cf 100644
--- a/gnu/services/certbot.scm
+++ b/gnu/services/certbot.scm
@@ -50,6 +50,12 @@ 
                        (default #f))
   (domains             certificate-configuration-domains
                        (default '()))
+  (challenge           certificate-configuration-challenge
+                       (default #f))
+  (auth-hook           certificate-auth-hook
+                       (default #f))
+  (cleanup-hook        certificate-cleanup-hook
+                       (default #f))
   (deploy-hook         certificate-configuration-deploy-hook
                        (default #f)))
 
@@ -81,17 +87,29 @@ 
             (commands
              (map
               (match-lambda
-                (($ <certificate-configuration> custom-name domains
-                                                deploy-hook)
+                (($ <certificate-configuration> custom-name domains challenge
+                                                auth-hook cleanup-hook deploy-hook)
                  (let ((name (or custom-name (car domains))))
-                   (append
-                    (list name certbot "certonly" "-n" "--agree-tos"
-                          "-m" email
-                          "--webroot" "-w" webroot
-                          "--cert-name" name
-                          "-d" (string-join domains ","))
-                    (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
-                    (if deploy-hook `("--deploy-hook" ,deploy-hook) '())))))
+                   (if challenge
+                     (append
+                      (list name certbot "certonly" "-n" "--agree-tos"
+                            "-m" email
+                            "--manual"
+                            (string-append "--preferred-challenges=" challenge)
+                            "--cert-name" name
+                            "-d" (string-join domains ","))
+                      (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
+                      (if auth-hook `("--manual-auth-hook" ,auth-hook) '())
+                      (if cleanup-hook `("--manual-cleanup-hook" ,cleanup-hook) '())
+                      (if deploy-hook `("--deploy-hook" ,deploy-hook) '()))
+                     (append
+                      (list name certbot "certonly" "-n" "--agree-tos"
+                            "-m" email
+                            "--webroot" "-w" webroot
+                            "--cert-name" name
+                            "-d" (string-join domains ","))
+                      (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
+                      (if deploy-hook `("--deploy-hook" ,deploy-hook) '()))))))
               certificates)))
        (program-file
         "certbot-command"