bug#46961: [PATCH v2 0/4] Make certbot play more nicely with nginx

bug-guix

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#46961: [PATCH v2 0/4] Make certbot play more nicely with nginx

From:	Carlo Zancanaro
Subject:	bug#46961: [PATCH v2 0/4] Make certbot play more nicely with nginx
Date:	Wed, 31 Jan 2024 08:48:54 +1100
User-agent:	mu4e 1.10.8; emacs 29.1

Hi Felix,

On Tue, Jan 30 2024, Felix Lechner wrote:

On Tue, Jan 30 2024, Carlo Zancanaro wrote:

certbot can't produce certificates without a functional nginx


Yes, it can. The option is called --standalone. [1]

You are correct, of course. If I had been more precise I wouldhave said "with our current configuration, certbot can't producecertificates without a functional nginx".

Maybe another way to bootstrap the certificates would be to holdoff on starting Nginx or Apache until all certificates areobtained?


This could work, but I see a few downsides.

As Clément has already mentioned, this would make nginx dependenton certbot. This causes problems for servers disconnected from thegeneral internet, but it also shifts complexity into the nginxservice without much benefit over the patch series I'm proposing.We'd need to add more configuration on the nginx side to controlwhether to delay startup based on whether we actually wantcertificates. This would delay the startup of the whole nginxprocess, even if some server configurations don't require newcertificates.

For renewal, we would also have two options: (1) use --standalone,and require a period of downtime for our web server; or (2) use--webroot, and maintain two code paths for the two cases. I thinkit's a bad idea for Guix to make a decision that requires downtimeof user systems if there's an alternative, so I don't like (1).Maintaining two "similar but different" code paths for (2) doesn'tseem like a clear advantage over the patch series I'm proposing.

Anyway, that's what I do manually.

I use the DNS challenge type, with hooks which automaticallycreate/remove DNS records. This solves all the problems I'mbringing up (i.e. doesn't require nginx, doesn't involve downtime,has a single code path), but I don't think Guix can assume thatall users have the ability to do this. My aim with this patchseries is to make the default certbot configuration work for thecommon case of a simple web server, without manual intervention.


Carlo

[Prev in Thread]

Current Thread

[Next in Thread]

bug#46961: [PATCH 0/2] Allow nginx to start before certbot has run, Carlo Zancanaro, 2024/01/24
- bug#46961: [PATCH 2/2] services: certbot: Create self-signed certificates before certbot runs, Carlo Zancanaro, 2024/01/24
  - bug#46961: [PATCH 2/2] services: certbot: Create self-signed certificates before certbot runs, Carlo Zancanaro, 2024/01/24
  - bug#46961: Nginx and certbot cervices don't play well togther, Clément Lassieur, 2024/01/29
    - bug#46961: Nginx and certbot cervices don't play well togther, Carlo Zancanaro, 2024/01/29
    - bug#46961: Nginx and certbot cervices don't play well togther, Clément Lassieur, 2024/01/29
  - bug#46961: Nginx and certbot cervices don't play well togther, Clément Lassieur, 2024/01/29
- bug#46961: [PATCH 1/2] services: certbot: Symlink certificates to /etc/certs, Carlo Zancanaro, 2024/01/24
- bug#46961: [PATCH v2 0/4] Make certbot play more nicely with nginx, Carlo Zancanaro, 2024/01/30
  - bug#46961: [PATCH v2 0/4] Make certbot play more nicely with nginx, Felix Lechner, 2024/01/30
    - bug#46961: [PATCH v2 0/4] Make certbot play more nicely with nginx, Carlo Zancanaro <=
    - bug#46961: [PATCH v2 0/4] Make certbot play more nicely with nginx, Wojtek Kosior, 2024/01/30
  - Message not available
    - bug#46961: [PATCH v2 0/4] Make certbot play more nicely with nginx, Clément Lassieur, 2024/01/30
  - bug#46961: [PATCH v3 1/4] services: certbot: Symlink certificates to /etc/certs., Carlo Zancanaro, 2024/01/31
  - bug#46961: [PATCH v3 3/4] services: certbot: Reload nginx in deploy hook., Carlo Zancanaro, 2024/01/31
  - bug#46961: [PATCH v3 0/4] Make certbot play more nicely with nginx, Carlo Zancanaro, 2024/01/31
  - bug#46961: [PATCH v3 4/4] services: certbot: Add one-shot service to renew certificates., Carlo Zancanaro, 2024/01/31
  - bug#46961: [PATCH v3 2/4] services: certbot: Create self-signed certificates before certbot runs., Carlo Zancanaro, 2024/01/31
- bug#46961: [PATCH v2 3/4] services: certbot: Add a default deploy hook to reload nginx., Carlo Zancanaro, 2024/01/30
  - bug#46961: Nginx and certbot cervices don't play well togther, Clément Lassieur, 2024/01/30
- bug#46961: [PATCH v2 1/4] services: certbot: Symlink certificates to /etc/certs., Carlo Zancanaro, 2024/01/30

Prev by Date: bug#68747: Extending postgresql-role-service-type as shown in manual leads to crash
Next by Date: bug#68811: build hash inconsistency
Previous by thread: bug#46961: [PATCH v2 0/4] Make certbot play more nicely with nginx
Next by thread: bug#46961: [PATCH v2 0/4] Make certbot play more nicely with nginx
Index(es):
- Date
- Thread