services: certbot: Add option to use CSR file.

* gnu/services/certbot.scm (<certificate-configuration>): Add csr field. (certbot-command): Modify. * doc/guix.texi (Certificate Services): Document it.
2025-01-11 13:49:23 -05:00 · 2021-06-24 14:14:37 -04:00 · 2021-06-24 14:14:37 -04:00 · 1bf1226a4f
commit 1bf1226a4f
parent d3e8890613
2 changed files with 16 additions and 2 deletions
--- a/doc/guix.texi
+++ b/doc/guix.texi
@ -91,6 +91,7 @@ Copyright @copyright{} 2020 Edgar Vincent@*
 Copyright @copyright{} 2021 Maxime Devos@*
 Copyright @copyright{} 2021 B. Wilson@*
 Copyright @copyright{} 2021 Xinglu Chen@*
+Copyright @copyright{} 2021 Raghav Gururajan@*

 Permission is granted to copy, distribute and/or modify this document
 under the terms of the GNU Free Documentation License, Version 1.3 or
@ -25934,6 +25935,14 @@ the documentation at @url{https://certbot.eff.org/docs/using.html#hooks}),
 and gives Let's Encrypt permission to log the public IP address of the
 requesting machine.

+@item @code{csr} (default: @code{#f})
+File name of Certificate Signing Request (CSR) in DER or PEM format.
+If @code{#f} is specified, this argument will not be passed to certbot.
+If a value is specified, certbot will use it to obtain a certificate, instead of
+using a self-generated CSR.
+The domain-name(s) mentioned in @code{domains}, must be consistent with the
+domain-name(s) mentioned in CSR file.
+
@item @code{authentication-hook} (default: @code{#f})
 Command to be run in a shell once for each certificate challenge to be
 answered.  For this command, the shell variable @code{$CERTBOT_DOMAIN}
--- a/gnu/services/certbot.scm
+++ b/gnu/services/certbot.scm
@ -5,6 +5,7 @@
 ;;; Copyright © 2019 Julien Lepiller <julien@lepiller.eu>
 ;;; Copyright © 2020 Jack Hill <jackhill@jackhill.us>
 ;;; Copyright © 2020 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright © 2021 Raghav Gururajan <rg@raghavgururajan.name>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@ -55,6 +56,8 @@ (define-record-type* <certificate-configuration>
                       (default '()))
  (challenge           certificate-configuration-challenge
                       (default #f))
+  (csr                 certificate-configuration-csr
+                       (default #f))
  (authentication-hook certificate-authentication-hook
                       (default #f))
  (cleanup-hook        certificate-cleanup-hook
@ -94,8 +97,8 @@ (define certbot-command
             (map
              (match-lambda
                (($ <certificate-configuration> custom-name domains challenge
-                                                authentication-hook cleanup-hook
-                                                deploy-hook)
+                                                csr authentication-hook
+                                                cleanup-hook deploy-hook)
                 (let ((name (or custom-name (car domains))))
                   (if challenge
                     (append
@ -105,6 +108,7 @@ (define certbot-command
                            "--cert-name" name
                            "--manual-public-ip-logging-ok"
                            "-d" (string-join domains ","))
+                      (if csr `("--csr" ,csr) '())
                      (if email
                          `("--email" ,email)
                          '("--register-unsafely-without-email"))
@ -120,6 +124,7 @@ (define certbot-command
                            "--webroot" "-w" webroot
                            "--cert-name" name
                            "-d" (string-join domains ","))
+                      (if csr `("--csr" ,csr) '())
                      (if email
                          `("--email" ,email)
                          '("--register-unsafely-without-email"))