gnu: certbot: Add support for manual plugin.

* gnu/services/certbot.scm (certificate-configuration): Add challenge,
auth-hook and cleanup-hook fields.
(certbot-command): Use them.
* doc/guix.texi (Certificate Services): Document them.
This commit is contained in:
Julien Lepiller 2019-04-19 22:28:30 +02:00
parent c3634df2a4
commit b68aff1f05
No known key found for this signature in database
GPG key ID: 43111F4520086A0C
2 changed files with 51 additions and 9 deletions

View file

@ -19425,6 +19425,26 @@ Its default is the first provided domain.
The first domain provided will be the subject CN of the certificate, and The first domain provided will be the subject CN of the certificate, and
all domains will be Subject Alternative Names on the certificate. all domains will be Subject Alternative Names on the certificate.
@item @code{challenge} (default: @code{#f})
The challenge type that has to be run by certbot. If @code{#f} is specified,
default to the HTTP challenge. If a value is specified, defaults to the
manual plugin (see @code{authentication-hook}, @code{cleanup-hook} and
the documentation at @url{https://certbot.eff.org/docs/using.html#hooks}).
@item @code{authentication-hook} (default: @code{#f})
Command to be run in a shell once for each certificate challenge to be
answered. For this command, the shell variable @code{$CERTBOT_DOMAIN}
will contain the domain being authenticated, @code{$CERTBOT_VALIDATION}
contains the validation string and @code{$CERTBOT_TOKEN} contains the
file name of the resource requested when performing an HTTP-01 challenge.
@item @code{cleanup-hook} (default: @code{#f})
Command to be run in a shell once for each certificate challenge that
have been answered by the @code{auth-hook}. For this command, the shell
variables available in the @code{auth-hook} script are still available, and
additionally @code{$CERTBOT_AUTH_OUTPUT} will contain the standard output
of the @code{auth-hook} script.
@item @code{deploy-hook} (default: @code{#f}) @item @code{deploy-hook} (default: @code{#f})
Command to be run in a shell once for each successfully issued Command to be run in a shell once for each successfully issued
certificate. For this command, the shell variable certificate. For this command, the shell variable

View file

@ -2,6 +2,7 @@
;;; Copyright © 2016 ng0 <ng0@n0.is> ;;; Copyright © 2016 ng0 <ng0@n0.is>
;;; Copyright © 2016 Sou Bunnbu <iyzsong@member.fsf.org> ;;; Copyright © 2016 Sou Bunnbu <iyzsong@member.fsf.org>
;;; Copyright © 2017, 2018 Clément Lassieur <clement@lassieur.org> ;;; Copyright © 2017, 2018 Clément Lassieur <clement@lassieur.org>
;;; Copyright © 2019 Julien Lepiller <julien@lepiller.eu>
;;; ;;;
;;; This file is part of GNU Guix. ;;; This file is part of GNU Guix.
;;; ;;;
@ -50,6 +51,12 @@ (define-record-type* <certificate-configuration>
(default #f)) (default #f))
(domains certificate-configuration-domains (domains certificate-configuration-domains
(default '())) (default '()))
(challenge certificate-configuration-challenge
(default #f))
(authentication-hook certificate-authentication-hook
(default #f))
(cleanup-hook certificate-cleanup-hook
(default #f))
(deploy-hook certificate-configuration-deploy-hook (deploy-hook certificate-configuration-deploy-hook
(default #f))) (default #f)))
@ -81,9 +88,24 @@ (define certbot-command
(commands (commands
(map (map
(match-lambda (match-lambda
(($ <certificate-configuration> custom-name domains (($ <certificate-configuration> custom-name domains challenge
authentication-hook cleanup-hook
deploy-hook) deploy-hook)
(let ((name (or custom-name (car domains)))) (let ((name (or custom-name (car domains))))
(if challenge
(append
(list name certbot "certonly" "-n" "--agree-tos"
"-m" email
"--manual"
(string-append "--preferred-challenges=" challenge)
"--cert-name" name
"-d" (string-join domains ","))
(if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
(if authentication-hook
`("--manual-auth-hook" ,authentication-hook)
'())
(if cleanup-hook `("--manual-cleanup-hook" ,cleanup-hook) '())
(if deploy-hook `("--deploy-hook" ,deploy-hook) '()))
(append (append
(list name certbot "certonly" "-n" "--agree-tos" (list name certbot "certonly" "-n" "--agree-tos"
"-m" email "-m" email
@ -91,7 +113,7 @@ (define certbot-command
"--cert-name" name "--cert-name" name
"-d" (string-join domains ",")) "-d" (string-join domains ","))
(if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '()) (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
(if deploy-hook `("--deploy-hook" ,deploy-hook) '()))))) (if deploy-hook `("--deploy-hook" ,deploy-hook) '()))))))
certificates))) certificates)))
(program-file (program-file
"certbot-command" "certbot-command"