GNU bug report logs -
#50872
Prosody service + letsencrypt certs improvements
Previous Next
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 50872 in the body.
You can then email your comments to 50872 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
bug-guix <at> gnu.org
:
bug#50872
; Package
guix
.
(Tue, 28 Sep 2021 17:18:01 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Christine Lemmer-Webber <cwebber <at> dustycloud.org>
:
New bug report received and forwarded. Copy sent to
bug-guix <at> gnu.org
.
(Tue, 28 Sep 2021 17:18:01 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
I finally got prosody working on my server using Guix. However, the
manual says:
Prosodyctl will also help you to import certificates from the
‘letsencrypt’ directory so that the ‘prosody’ user can access them. See
<https://prosody.im/doc/letsencrypt>.
prosodyctl --root cert import /etc/letsencrypt/live
However, what prosody actually does with this command is that it copies
the files from letsencrypt *over to* its own directory (but then also
restarts prosody... in theory). According to the docs:
This command can be put in cron or passed as a callback to automated
certificate renewal programs such as certbot or other Let's Encrypt
clients. For more information on using Prosody with these, see our
Let's Encrypt page.
Hm, in other words we really ought to run this attached to some hook
related to the letsencrypt services... when they renew successfully, it
should trigger this command, I'd think. We do similar things for nginx,
etc...
Thoughts? Does this seem right?
- Christine
Information forwarded
to
bug-guix <at> gnu.org
:
bug#50872
; Package
guix
.
(Wed, 29 Sep 2021 21:23:02 GMT)
Full text and
rfc822 format available.
Message #8 received at 50872 <at> debbugs.gnu.org (full text, mbox):
Hi Christine,
On Tue, Sep 28 2021, Christine Lemmer-Webber wrote:
> Hm, in other words we really ought to run this attached to some
> hook related to the letsencrypt services... when they renew
> successfully, it should trigger this command, I'd think. We do
> similar things for nginx, etc...
I'm pretty sure Guix doesn't do anything automatic when
certificates are renewed. For nginx there's an example in the
manual for how to set up a deploy hook to reload the
certificates[1], so I expect that you'll have to set up something
similar.
My prosody setup has this deploy hook:
(program-file
"reload-certificates"
#~(let ((prosodyctl (string-append #$(specification->package
"prosody")
"/bin/prosodyctl")))
(system* prosodyctl "--root" "cert" "import"
"/etc/letsencrypt/live")
(system* prosodyctl "reload")))
but I have recently had some trouble with it (prosody hasn't been
reloading the certificate properly). I don't think my issue is
related to this deploy hook, though.
I hope that helps!
Carlo
[1]:
https://guix.gnu.org/en/manual/en/html_node/Certificate-Services.html
Information forwarded
to
bug-guix <at> gnu.org
:
bug#50872
; Package
guix
.
(Wed, 29 Sep 2021 21:24:02 GMT)
Full text and
rfc822 format available.
Reply sent
to
Christine Lemmer-Webber <cwebber <at> dustycloud.org>
:
You have taken responsibility.
(Wed, 29 Sep 2021 23:45:02 GMT)
Full text and
rfc822 format available.
Notification sent
to
Christine Lemmer-Webber <cwebber <at> dustycloud.org>
:
bug acknowledged by developer.
(Wed, 29 Sep 2021 23:45:02 GMT)
Full text and
rfc822 format available.
Message #16 received at 50872-done <at> debbugs.gnu.org (full text, mbox):
Carlo Zancanaro <carlo <at> zancanaro.id.au> writes:
> Hi Christine,
>
> On Tue, Sep 28 2021, Christine Lemmer-Webber wrote:
>> Hm, in other words we really ought to run this attached to some hook
>> related to the letsencrypt services... when they renew successfully,
>> it should trigger this command, I'd think. We do similar things for
>> nginx, etc...
>
> I'm pretty sure Guix doesn't do anything automatic when certificates
> are renewed. For nginx there's an example in the manual for how to set
> up a deploy hook to reload the certificates[1], so I expect that
> you'll have to set up something similar.
You're right... not sure why I thought it did.
> My prosody setup has this deploy hook:
>
> (program-file
> "reload-certificates"
> #~(let ((prosodyctl (string-append #$(specification->package
> "prosody")
> "/bin/prosodyctl")))
> (system* prosodyctl "--root" "cert" "import"
> "/etc/letsencrypt/live")
> (system* prosodyctl "reload")))
>
> but I have recently had some trouble with it (prosody hasn't been
> reloading the certificate properly). I don't think my issue is
> related to this deploy hook, though.
That seems great. I'll give it a try.
Since this isn't significantly different from other services then (well,
excepting that prosody needs to not just reload but have the import
command run again... but you've provided what looks like a good solution
above) I'm going to close this.
> I hope that helps!
It does, thanks!
> Carlo
>
> [1]:
> https://guix.gnu.org/en/manual/en/html_node/Certificate-Services.html
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org
.
(Thu, 28 Oct 2021 11:24:06 GMT)
Full text and
rfc822 format available.
This bug report was last modified 2 years and 174 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.