Re: Certbot with DNS Challenge

Sat, 17 Apr 2021 03:26:16 -0700 

Hi Raghav,

Raghav Gururajan writes:

> Hello Guix!
>
> For certbot-service-type, the manual has an example for HTTP challenge. I was
> wondering if anyone has an example for DNS challenge?

It just happens I set it up on my LAN a month ago, it worked really
well!  I'm using gandi as the provider and I've got a config like this
that creates a wildcard certificate that can be used for any services on
the LAN (I use it for nginx with cgit, and a locap IMAP server).

--8<---------------cut here---------------start------------->8---
(define certbot-authentication-hook
  (program-file "certbot-authentication-hook"
    (with-imported-modules '((guix build utils))
      #~(let ((gandi (string-append #$gandi.cli "/bin/gandi"))
              (validation (getenv "CERTBOT_VALIDATION")))
          (use-modules ((guix build utils)))
          (setenv "GANDI_CONFIG" "/etc/gandi/config.yaml")
          (invoke gandi "dns" "create" "example.com" "_acme-challenge" "TXT" 
validation)))))

(define certbot-cleanup-hook
  (program-file "certbot-cleanup-hook"
    (with-imported-modules '((guix build utils))
      #~(let ((gandi (string-append #$gandi.cli "/bin/gandi")))
          (use-modules ((guix build utils)))
          (setenv "GANDI_CONFIG" "/etc/gandi/config.yaml")
          (invoke gandi "dns" "delete" "--force" "example.com" 
"_acme-challenge" "TXT")))))

(...)

(service certbot-service-type
  (certbot-configuration
    (email "m...@example.com")
    (certificates
      (list
        (certificate-configuration
          (domains '("*.example.com"))
          (challenge "dns")
          (authentication-hook certbot-authentication-hook)
          (cleanup-hook certbot-cleanup-hook))))))
--8<---------------cut here---------------end--------------->8---

I did need to store a secret API key on the file system in
/etc/gandi/config.yaml.

As a tip, when working on this it was very useful to be able to pass the
--dry-run option to certbot, and use development acme server
temporarily. Otherwise if you do too many attempts on the regular server
you eventually get blocked because of limit rates. But if you use the
dev server, then you have to use --dry-run as well.

I've actually got patches up for the dry-run flag if you need them:
https://issues.guix.gnu.org/47136. Let me know if you test them or/and
have any feedback!

Thanks,
Pierre

Attachment: signature.asc
Description: PGP signature

Reply via email to