services: certbot: Add dry-run? certificate option.

* gnu/services/certbot.scm (certificate-configuration): Add dry-run? field. (certbot-command): Use it to pass --dry-run to certbot. * doc/guix.texi (Certificate Services): Document dry-run? option. Change-Id: I26b0dc06e2b7e5fb34305deee09e311d085f8a4b Signed-off-by: Maxim Cournoyer <maxim@guixotic.coop> Modified-by: Maxim Cournoyer <maxim@guixotic.coop>
2026-04-06 13:10:33 +02:00 · 2021-03-14 13:15:43 +00:00
parent c603068f6f
commit 57fc58ba48
2 changed files with 75 additions and 34 deletions
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -35816,6 +35816,41 @@ certificates and keys; the shell variable @code{$RENEWED_DOMAINS} will
 contain a space-delimited list of renewed certificate domains (for
 example, @samp{"example.com www.example.com"}.

+@item @code{dry-run?} (default: @code{#f})
+Communicate with the ACME server but do not update certificates nor
+trigger @code{deploy-hook}.  This is useful as a temporary setting to
+test the challenge procedure, especially the @code{authentication-hook}
+and @code{cleanup-hook} while working on them.  It's also a good idea to
+use the Let's Encrypt staging server at
+@url{https://acme-staging-v02.api.letsencrypt.org/directory} while
+testing, which allows for higher rate limits, but with which
+@code{certbot} will helpfully refuse to update certificates and
+recommend the @code{dry-run?} option.  For example:
+
+@lisp
+(define %authentication-hook
+  (program-file "authentication-hook"
+    #~(let ((domain (getenv "CERTBOT_DOMAIN"))
+            (token (getenv "CERTBOT_TOKEN")))
+        (format #t "Hey, can you authenticate ~a with ~a for me?"
+                domain token))))
+
+(define %cleanup-hook
+  (program-file "authentication-hook"
+    #~(display "Bye")))
+
+(service certbot-service-type
+         (certbot-configuration
+          (server "https://acme-staging-v02.api.letsencrypt.org/directory")
+          (certificates
+           (list
+            (certificate-configuration
+              (dry-run? #t)
+              (authentication-hook %authentication-hook)
+              (cleanup-hook %cleanup-hook)
+              (domains '("example.net" "www.example.net")))))))
+@end lisp
+
@item @code{start-self-signed?} (default: @code{#t})
 Whether to generate an initial self-signed certificate during system
 activation.  This option is particularly useful to allow @code{nginx} to
--- a/gnu/services/certbot.scm
+++ b/gnu/services/certbot.scm
@@ -66,6 +66,8 @@
                       (default #f))
  (deploy-hook         certificate-configuration-deploy-hook
                       (default #f))
+  (dry-run?            certbot-configuration-dry-run?
+                       (default #f))
  (start-self-signed?  certificate-configuration-start-self-signed?
                       (default #t)))

@@ -141,40 +143,44 @@ deploy."
              (match-lambda
                (($ <certificate-configuration> custom-name domains challenge
                                                csr authentication-hook
-                                                cleanup-hook deploy-hook)
-                 (let ((name (or custom-name (car domains))))
-                   (if challenge
-                     (append
-                      (list name certbot "certonly" "-n" "--agree-tos"
-                            "--manual"
-                            (string-append "--preferred-challenges=" challenge)
-                            "--cert-name" name
-                            "-d" (string-join domains ","))
-                      (if csr `("--csr" ,csr) '())
-                      (if email
-                          `("--email" ,email)
-                          '("--register-unsafely-without-email"))
-                      (if server `("--server" ,server) '())
-                      (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
-                      (if authentication-hook
-                          `("--manual-auth-hook" ,authentication-hook)
-                          '())
-                      (if cleanup-hook `("--manual-cleanup-hook" ,cleanup-hook) '())
-                      (list "--deploy-hook"
-                            (certbot-deploy-hook name deploy-hook)))
-                     (append
-                      (list name certbot "certonly" "-n" "--agree-tos"
-                            "--webroot" "-w" webroot
-                            "--cert-name" name
-                            "-d" (string-join domains ","))
-                      (if csr `("--csr" ,csr) '())
-                      (if email
-                          `("--email" ,email)
-                          '("--register-unsafely-without-email"))
-                      (if server `("--server" ,server) '())
-                      (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
-                      (list "--deploy-hook"
-                            (certbot-deploy-hook name deploy-hook)))))))
+                                                cleanup-hook deploy-hook
+                                                dry-run?)
+                 (append
+                  (let ((name (or custom-name (car domains))))
+                    (if challenge
+                        (append
+                         (list name certbot "certonly" "-n" "--agree-tos"
+                               "--manual"
+                               (string-append "--preferred-challenges=" challenge)
+                               "--cert-name" name
+                               "-d" (string-join domains ","))
+                         (if csr `("--csr" ,csr) '())
+                         (if email
+                             `("--email" ,email)
+                             '("--register-unsafely-without-email"))
+                         (if server `("--server" ,server) '())
+                         (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
+                         (if authentication-hook
+                             `("--manual-auth-hook" ,authentication-hook)
+                             '())
+                         (if cleanup-hook `("--manual-cleanup-hook" ,cleanup-hook) '())
+                         (list "--deploy-hook"
+                               (certbot-deploy-hook name deploy-hook)))
+                        (append
+                         (list name certbot "certonly" "-n" "--agree-tos"
+                               "--webroot" "-w" webroot
+                               "--cert-name" name
+                               "-d" (string-join domains ","))
+                         (if csr `("--csr" ,csr) '())
+                         (if email
+                             `("--email" ,email)
+                             '("--register-unsafely-without-email"))
+                         (if server `("--server" ,server) '())
+                         (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '())
+                         (list "--deploy-hook"
+                               (certbot-deploy-hook name deploy-hook)))))
+                  ;; Common options.
+                  (if dry-run? '("--dry-run") '()))))
              certificates)))
       (program-file
        "certbot-command"