[PATCH] services: certbot: Add --manual-public-ip-logging-ok for manual challenges

DoneSubmitted by Carlo Zancanaro.
Details
2 participants
  • Carlo Zancanaro
  • Ludovic Courtès
Owner
unassigned
Severity
normal
C
C
Carlo Zancanaro wrote on 10 Aug 2019 15:08
(address . guix-patches@gnu.org)
87imr588wk.fsf@zancanaro.id.au
I recently tried to configure the certbot-service with the dns challenge type. It failed, because certbot tries to ask whether you're okay with letsencrypt knowing (and potentially logging) your IP address, but within an mcron task that just fails.
The solution is to add the --manual-public-ip-logging-ok flag, so here's a patch to do that!
From 4a888155261caba0c4e11f8515a271ba33b92bc6 Mon Sep 17 00:00:00 2001From: Carlo Zancanaro <carlo@zancanaro.id.au>Date: Sat, 10 Aug 2019 22:52:50 +1000Subject: [PATCH] services: certbot: Add --manual-public-ip-logging-ok for manual challenges
* gnu/services/certbot.scm (certbot-command): Add --manual-public-ip-logging-ok flag to the certbot command when doing a manual challenge.--- gnu/services/certbot.scm | 1 + 1 file changed, 1 insertion(+)
Toggle diff (14 lines)diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scmindex ae34ad17bb..0d3be03383 100644--- a/gnu/services/certbot.scm+++ b/gnu/services/certbot.scm@@ -99,6 +99,7 @@ "--manual" (string-append "--preferred-challenges=" challenge) "--cert-name" name+ "--manual-public-ip-logging-ok" "-d" (string-join domains ",")) (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '()) (if authentication-hook-- 2.22.0
L
L
Ludovic Courtès wrote on 10 Sep 2019 23:54
(name . Carlo Zancanaro)(address . carlo@zancanaro.id.au)(address . 36998@debbugs.gnu.org)
87a7bb24x2.fsf@gnu.org
Hi Carlo,
Time flies…
Carlo Zancanaro <carlo@zancanaro.id.au> skribis:
Toggle quote (8 lines)> I recently tried to configure the certbot-service with the dns> challenge type. It failed, because certbot tries to ask whether you're> okay with letsencrypt knowing (and potentially logging) your IP> address, but within an mcron task that just fails.>> The solution is to add the --manual-public-ip-logging-ok flag, so> here's a patch to do that!
[...]
Toggle quote (9 lines)> --- a/gnu/services/certbot.scm> +++ b/gnu/services/certbot.scm> @@ -99,6 +99,7 @@> "--manual"> (string-append "--preferred-challenges=" challenge)> "--cert-name" name> + "--manual-public-ip-logging-ok"> "-d" (string-join domains ","))
Perhaps we should pass --manual-public-ip-logging-ok only when‘challenge’ has the expected value (DNS challenge type; what’s the valuefor that?), and also document that prominently in the manual?
Thanks,Ludo’.
C
C
Carlo Zancanaro wrote on 12 Sep 2019 13:20
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 36998@debbugs.gnu.org)
871rwloj60.fsf@zancanaro.id.au
Hey Ludo’,
On Wed, Sep 11 2019, Ludovic Courtès wrote:
Toggle quote (5 lines)> Perhaps we should pass --manual-public-ip-logging-ok only when > ‘challenge’ has the expected value (DNS challenge type; what’s > the value for that?), and also document that prominently in the > manual?
My understanding is that this flag is necessary for any manual challenge type, it's just that our default HTTP challenge doesn't use a "manual" challenge type. For a DNS challenge the value for challenge should be "dns".
I was a little torn about documenting it in the manual, because using the manual IP logging doesn't leak any more information than the standard HTTP challenge type. There is a certbot issue discussing the problem for manual challenges[1], and the problem is when one requests the certificate from a different machine to the one that will use the certificate. This doesn't seem to be the natural use case for the Guix certbot-service-type, so I didn't feel it was necessary to add it to the manual. I'm also fairly sure that the logged IPs are not publicly available at the moment, based on this[2] and this[3].
Given all of that, I have attached a patch with a small update to the manual. I don't think I'd describe it as "prominent", but it does mention it in an appropriate place.
Carlo
[1]: https://github.com/certbot/certbot/issues/991[2]: https://community.letsencrypt.org/t/public-logging-of-requesting-ip-addresses/64077[3]: https://community.letsencrypt.org/t/public-ip-logging/89712
From a2622f26474685378aad1b2dbf4fbcc66f14358e Mon Sep 17 00:00:00 2001From: Carlo Zancanaro <carlo@zancanaro.id.au>Date: Sat, 10 Aug 2019 22:52:50 +1000Subject: [PATCH] services: certbot: Add --manual-public-ip-logging-ok for manual challenges
* gnu/services/certbot.scm (certbot-command): Add --manual-public-ip-logging-ok flag to the certbot command when doing a manual challenge.--- doc/guix.texi | 4 +++- gnu/services/certbot.scm | 1 + 2 files changed, 4 insertions(+), 1 deletion(-)
Toggle diff (29 lines)diff --git a/doc/guix.texi b/doc/guix.texiindex 043851e418..9f550f65e1 100644--- a/doc/guix.texi+++ b/doc/guix.texi@@ -20146,7 +20146,9 @@ all domains will be Subject Alternative Names on the certificate. The challenge type that has to be run by certbot. If @code{#f} is specified, default to the HTTP challenge. If a value is specified, defaults to the manual plugin (see @code{authentication-hook}, @code{cleanup-hook} and-the documentation at @url{https://certbot.eff.org/docs/using.html#hooks}).+the documentation at @url{https://certbot.eff.org/docs/using.html#hooks}),+and gives Let's Encrypt permission to log the public IP address of the+requesting machine. @item @code{authentication-hook} (default: @code{#f}) Command to be run in a shell once for each certificate challenge to bediff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scmindex ae34ad17bb..0d3be03383 100644--- a/gnu/services/certbot.scm+++ b/gnu/services/certbot.scm@@ -99,6 +99,7 @@ "--manual" (string-append "--preferred-challenges=" challenge) "--cert-name" name+ "--manual-public-ip-logging-ok" "-d" (string-join domains ",")) (if rsa-key-size `("--rsa-key-size" ,rsa-key-size) '()) (if authentication-hook-- 2.23.0
L
L
Ludovic Courtès wrote on 16 Sep 2019 10:23
(name . Carlo Zancanaro)(address . carlo@zancanaro.id.au)(address . 36998-done@debbugs.gnu.org)
875zlsejkl.fsf@gnu.org
Hi Carlo,
Carlo Zancanaro <carlo@zancanaro.id.au> skribis:
Toggle quote (14 lines)> On Wed, Sep 11 2019, Ludovic Courtès wrote:>> Perhaps we should pass --manual-public-ip-logging-ok only when>> ‘challenge’ has the expected value (DNS challenge type; what’s the>> value for that?), and also document that prominently in the manual?>> My understanding is that this flag is necessary for any manual> challenge type, it's just that our default HTTP challenge doesn't use> a "manual" challenge type. For a DNS challenge the value for challenge> should be "dns".>> I was a little torn about documenting it in the manual, because using> the manual IP logging doesn't leak any more information than the> standard HTTP challenge type.
True. The only difference is that the Let’s Encrypt operatorsexplicitly state that they will log the IP address in this case, whereasthey may not do it otherwise.
Toggle quote (12 lines)> There is a certbot issue discussing the problem for manual> challenges[1], and the problem is when one requests the certificate> from a different machine to the one that will use the> certificate. This doesn't seem to be the natural use case for the Guix> certbot-service-type, so I didn't feel it was necessary to add it to> the manual. I'm also fairly sure that the logged IPs are not publicly> available at the moment, based on this[2] and this[3].>> Given all of that, I have attached a patch with a small update to the> manual. I don't think I'd describe it as "prominent", but it does> mention it in an appropriate place.
Yeah, there wasn’t any reaction, so it’s probably good enough. I’veapplied it now, thank you!
Ludo’.
Closed
?
Your comment

This issue is archived.

To comment on this conversation send email to 36998@debbugs.gnu.org