bug#68411: Timezone not detected from /etc/localtime
Hello,

Distopico writes:

> On 2024-01-18, Maxim Cournoyer wrote:
>
>> Hi,
>>
>> Distopico writes:
>>
>>> Apps such as Icecat or ungoogled-chromium are not able to get the
>>> correct timezone from /etc/localtime when `/etc/localtime` is a realpath
>>> maybe because it expect /etc/share/zoneinfo, with readlink partially
>>> works fine some apps, maybe related with an icu bug.[1]
>>
>> I don't know about ungoogled-chromium, but for IceCat, I had
>> investigated the problem at length in https://issues.guix.gnu.org/59368,
>> and it seems the bug is not in ICU but in Firefox, triggered in very
>> specific situations (resistFingerprinting defaults to true before user
>> prefs are loaded, and resetting the timezone fails in some javascript
>> that expects /etc/localtime to be a symlink, see:
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1817004#c8).
>
> But in icecat there are two issues, one is related with the
> /etc/localtime that expect a symlink but also there is another one
> related with firefox sandbox, you can see here that `/usr` and `/nix`
> was added to a whitelist, those paths is where they expect have the
> zoneinfo files and `/gnu` is not in that whitelist (I already reported
> to firefox), and disabling `MOZ_DISABLE_CONTENT_SANDBOX=1` it and with
> the symlink the timezone works again.

In the meantime would you be able to produce a patch adding /gnu to
their allowlist? Then we'd have to look into the javascript code to see
if we can have it understand an actual file instead of symlink.

--
Thanks,
Maxim
bug#47217: generic-html updater does not work with sqlite package
Hi!

Maxim Cournoyer skribis:

> Ludovic Courtès writes:
>
>> Léo Le Bouter skribis:
>>
>>> + (properties
>>> +`((release-monitoring-url . "https://sqlite.org/download.html;)))
>>
>> Unfortunately this page uses JavaScript. Without JS, you get:
>>
>>   sqlite-autoconf-3350200.tar.gz(2.82 MiB)
>>
>> We’d need to find a web page that directly links to the tarball, but I
>> can’t seem to find such a page.
>
> Since the SQLite website doesn't seem amenable to discover new releases,
> perhaps we could switch the source to Git and let our git updater do its
> magic?

Switching the source to Git is probably a good idea but it has
additional implications: it adds more dependencies, and there’s a risk
of a cycle with ‘git-fetch’ for those using a daemon with
builtin:git-download, although a quick check suggests we’re fine:

--8<---cut here---start->8---
$ guix graph --path git-minimal sqlite
guix graph: error: no path from 'git-minimal@2.41.0' to 'sqlite@3.42.0'
--8<---cut here---end--->8---

Ludo’.
bug#68411: Timezone not detected from /etc/localtime
On 2024-01-18, Maxim Cournoyer wrote:
> Hi,
>
> Distopico writes:
>
>> Apps such as Icecat or ungoogled-chromium are not able to get the
>> correct timezone from /etc/localtime when `/etc/localtime` is a realpath
>> maybe because it expect /etc/share/zoneinfo, with readlink partially
>> works fine some apps, maybe related with an icu bug.[1]
>
> I don't know about ungoogled-chromium, but for IceCat, I had
> investigated the problem at length in https://issues.guix.gnu.org/59368,
> and it seems the bug is not in ICU but in Firefox, triggered in very
> specific situations (resistFingerprinting defaults to true before user
> prefs are loaded, and resetting the timezone fails in some javascript
> that expects /etc/localtime to be a symlink, see:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1817004#c8).

But in icecat there are two issues, one is related with the
/etc/localtime that expect a symlink but also there is another one
related with firefox sandbox, you can see here that `/usr` and `/nix`
was added to a whitelist, those paths is where they expect have the
zoneinfo files and `/gnu` is not in that whitelist (I already reported
to firefox), and disabling `MOZ_DISABLE_CONTENT_SANDBOX=1` it and with
the symlink the timezone works again.
bug#46961: [PATCH 2/2] services: certbot: Create self-signed certificates before certbot runs
On Wed, Jan 24 2024, Carlo Zancanaro wrote:
+ ;; Due to the way certbot runs, we need to
+ ;; create the self-signed certificates in the
+ ;; archive folder and symlink them into the live
+ ;; folder. This mimics what certbot does well
+ ;; enough to make acquiring new certificates
+ ;; work.

Gah, this comment is from a previous iteration. It turns out it didn't
work as well as I thought it did. I'm happy to update this comment, but
I won't do that until I've heard back about the more substantive aspects
of the change. I'm also happy for whoever merges this to change this
comment appropriately.
bug#46961: [PATCH 0/2] Allow nginx to start before certbot has run
From time to time people have issues with setting up a new system with
certbot generating certificates for an nginx server. The issue is that
nginx won't start without being able to load certificates, but certbot
can't generate certificates (through the default HTTP challenge) without
a running nginx server.

Breaking this has generally required two reconfigures: one with nginx
configured without loading certificates, and then a second reconfigure
after running certbot to add the certificate configuration. This is a
bit of a pain, so I've made Guix generate a self-signed certificate to
allow nginx to start before certbot has run.

Unfortunately, I couldn't put the certificates in the same location as
certbot, because certbot is very particular about its directories not
existing when it requests a certificate for the first time. Rather than
try to convince it to do what I wanted, I opted to add another level of
indirection and move certificates to /etc/certs/. This is backwards
compatible, because the old /etc/letsencrypt/live/ is maintained by
certbot. The only real difference is for the initial bootstrapping of a
certificate.

Carlo Zancanaro (2):
  services: certbot: Symlink certificates to /etc/certs
  services: certbot: Create self-signed certificates before certbot runs

 doc/guix.texi            | 32 +--
 gnu/services/certbot.scm | 86 ++--
 2 files changed, 102 insertions(+), 16 deletions(-)

base-commit: ffc5fefce370f5fc01091869e13fdf525be1e0c0
--
2.41.0
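The bootstrap the cover letter describes, written here as POSIX shell functions as an added example (this is not the Guix service's own code, which is Scheme). It assumes the /etc/certs/NAME layout from the cover letter, that certbot sets RENEWED_LINEAGE to its live directory when it calls a deploy hook, and OpenSSL 1.1.1 or later for -addext.

```shell
#!/bin/sh
# Added example: placeholder certificate so nginx can start before certbot
# has obtained a real one, plus the deploy hook that swaps the real one in.
set -e

# Create a 1-day self-signed placeholder in CERT_DIR/NAME. A no-op when both
# files already exist, so it can run on every activation without clobbering
# a real certificate. Extra arguments become subjectAltName entries.
bootstrap_self_signed() {
  name=$1; cert_dir=$2; primary=$3; shift 3
  dir="$cert_dir/$name"
  if [ -e "$dir/fullchain.pem" ] && [ -e "$dir/privkey.pem" ]; then
    return 0
  fi
  mkdir -p "$dir"
  chmod 755 "$dir"
  san="subjectAltName=DNS:$primary"
  for alt in "$@"; do san="$san,DNS:$alt"; done
  # umask 077 keeps privkey.pem at 0600 whatever openssl's default file mode is.
  ( umask 077 && openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
      -subj "/CN=$primary" -addext "$san" \
      -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" 2>/dev/null )
  chmod 644 "$dir/fullchain.pem"
}

# Deploy hook body: copy the renewed lineage (certbot passes it as
# RENEWED_LINEAGE, e.g. /etc/letsencrypt/live/NAME) into CERT_DIR/NAME.
# Files are written as *.new and renamed over the old ones, so nginx never
# opens a half-written file and the placeholder is replaced in one step.
# Usage from the hook script: deploy_renewed "$RENEWED_LINEAGE" /etc/certs
deploy_renewed() {
  lineage=$1; cert_dir=$2
  dir="$cert_dir/$(basename "$lineage")"
  mkdir -p "$dir"
  ( umask 077 && cp -L "$lineage/privkey.pem" "$dir/privkey.pem.new" )
  cp -L "$lineage/fullchain.pem" "$dir/fullchain.pem.new"
  chmod 644 "$dir/fullchain.pem.new"
  mv -f "$dir/privkey.pem.new" "$dir/privkey.pem"
  mv -f "$dir/fullchain.pem.new" "$dir/fullchain.pem"
}

# True while CERT_DIR/NAME still holds the placeholder: a self-signed
# certificate has issuer == subject, a CA-issued one does not.
is_placeholder() {
  pem="$1/$2/fullchain.pem"
  [ "$(openssl x509 -in "$pem" -noout -issuer | sed 's/^issuer=//')" = \
    "$(openssl x509 -in "$pem" -noout -subject | sed 's/^subject=//')" ]
}
```

Running bootstrap_self_signed on every activation and deploy_renewed from the certbot hook gives the same ordering the patch series aims for: nginx always finds a loadable pair in /etc/certs/NAME, and the first successful certbot run replaces the placeholder atomically.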
bug#46961: [PATCH 1/2] services: certbot: Symlink certificates to /etc/certs
* gnu/services/certbot.scm (certbot-deploy-hook): New procedure. (certbot-command): Pass new deploy hook to certbot. * doc/guix.texi: Replace "letsencrypt/live" with "certs" throughout. --- doc/guix.texi| 26 +- gnu/services/certbot.scm | 34 -- 2 files changed, 45 insertions(+), 15 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index a6187690bb..2d43ab9a65 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -43,7 +43,7 @@ Copyright @copyright{} 2017, 2018, 2019 Clément Lassieur@* Copyright @copyright{} 2017, 2018, 2020, 2021, 2022 Mathieu Othacehe@* Copyright @copyright{} 2017 Federico Beffa@* -Copyright @copyright{} 2017, 2018 Carlo Zancanaro@* +Copyright @copyright{} 2017, 2018, 2024 Carlo Zancanaro@* Copyright @copyright{} 2017 Thomas Danckaert@* Copyright @copyright{} 2017 humanitiesNerd@* Copyright @copyright{} 2017, 2021 Christine Lemmer-Webber@* @@ -28117,7 +28117,7 @@ Messaging Services them. See @url{https://prosody.im/doc/letsencrypt}. @example -prosodyctl --root cert import /etc/letsencrypt/live +prosodyctl --root cert import /etc/certs @end example The available configuration parameters follow. Each parameter @@ -28820,8 +28820,8 @@ Telephony Services (welcome-text "Welcome to this Mumble server running on Guix!") (cert-required? #t) ;disallow text password logins - (ssl-cert "/etc/letsencrypt/live/mumble.example.com/fullchain.pem") - (ssl-key "/etc/letsencrypt/live/mumble.example.com/privkey.pem"))) + (ssl-cert "/etc/certs/mumble.example.com/fullchain.pem") + (ssl-key "/etc/certs/mumble.example.com/privkey.pem"))) @end lisp After reconfiguring your system, you can manually set the mumble-server 
@@ -28939,12 +28939,12 @@ Telephony Services File name of the SSL/TLS certificate used for encrypted connections. @lisp -(ssl-cert "/etc/letsencrypt/live/example.com/fullchain.pem") +(ssl-cert "/etc/certs/example.com/fullchain.pem") @end lisp @item @code{ssl-key} (default: @code{#f}) Filepath to the ssl private key used for encrypted connections. @lisp -(ssl-key "/etc/letsencrypt/live/example.com/privkey.pem") +(ssl-key "/etc/certs/example.com/privkey.pem") @end lisp @item @code{ssl-dh-params} (default: @code{#f}) @@ -32659,7 +32659,7 @@ Certificate Services Command to be run in a shell once for each successfully issued certificate. For this command, the shell variable @code{$RENEWED_LINEAGE} will point to the config live subdirectory (for -example, @samp{"/etc/letsencrypt/live/example.com"}) containing the new +example, @samp{"/etc/certs/example.com"}) containing the new certificates and keys; the shell variable @code{$RENEWED_DOMAINS} will contain a space-delimited list of renewed certificate domains (for example, @samp{"example.com www.example.com"}. @@ -32668,8 +32668,8 @@ Certificate Services @end deftp For each @code{certificate-configuration}, the certificate is saved to -@code{/etc/letsencrypt/live/@var{name}/fullchain.pem} and the key is -saved to @code{/etc/letsencrypt/live/@var{name}/privkey.pem}. +@code{/etc/certs/@var{name}/fullchain.pem} and the key is +saved to @code{/etc/certs/@var{name}/privkey.pem}. @node DNS Services @subsection DNS Services @cindex DNS (domain name system) @@ -37355,9 +37355,9 @@ Version Control Services (listen '("443 ssl")) (server-name "git.my-host.org") (ssl-certificate - "/etc/letsencrypt/live/git.my-host.org/fullchain.pem") + "/etc/certs/git.my-host.org/fullchain.pem") (ssl-certificate-key - "/etc/letsencrypt/live/git.my-host.org/privkey.pem") + "/etc/certs/git.my-host.org/privkey.pem") (locations (list (git-http-nginx-location-configuration 
@@ -38482,9 +38482,9 @@ Version Control Services (nginx-server-block (nginx-server-configuration (ssl-certificate - "/etc/letsencrypt/live/myweb.site/fullchain.pem") + "/etc/certs/myweb.site/fullchain.pem") (ssl-certificate-key - "/etc/letsencrypt/live/myweb.site/privkey.pem") + "/etc/certs/myweb.site/privkey.pem") (listen '("443 ssl http2" "[::]:443 ssl http2")) (locations (list diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm index 0c45471659..58e709f8a4 100644 --- a/gnu/services/certbot.scm +++ b/gnu/services/certbot.scm @@ -6,6 +6,7 @@ ;;; Copyright © 2020 Jack Hill ;;; Copyright © 2020 Tobias Geerinckx-Rice ;;; Copyright © 2021 Raghav Gururajan +;;; Copyright © 2024 Carlo Zancanaro ;;; ;;; This file is part of GNU Guix. ;;; @@ -87,6 +88,35 @@ (define-record-type* (body (list "return 301 https://$host$request_uri;;))
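Review bot: the Certificate Services hunk changes the documented example value of @code{$RENEWED_LINEAGE} from "/etc/letsencrypt/live/example.com" to "/etc/certs/example.com", but that variable is set by certbot itself and the new deploy hook still reads from "/etc/letsencrypt/live/" NAME, so user deploy-hook scripts will keep receiving the letsencrypt path. Either keep the original example or have certbot-deploy-hook export RENEWED_LINEAGE pointing at /etc/certs/NAME before it runs DEPLOY-HOOK-SCRIPT, and document which one the user sees.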
bug#46961: [PATCH 2/2] services: certbot: Create self-signed certificates before certbot runs
* gnu/services/certbot.scm (): Add start-self-signed? field. (generate-certificate-gexp): New procedure. (certbot-activation): Generate self-signed certificates when start-self-signed? is #t. * doc/guix.texi (Certificate services): Document start-self-signed?. --- doc/guix.texi| 6 + gnu/services/certbot.scm | 56 +--- 2 files changed, 59 insertions(+), 3 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index 2d43ab9a65..15b256d0a3 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -32664,6 +32664,12 @@ Certificate Services contain a space-delimited list of renewed certificate domains (for example, @samp{"example.com www.example.com"}. +@item @code{start-self-signed?} (default: @code{#t}) +Whether to generate an initial self-signed certificate during system +activation. This option is particularly useful to allow @code{nginx} to +start before @code{certbot} has run, because @code{certbot} relies on +@code{nginx} running to perform HTTP challenges. + @end table @end deftp diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm index 58e709f8a4..bb321a1b50 100644 --- a/gnu/services/certbot.scm +++ b/gnu/services/certbot.scm @@ -64,7 +64,9 @@ (define-record-type* (cleanup-hookcertificate-cleanup-hook (default #f)) (deploy-hook certificate-configuration-deploy-hook - (default #f))) + (default #f)) + (start-self-signed? certificate-configuration-start-self-signed? + (default #t))) (define-record-type* certbot-configuration make-certbot-configuration 
@@ -91,7 +93,10 @@ (define-record-type* (define (certbot-deploy-hook name deploy-hook-script) "Returns a gexp which creates symlinks for privkey.pem and fullchain.pem from /etc/certs/NAME to /etc/letsenctypt/live/NAME. If DEPLOY-HOOK-SCRIPT is -not #f then it is run after the symlinks have been created." +not #f then it is run after the symlinks have been created. This wrapping is +necessary for certificates with start-self-signed? set to #t, as it will +overwrite the initial self-signed certificates upon the first successful +deploy." (program-file (string-append name "-deploy-hook") (with-imported-modules '((guix build utils)) @@ -108,7 +113,8 @@ (define (certbot-deploy-hook name deploy-hook-script) "/etc/letsencrypt/live/" name "/fullchain.pem") #$(string-append "/etc/certs/" name "/fullchain.pem.new")) - ;; Rename over the top of the old ones, if there are any. + ;; Rename over the top of the old ones, just in case they were the + ;; original self-signed certificates. (rename-file #$(string-append "/etc/certs/" name "/privkey.pem.new") #$(string-append "/etc/certs/" name "/privkey.pem")) (rename-file #$(string-append "/etc/certs/" name "/fullchain.pem.new") 
@@ -182,6 +188,44 @@ (define (certbot-renewal-jobs config) #~(job '(next-minute-from (next-hour '(0 12)) (list (random 60))) #$(certbot-command config +(define (generate-certificate-gexp certbot-cert-directory rsa-key-size) + (match-lambda +(($ name (primary-domain other-domains ...) challenge +csr authentication-hook +cleanup-hook deploy-hook) + (let (;; Arbitrary default subject, with just the + ;; right domain filled in. These values don't + ;; have any real significance. + (subject (string-append "/C=US/ST=Oregon/L=Portland/O=Company Name/OU=Org/CN=" + primary-domain)) + (alt-names (if (null? other-domains) + #f + (format #f "subjectAltName=~{DNS:~a~^,~}" other-domains))) + (directory (string-append "/etc/certs/" (or name primary-domain + #~(begin + (use-modules (ice-9 format)) + (when (not (file-exists? #$directory)) + ;; Due to the way certbot runs, we need to + ;; create the self-signed certificates in the + ;; archive folder and symlink them into the live + ;; folder. This mimics what certbot does well + ;; enough to make acquiring new certificates + ;; work. + (mkdir-p #$directory) + (chmod #$directory #o755) + (invoke #$(file-append openssl "/bin/openssl") + "req" "-x509" + "-newkey" #$(string-append "rsa:" (or rsa-key-size "4096")) + "-keyout" #$(string-append directory "/privkey.pem") + "-out" #$(string-append directory "/fullchain.pem") + "-sha256" + "-days" "1" ; Only one day, because we expect certbot to run + "-nodes" + "-subj" #$subject +
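Review bot: in the generate-certificate-gexp hunk, the guard `(when (not (file-exists? #$directory))` skips generation whenever the directory exists, even if privkey.pem or fullchain.pem are missing (an interrupted earlier activation, or a directory created by hand), which leaves nginx in exactly the unstartable state this series is meant to fix; checking for the two .pem files instead of the directory would be more robust. The same hunk sets the directory to #o755 but says nothing about the key file, so privkey.pem's mode depends on the openssl version's default; an explicit `(chmod (string-append directory "/privkey.pem") #o600)` after the invoke would pin it. The block comment about the archive folder and symlinks no longer matches what the code does (it writes straight into /etc/certs/NAME), as the author notes in the follow-up; and `(string-append "rsa:" (or rsa-key-size "4096"))` assumes rsa-key-size is a string, which is worth confirming against how certbot-command passes the same field to certbot.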
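Review bot: the certbot-deploy-hook docstring hunk keeps the context line "to /etc/letsenctypt/live/NAME", which is a typo for letsencrypt and would be a good drive-by fix since the docstring is being edited anyway; the new sentence "This wrapping is necessary for certificates with start-self-signed? set to #t" would also read better as "This wrapper also replaces the initial self-signed certificate on the first successful deploy", since the copy-and-rename is needed for every certificate, not only the self-signed case.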