Last-Modified: 2023-03-21T17:38:48+00:00
SPDX-License-Identifier: CC0-1.0
SPDX-FileCopyrightText: 2023 Bruno Victal

Tackling the certbot problem

** blurb the problem **
** blurb control flow **

certbot-service-type consists of:

* shepherd-service-extension
* Dummy HTTP server for the http-challenge. [ conditional ]
  This is only added if an http-challenge exists.
  !!! It has to shut down the other HTTP server though... unless that server agrees to extend itself (i.e. this dummy only runs once at reconfigure time, at boot time, or when no certificate is available yet).

The main certbot users, i.e. nginx-service-type etc., will have to put a dependency on this service.

# Solution I: Generalized ACME service

Abstract the backends away by using an acme-service-type front that is responsible for coordinating which backends to use. This could be accomplished in multiple ways:

* A homegrown ACME client in Guile.
* A mix of ACME clients, such as certbot + dehydrated, since TLS-ALPN-01 is unavailable with certbot.
* Any AIO ACME client. (which one?)

# Solution II: Split the HTTP-01 challenge into HTTP-01-IPv6 / HTTP-01-shared

## HTTP-01-IPv6

Assigns either a user-specified IP, a DHCPv6 one using a user-specified DUID, or automatically generates one using SLAAC. In the DHCPv6 case, the DUID should be different from the one “normally used”, as we want an IP that is “free”. Using DHCPv6 also makes it easier to manage the network firewalling policies. In the SLAAC case, it might be useful to have PCP / UPnP integration for firewall auto-configuration.

## HTTP-01-shared

The present case with Guix: extend nginx with a location.

## OR: additional HTTP-01-shared-forced // better names requested

Forcefully shuts the web server down, renews, and brings it back up.
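What the conditional "dummy HTTP server for the http-challenge" above has to do, as an added Python example (not Guix or Guile code from the project): answer only `/.well-known/acme-challenge/<token>` with the RFC 8555 key authorization (`token "." base64url(SHA-256(account key thumbprint))`) and 404 everything else, so that when it holds port 80 in place of nginx it exposes nothing more. The token and JWK values are constructed; it assumes the shepherd side stops the real web server before `serve()` and calls `.shutdown()` on the returned server once the certificate is issued.

```python
import base64
import hashlib
import json
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Added example, not Guix code. Only this prefix is ever served.
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def key_authorization(token: str, account_jwk: dict) -> str:
    """token.thumbprint; the thumbprint is SHA-256 over the canonical JSON of
    the key's required members only (RFC 7638), so "kid"/"alg" are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[account_jwk["kty"]]
    canonical = json.dumps({k: account_jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return f"{token}.{b64url(hashlib.sha256(canonical.encode()).digest())}"

def route(path: str, challenges: dict) -> tuple:
    """Pure lookup used by the handler: (200, key authorization) for a known
    token, (404, b"") for any other prefix, sub-path, or unknown token."""
    if not path.startswith(CHALLENGE_PREFIX):
        return 404, b""
    token = path[len(CHALLENGE_PREFIX):]
    # ACME tokens are base64url, so "/" or "." can never be one we issued.
    if not token or "/" in token or "." in token or token not in challenges:
        return 404, b""
    return 200, challenges[token].encode("ascii")

class ChallengeHandler(BaseHTTPRequestHandler):
    challenges: dict = {}  # token -> key authorization, set by serve()

    def do_GET(self):
        status, body = route(self.path.split("?", 1)[0], self.challenges)
        self.send_response(status)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the responder quiet
        pass

def serve(challenges: dict, port: int = 80) -> ThreadingHTTPServer:
    """Start the responder in a daemon thread; the caller .shutdown()s it
    once the ACME order has been finalized and the real web server returns."""
    ChallengeHandler.challenges = challenges
    srv = ThreadingHTTPServer(("0.0.0.0", port), ChallengeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv
```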