Certificate Services

The (gnu services certbot) module provides a service to automatically obtain a valid TLS certificate from the Let’s Encrypt certificate authority. These certificates can then be used to serve content securely over HTTPS or other TLS-based protocols, with the knowledge that the client will be able to verify the server’s authenticity.

Let’s Encrypt provides the certbot tool to automate the certification process. This tool first securely generates a key on the server. It then makes a request to the Let’s Encrypt certificate authority (CA) to sign the key. The CA checks that the request originates from the host in question by using a challenge-response protocol, requiring the server to provide its response over HTTP. If that protocol completes successfully, the CA signs the key, resulting in a certificate. That certificate is valid for a limited period of time, and therefore to continue to provide TLS services, the server needs to periodically ask the CA to renew its signature.

The certbot service automates this process: the initial key generation, the initial certification request to the Let’s Encrypt service, the web server challenge/response integration, writing the certificate to disk, and the automated periodic renewals.

Scheme Variable: certbot-service-type

A service type for the certbot Let’s Encrypt client.

Data Type: certbot-configuration

Data type representing the configuration of the certbot service. This type has the following parameters:

package (default: certbot)

The certbot package to use.

webroot (default: /var/www)

The directory from which to serve the Let’s Encrypt challenge/response files.

hosts (default: ())

A list of hosts for which to generate certificates and request signatures.

default-location (default: see below)

The default nginx-location-configuration. Because certbot needs to be able to serve challenges and responses, it needs to be able to run a web server. It does so by extending the nginx web service with an nginx-server-configuration listening on the hosts on port 80, and which has an nginx-location-configuration for the /.well-known/ URI path subspace used by Let’s Encrypt. See Web Services, for more on these nginx configuration data types.

Requests to other URL paths will be matched by the default-location, which if present is added to all nginx-server-configurations.

By default, the default-location will issue a redirect from http://host/... to https://host/..., leaving you to define what to serve on your site via https.

Pass #f to not issue a default location.

The public key and its signatures will be written to /etc/letsencrypt/live/host/fullchain.pem, for each host in the configuration. The private key is written to /etc/letsencrypt/live/host/privkey.pem.
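As an added example (not part of the Guix manual or the certbot service itself), the following fragment shows how the certbot service and an nginx TLS virtual host fit together: certbot takes port 80 for the challenge path and the https redirect, and one server block per host on port 443 points at the files certbot writes under /etc/letsencrypt/live/host/. The host names, the /srv/http document roots and the %tls-services variable are placeholders chosen for the example; append the resulting list to the services field of an operating-system declaration.

```scheme
;; Added example: certbot plus per-host nginx TLS server blocks.
;; Host names and document roots below are placeholders.
(use-modules (gnu services)
             (gnu services certbot)
             (gnu services web))

;; Hosts for which certbot should obtain and renew certificates.
(define %tls-hosts '("www.example.org" "example.org"))

;; Certbot writes one certificate per host, so each host gets its own
;; server block referencing that host's fullchain.pem and privkey.pem.
;; Listening on 443 only: port 80 is already served by the
;; nginx-server-configuration that certbot adds (challenge files under
;; /.well-known/ plus the default-location redirect to https).
(define (tls-server-block host)
  (nginx-server-configuration
   (server-name (list host))
   (listen '("443 ssl"))
   (ssl-certificate
    (string-append "/etc/letsencrypt/live/" host "/fullchain.pem"))
   (ssl-certificate-key
    (string-append "/etc/letsencrypt/live/" host "/privkey.pem"))
   (root (string-append "/srv/http/" host))))

(define %tls-services
  (list
   ;; Key generation, ACME request, challenge serving from webroot,
   ;; and periodic renewal are all handled by this service.
   (service certbot-service-type
            (certbot-configuration
             (webroot "/var/www")
             (hosts %tls-hosts)))
   ;; The https side of each site, built from the certbot output paths.
   (service nginx-service-type
            (nginx-configuration
             (server-blocks (map tls-server-block %tls-hosts))))))
```

Until the first certificate has been issued the 443 server blocks reference files that do not yet exist, so nginx will refuse to start; on a fresh deployment, reconfigure with the certbot service alone first, then add the TLS server blocks once the files under /etc/letsencrypt/live/ are present.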
