[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[bug#29467] [PATCH] web: Don't error about missing ssl related files.

From: julien lepiller
Subject: [bug#29467] [PATCH] web: Don't error about missing ssl related files.
Date: Tue, 05 Dec 2017 12:23:39 +0100
User-agent: Roundcube Webmail/1.3.3

Le 2017-12-05 12:14, address@hidden a écrit :

julien lepiller <address@hidden> skribis:

Le 2017-11-27 09:26, Christopher Baines a écrit :
Erroring here prevents doing things like building a system using
nginx on a
different machine from where it's intended to be deployed, or creating
containers and VMs that use the ssl-certificate parts of the nginx
configuration, without also getting these files to exist.

* gnu/services/web.scm (emit-nginx-server-config): Don't error on
missing ssl
  related files.
 gnu/services/web.scm | 10 ----------
 1 file changed, 10 deletions(-)

diff --git a/gnu/services/web.scm b/gnu/services/web.scm
index 9d713003c..1af32278c 100644
--- a/gnu/services/web.scm
+++ b/gnu/services/web.scm
@@ -191,16 +191,6 @@ of index files."
             (syntax-parameterize ((<> (identifier-syntax x*)))
               (list tail ...))
-    (for-each
-     (match-lambda
-      ((record-key . file)
-       (if (and file (not (file-exists? file)))

There’s another problem: ‘file-exists?’ checks the current machine,
under the current root file system.  That check doesn’t work if you do
“guix system init config.scm /some/other/root”, or if you create a
container, or with the envisioned “guix system reconfigure --remote”.

Hi, when configuring nginx for the first time, users will probably
forget to
configure ssl properly. The default is to enable ssl and find
certificates in
/etc/nginx. When these files don't exist, nginx will fail to start and
at least
one user complained it was hard to debug. This code was introduced to
such a mistake.

Yes, I agree that it’s nice to have early error reports.

Maybe we should set the default to #f (but then users would have to
more fields to enable https). Maybe we should add a configuration
option like
warn-only? (default to #f) to only warn about missing files. Or maybe
a way to show nginx that another service is providing that file?

Good questions.

We cannot check for file existence at configuration time for the reasons

We cannot check for file existence at build time because certificates
may be part of the machine’s state; they are typically managed in a
stateful fashion, outside of GuixSD.

So the only option we’re left with is checking at run time, when we
start the service.  But that’s something nginx already does, I think?

As for the default, I would be in favor of setting it to #f, because I
can’t really think of a default that would work for everyone.


Having it default to #f is fine with me. Nginx does this check at runtime
and will refuse to start if these files are missing. Keeping https-port
to 443 and certificates to #f means it will not be able to establish a
connection to the client, but the http website will be available. So just
setting the key and the certificate to #f by default should be OK.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]