Help: HTTPS and Radicale on Guix System

I’m trying to set up HTTPS and Radicale (WebDAV) on my home server. The current config builds, but TLS certs fail to generate. @fade and @ashraz said to post here.

Please share the generated config, and also the error you have. Also, if possible, share the parts of your configuration that allow us to reproduce the issue (and those parts only).[1]


  1. I’m kinda channeling my StackOverflow persona here, but a minimal, complete, reproducible example is important for both helping you, as well as helping future visitors.

Where are the generated configs?

Stripped system config:

(use-modules (gnu)
	     (guix packages)
	     (guix build-system copy)
	     (gnu packages web))
(use-service-modules mail shepherd certbot web dbus docker cups desktop networking ssh xorg)

(operating-system
  (locale "en_US.utf8")
  (timezone "America/Chicago")
  (keyboard-layout (keyboard-layout "us"))
  (host-name "farnsworth")

  ;; The list of user accounts ('root' is implicit).
  (users (cons* (user-account
                  (name "caleb")
                  (comment "Caleb Herbert")
                  (group "users")
                  (home-directory "/home/caleb")
                  (supplementary-groups '("wheel" "netdev" "audio" "video")))
                %base-user-accounts))

  ;; Packages installed system-wide.  Users can also install packages
  ;; under their own account: use 'guix search KEYWORD' to search
  ;; for packages and 'guix install PACKAGE' to install a package.
  (packages
   (append
    (map specification->package
	 '(
	   "bc"
	   "tmux"
	   ))
    %base-packages))

  ;; Below is the list of system services.  To search for available
  ;; services, run 'guix system search KEYWORD' in a terminal.
  (services
   (append (list
	    ;; WebDAV - Contacts, calendar, files
	    (service radicale-service-type
		     (radicale-configuration
		      (web-interface? #f)
		      (auth (radicale-auth-configuration
			     (type 'htpasswd)
			     (htpasswd-encryption 'bcrypt)
			     ;; File is created manually using htpasswd
			     ;; Like:
			     ;; guix shell httpd -- htpasswd -B -c radicale-users caleb
			     (htpasswd-filename "/etc/radicale/users")))))
	      (simple-service 'radicale-nginx nginx-service-type
                 (list (nginx-server-configuration
                        (listen '("443 ssl"))
                        (server-name '("dav.calebh.top"))
                        (ssl-certificate
                         "/etc/letsencrypt/live/calebh.top/fullchain.pem")
                        (ssl-certificate-key
                         "/etc/letsencrypt/live/calebh.top/privkey.pem")
                        (locations
                         (list (nginx-location-configuration
                                (uri "/")
                                (body
                                 (list
                                  "proxy_pass
http://127.0.0.1:5232/;";
                                  "proxy_pass_header
Authorization;"
                                  "proxy_set_header Host $host;"
                                  "proxy_set_header X-Forwarded-
For $proxy_add_x_forwarded_for;"
                                  "proxy_set_header X-Forwarded-
Proto $scheme;"
                                  "proxy_set_header X-Script-Name
\"\";"))))))))
	    ;; Website
	    (service nginx-service-type
              (nginx-configuration
               (server-blocks
                (list
                 (nginx-server-configuration
                  (listen '("443 ssl"))
                  (server-name '("calebh.top"))
                  (root "/srv/http/calebh.top")
                  (ssl-certificate "/etc/letsencrypt/live/calebh.top/fullchain.pem")
                  (ssl-certificate-key "/etc/letsencrypt/live/calebh.top/privkey.pem"))))))
	     (service certbot-service-type
              (certbot-configuration
               (certificates
                (list
                 (certificate-configuration
                  (name "calebh.top")
                  (domains '("calebh.top")))))))
                 ;; To configure OpenSSH, pass an 'openssh-configuration'
                 ;; record as a second argument to 'service' below.
                 (service openssh-service-type)
                 (service tor-service-type)
                 (service dhcpcd-service-type)
                 (service ntp-service-type))

           %base-services))
  (bootloader (bootloader-configuration
                (bootloader grub-bootloader)
                (targets (list "/dev/sda"))
                (keyboard-layout keyboard-layout)))
  (swap-devices (list (swap-space
                        (target (uuid
                                 "889ebe1e-508b-44b8-8a98-e87adf6f25ca")))))

  (file-systems (cons* (file-system
                         (mount-point "/boot/efi")
                         (device (uuid "8752-E079"
                                       'fat32))
                         (type "vfat"))
                       (file-system
                         (mount-point "/")
                         (device (uuid
                                  "d979d3e7-576e-4405-82c0-f54c95b41c6f"
                                  'ext4))
                         (type "ext4")) %base-file-systems)))

Command:

sudo guix system reconfigure --substitute-urls="https://bordeaux-us-east-mirror.cbaines.net/" Configs/guix/.config/guix/system/farnsworth.scm

Output:

caleb@farnsworth ~/.dotfiles$ sudo guix system reconfigure --substitute-urls="https://bordeaux-us-east-mirror.cbaines.net/" Configs/guix/.config/guix/system/farnsworth.scm
Password: 
The following derivation will be built:
  /gnu/store/kcwg7cldixmv9a3xf75qls54xm0iwx0b-grub.cfg.drv

building /gnu/store/kcwg7cldixmv9a3xf75qls54xm0iwx0b-grub.cfg.drv...

/gnu/store/xpyazpn5dfy04yrr0420fgn2rp1hqp25-system
/gnu/store/07cfcy8ivzsphzzj7ygscjcpawz708q4-grub.cfg

activating system...
making '/var/guix/profiles/system-6-link' the current system...
populating /etc from /gnu/store/vq952bxqnjp3mkn0f6jn979g6ihlzyjz-etc...
setting up privileged programs in '/run/privileged/bin'...
creating nginx log directory '/var/log/nginx'
creating nginx run directory '/var/run/nginx'
creating nginx temp directories '/var/run/nginx/{client_body,proxy,fastcgi,uwsgi,scgi}_temp'
nginx: [emerg] invalid number of arguments in "proxy_set_header" directive in /gnu/store/pvmy8qcj7q1y42iin0ixc836zndmd2qc-nginx.conf:57
nginx: configuration file /gnu/store/pvmy8qcj7q1y42iin0ixc836zndmd2qc-nginx.conf test failed
The following derivation will be built:
  /gnu/store/8zpzri4v6xabfpad16kl2bnhp6hg9hlr-install-bootloader.scm.drv

building /gnu/store/8zpzri4v6xabfpad16kl2bnhp6hg9hlr-install-bootloader.scm.drv...

guix system: bootloader successfully installed on '(/dev/sda)'
The following derivation will be built:
  /gnu/store/nbdcp2z6klzcjmmgmi43bxsf6sp68dfg-upgrade-shepherd-services.scm.drv

building /gnu/store/nbdcp2z6klzcjmmgmi43bxsf6sp68dfg-upgrade-shepherd-services.scm.drv...

shepherd: Starting service host-name...
shepherd: Service host-name started.
shepherd: Service host-name running with value "farnsworth".
shepherd: Service host-name has been started.
shepherd: Starting service user-homes...
shepherd: Service user-homes has been started.
shepherd: Starting service sysctl...
shepherd: Service sysctl has been started.
shepherd: Service user-homes has been started.
shepherd: Starting service guix-ownership...
shepherd: Service guix-ownership has been started.
shepherd: Service user-homes has been started.
shepherd: Starting service renew-certbot-certificates...
shepherd: Service renew-certbot-certificates has been started.
To complete the upgrade, run 'herd restart SERVICE' to stop,
upgrade, and restart each service that was not automatically restarted.
Run 'herd status' to view the list of services on your system.
WARNING: (guile-user): imported module (guix build utils) overrides core binding `delete'
guix system: system loaded for fast reboot with 'reboot --kexec'
guix system: warning: only 2.6 GiB of free space available on /gnu/store
hint: Consider deleting old profile generations and collecting garbage, along these lines:

     guix gc --delete-generations=1m

Added

(domains '("calebh.top" "dav.calebh.top"))

Selected messages from reconfigure:

nginx: configuration file /gnu/store/6w25jm2zkgxnhq0yld9mrb6n1hyvvrgp-nginx.conf test failed
WARNING: (guile-user): imported module (guix build utils) overrides core binding `delete'

Contents of nginx.conf:

user nginx nginx;
pid /var/run/nginx/pid;
error_log /var/log/nginx/error.log error;
events { }
http {
    client_body_temp_path /var/run/nginx/client_body_temp;
    proxy_temp_path /var/run/nginx/proxy_temp;
    fastcgi_temp_path /var/run/nginx/fastcgi_temp;
    uwsgi_temp_path /var/run/nginx/uwsgi_temp;
    scgi_temp_path /var/run/nginx/scgi_temp;
    access_log /var/log/nginx/access.log combined;
    include /gnu/store/n9d49whvb6fxjhx5nzkk9jch9bkbphsz-nginx-1.28.0/share/nginx/conf/mime.types;

    server {
      listen 443 ssl;
      server_name calebh.top ;
      ssl_certificate /etc/letsencrypt/live/calebh.top/fullchain.pem;
      ssl_certificate_key /etc/letsencrypt/live/calebh.top/privkey.pem;
      root /srv/http/calebh.top;
      index index.html ;
      server_tokens off;


    }
    server {
      listen 80;
      listen [::]:80;
      server_name calebh.top dav.calebh.top ;
      root /srv/http;
      index index.html ;
      server_tokens off;

      location /.well-known {
        root /var/www;
      }
      location / {
        return 301 https://$host$request_uri;
      }

    }
    server {
      listen 443 ssl;
      server_name dav.calebh.top ;
      ssl_certificate /etc/letsencrypt/live/calebh.top/fullchain.pem;
      ssl_certificate_key /etc/letsencrypt/live/calebh.top/privkey.pem;
      root /srv/http;
      index index.html ;
      server_tokens off;

      location / {
        proxy_pass
http://127.0.0.1:5232/;
        proxy_pass_header
Authorization;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-
For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-
Proto $scheme;
        proxy_set_header X-Script-Name
"";
      }

    }
}

Well, there’s your issue. The calebh.top certificate is only valid for calebh.top. Either add both names to a single certificate:

(service certbot-service-type
         (certbot-configuration
          (certificates
           (list
            (certificate-configuration
             (name "calebh.top")
             (domains '("calebh.top" "dav.calebh.top")))))))

or generate two:

(service certbot-service-type
         (certbot-configuration
          (certificates
           (list
            (certificate-configuration
             (name "calebh.top")
             (domains '("calebh.top")))
            (certificate-configuration
             (domains '("dav.calebh.top")))))))

For more information, see Certificate Services (GNU Guix Reference Manual).

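A check for the mismatch this reply points out, added here as an example (it is not code from the thread or from Guix): pull the TLS server blocks out of the generated nginx.conf, take the DNS names from the certificate's SAN extension, and list every server_name the certificate does not cover. NGINX_CONF is a trimmed copy of the config posted above; SAN_BEFORE and SAN_AFTER are constructed in the format `openssl x509 -in fullchain.pem -noout -ext subjectAltName` prints, for the single-name certificate and for one issued after adding dav.calebh.top to the certbot domains; wildcard handling follows the RFC 6125 rule (one label, leftmost only).

```python
"""Report nginx server_names not covered by the SANs of the certificate the
server block uses. Added example for this thread, not code from Guix."""
import re

CERT = "/etc/letsencrypt/live/calebh.top/fullchain.pem"

# Trimmed copy of the nginx.conf Guix generated for the posted configuration.
NGINX_CONF = """\
http {
    server {
      listen 443 ssl;
      server_name calebh.top ;
      ssl_certificate /etc/letsencrypt/live/calebh.top/fullchain.pem;
      root /srv/http/calebh.top;
    }
    server {
      listen 80;
      listen [::]:80;
      server_name calebh.top dav.calebh.top ;
      location / {
        return 301 https://$host$request_uri;
      }
    }
    server {
      listen 443 ssl;
      server_name dav.calebh.top ;
      ssl_certificate /etc/letsencrypt/live/calebh.top/fullchain.pem;
      location / {
        proxy_pass http://127.0.0.1:5232/;
      }
    }
}
"""

# Constructed openssl output: certificate issued for calebh.top only.
SAN_BEFORE = "X509v3 Subject Alternative Name: \n    DNS:calebh.top\n"
# Constructed openssl output: after (domains '("calebh.top" "dav.calebh.top")).
SAN_AFTER = "X509v3 Subject Alternative Name: \n    DNS:calebh.top, DNS:dav.calebh.top\n"

SAN_RE = re.compile(r"DNS:([^,\s]+)")
SERVER_OPEN_RE = re.compile(r"^server\s*\{")


def parse_san_dns_names(openssl_text):
    """DNS entries from `openssl x509 -noout -ext subjectAltName` output."""
    return SAN_RE.findall(openssl_text)


def hostname_matches(pattern, hostname):
    """RFC 6125 style: '*' is honoured only as the whole leftmost label, matches
    exactly one label, and must be followed by at least two labels."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels, hlabels = pattern.split("."), hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]


def tls_server_blocks(conf_text):
    """[(server_names, ssl_certificate)] for each server{} with an ssl listener.
    Minimal brace tracking, enough for the flat file nginx-service-type emits."""
    blocks, depth, server_depth, block = [], 0, None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if server_depth is None and SERVER_OPEN_RE.match(line):
            server_depth, block = depth + 1, {"names": [], "cert": None, "ssl": False}
        elif server_depth is not None and depth == server_depth and line.endswith(";"):
            parts = line[:-1].split()  # directives directly inside server{}, not location{}
            if parts and parts[0] == "listen" and "ssl" in parts[1:]:
                block["ssl"] = True
            elif parts and parts[0] == "server_name":
                block["names"].extend(parts[1:])
            elif parts and parts[0] == "ssl_certificate":
                block["cert"] = parts[1]
        depth += line.count("{") - line.count("}")
        if server_depth is not None and depth < server_depth:
            if block["ssl"]:
                blocks.append((block["names"], block["cert"]))
            server_depth, block = None, None
    return blocks


def uncovered_names(server_names, san_dns_names):
    return [n for n in server_names if not any(hostname_matches(p, n) for p in san_dns_names)]


def audit(conf_text, sans_by_cert):
    """cert path -> server_names with no matching SAN; empty dict means all covered."""
    problems = {}
    for names, cert in tls_server_blocks(conf_text):
        for name in uncovered_names(names, sans_by_cert.get(cert, [])):
            if name not in problems.setdefault(cert, []):
                problems[cert].append(name)
    return problems


if __name__ == "__main__":
    for label, san in (("before", SAN_BEFORE), ("after", SAN_AFTER)):
        print(label, audit(NGINX_CONF, {CERT: parse_san_dns_names(san)}) or "all server_names covered")
```

On the "before" certificate the audit reports dav.calebh.top as uncovered for the single fullchain.pem both server blocks reference; with the two-name certificate it reports nothing. Run it against the real store path of the generated nginx.conf and the real openssl output once the certificate has been issued.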

Also, about that: your configuration has broken lines.

This

                         (list (nginx-location-configuration
                                (uri "/")
                                (body
                                 (list
                                  "proxy_pass
http://127.0.0.1:5232/;";
                                  "proxy_pass_header
Authorization;"
                                  "proxy_set_header Host $host;"
                                  "proxy_set_header X-Forwarded-
For $proxy_add_x_forwarded_for;"
                                  "proxy_set_header X-Forwarded-
Proto $scheme;"
                                  "proxy_set_header X-Script-Name
\"\";"))))))))

Should be

                         (list (nginx-location-configuration
                                (uri "/")
                                (body
                                 (list
                                  "proxy_pass http://127.0.0.1:5232/;";
                                  "proxy_pass_header Authorization;"
                                  "proxy_set_header Host $host;"
                                  "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;"
                                  "proxy_set_header X-Forwarded-Proto $scheme;"
                                  "proxy_set_header X-Script-Name \"\";"))))))))

(The newlines within the options are breaking nginx)

Please fix the indentation of your configuration for your own sake :sweat_smile:

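A small linter for the `body` strings of an nginx-location-configuration, added here as an example (not code from the thread or from Guix). nginx reads a newline as whitespace, so a string broken inside a token such as X-Forwarded-For turns one argument into two, which is exactly the "invalid number of arguments in "proxy_set_header" directive" failure in the reconfigure output above. BROKEN_BODY reproduces the posted strings with the embedded line breaks, FIXED_BODY is the corrected list from this reply, and ARGC is a hand-made table of the argument counts the nginx documentation gives for the three directives involved.

```python
"""Lint directive strings destined for an nginx-location-configuration body
before `guix system reconfigure` hands the file to `nginx -t`.
Added example for this thread, not code from Guix or from the posts."""
import re

# The strings as posted; "\n" marks where each line was wrapped.
BROKEN_BODY = [
    "proxy_pass\nhttp://127.0.0.1:5232/;",
    "proxy_pass_header\nAuthorization;",
    "proxy_set_header Host $host;",
    "proxy_set_header X-Forwarded-\nFor $proxy_add_x_forwarded_for;",
    "proxy_set_header X-Forwarded-\nProto $scheme;",
    'proxy_set_header X-Script-Name\n"";',
]

# The corrected strings from the reply.
FIXED_BODY = [
    "proxy_pass http://127.0.0.1:5232/;",
    "proxy_pass_header Authorization;",
    "proxy_set_header Host $host;",
    "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;",
    "proxy_set_header X-Forwarded-Proto $scheme;",
    'proxy_set_header X-Script-Name "";',
]

# (min, max) argument counts per the nginx documentation; extend as needed.
ARGC = {
    "proxy_pass": (1, 1),
    "proxy_pass_header": (1, 1),
    "proxy_set_header": (2, 2),
}

# A token is a double-quoted string, a single-quoted string, or a run of
# non-blank, non-';' characters. Like nginx, "\n" counts as whitespace.
TOKEN_RE = re.compile(r'"(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\'|[^\s;"\']+')


def lint_directive(directive):
    """Problems with one body string; an empty list means it is acceptable."""
    problems = []
    if "\n" in directive:
        problems.append("contains a line break")
    text = directive.strip()
    if text.endswith(";"):
        text = text[:-1]
    else:
        problems.append("not terminated by ';'")
    tokens = TOKEN_RE.findall(text)
    if not tokens:
        return problems + ["empty directive"]
    name, args = tokens[0], tokens[1:]
    if name in ARGC:
        lo, hi = ARGC[name]
        if not lo <= len(args) <= hi:
            problems.append(
                f'invalid number of arguments in "{name}" directive: '
                f"got {len(args)}, expected {lo}" + ("" if lo == hi else f"-{hi}")
            )
    return problems


def lint_body(body):
    """[(directive, problems)] for every body string with at least one problem."""
    result = []
    for directive in body:
        problems = lint_directive(directive)
        if problems:
            result.append((directive, problems))
    return result


if __name__ == "__main__":
    for directive, problems in lint_body(BROKEN_BODY):
        print(repr(directive))
        for problem in problems:
            print("   ", problem)
    print("fixed body:", lint_body(FIXED_BODY) or "no problems")
```

Five of the six posted strings carry a line break, but only the two where the break fell inside a header name (X-Forwarded-For, X-Forwarded-Proto) change the argument count, which is why nginx reported a single `proxy_set_header` line rather than every wrapped directive; the linter flags both kinds so the file is fixed before the activation step runs `nginx -t`.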

Fixed indentation and added dav.calebh.top to domains. It seems to be building fine. I’ll test it some more when I get home. This may be the solution.