services: certbot: Add option to use CSR file.

* gnu/services/certbot.scm (<certificate-configuration>): Add csr field.
(certbot-command): Modify.
* doc/guix.texi (Certificate Services): Document it.

2 files changed, 16 insertions, 2 deletions

diff --git a/doc/guix.texi b/doc/guix.texi
index 15e8999447..560d7af83f 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -91,6 +91,7 @@ Copyright @copyright{} 2020 Edgar Vincent@*
 Copyright @copyright{} 2021 Maxime Devos@*
 Copyright @copyright{} 2021 B. Wilson@*
 Copyright @copyright{} 2021 Xinglu Chen@*
+Copyright @copyright{} 2021 Raghav Gururajan@*
 
 Permission is granted to copy, distribute and/or modify this document
 under the terms of the GNU Free Documentation License, Version 1.3 or
@@ -25934,6 +25935,14 @@ the documentation at @url{https://certbot.eff.org/docs/using.html#hooks}),
 and gives Let's Encrypt permission to log the public IP address of the
 requesting machine.
 
+@item @code{csr} (default: @code{#f})
+File name of Certificate Signing Request (CSR) in DER or PEM format.
+If @code{#f} is specified, this argument will not be passed to certbot.
+If a value is specified, certbot will use it to obtain a certificate, instead of
+using a self-generated CSR.
+The domain-name(s) mentioned in @code{domains}, must be consistent with the
+domain-name(s) mentioned in CSR file.
+
 @item @code{authentication-hook} (default: @code{#f})
 Command to be run in a shell once for each certificate challenge to be
 answered.  For this command, the shell variable @code{$CERTBOT_DOMAIN}
diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm
index 1c67ff63f1..1c819bef48 100644
--- a/gnu/services/certbot.scm
+++ b/gnu/services/certbot.scm
@@ -5,6 +5,7 @@
 ;;; Copyright © 2019 Julien Lepiller <julien@lepiller.eu>
 ;;; Copyright © 2020 Jack Hill <jackhill@jackhill.us>
 ;;; Copyright © 2020 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright © 2021 Raghav Gururajan <rg@raghavgururajan.name>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -55,6 +56,8 @@
                        (default '()))
   (challenge           certificate-configuration-challenge
                        (default #f))
+  (csr                 certificate-configuration-csr
+                       (default #f))
   (authentication-hook certificate-authentication-hook
                        (default #f))
   (cleanup-hook        certificate-cleanup-hook
@@ -94,8 +97,8 @@
              (map
               (match-lambda
                 (($ <certificate-configuration> custom-name domains challenge
-                                                authentication-hook cleanup-hook
-                                                deploy-hook)
+                                                csr authentication-hook
+                                                cleanup-hook deploy-hook)
                  (let ((name (or custom-name (car domains))))
                    (if challenge
                      (append
@@ -105,6 +108,7 @@
                             "--cert-name" name
                             "--manual-public-ip-logging-ok"
                             "-d" (string-join domains ","))
+                      (if csr `("--csr" ,csr) '())
                       (if email
                           `("--email" ,email)
                           '("--register-unsafely-without-email"))
@@ -120,6 +124,7 @@
                             "--webroot" "-w" webroot
                             "--cert-name" name
                             "-d" (string-join domains ","))
+                      (if csr `("--csr" ,csr) '())
                       (if email
                           `("--email" ,email)
                           '("--register-unsafely-without-email"))