NixOS ACME / LetsEncrypt

84 Members
Another day, another cert renewal42 Servers

Load older messages

23 Feb 2023
@raitobezarius:matrix.orgraitobezariusHm no reload keeps the existing ones *05:04:40
4 Mar 2023

I have a NixOS test using curl to test TLS-related stuff:

webserver # * Server certificate:
webserver # *  subject: CN=*.test.nix
webserver # *  start date: Jan 30 03:41:18 2023 GMT
webserver # *  expire date: Jan 30 03:41:18 2043 GMT
webserver # *  subjectAltName does not match direct.noproxy.test.nix
webserver # * SSL: no alternative certificate subject name matches target host name 'direct.noproxy.test.nix'

I am using ACME snakeoil certs, but for some reason, my wildcard cert with CN=.test.nix and SAN=[.test.nix] is not considered as valid by curl, though openssl -showcerts -connect validates the chain properly… (I used security.pki.certificateFiles)

@raitobezarius:matrix.orgraitobezarius Does anyone understand how I can get curl to debug this or is it an instance of curl failing because the CN contain * and this is not really allowed? 19:42:06
@raitobezarius:matrix.orgraitobezariusIt seems like minica is doing this and I have no real control over this19:42:14
@raitobezarius:matrix.orgraitobezarius CN=*.test.nix and SAN=[*.test.nix] * 19:44:03
@m1cr0man:m1cr0man.comm1cr0manhave you passed the snakeoil root CA into the CA bundle for curl?20:01:33
@m1cr0man:m1cr0man.comm1cr0manoh wait I see what's wrong - you actually can't use a wildcard for 2+ nested domains20:01:51
@m1cr0man:m1cr0man.comm1cr0mannoproxy.test.nix would work, direct-noproxy.test.nix would also work, but what you have is invalid, you would need a wildcard for that subdomain20:02:16
@raitobezarius:matrix.orgraitobezarius Thanks m1cr0man:! 22:53:21
@m1cr0man:m1cr0man.comm1cr0manNo bother! :) 22:53:36
6 Mar 2023
@hexa:lossy.networkhexaon unstable-small08:15:41


@hexa:lossy.networkhexa *

Test "Can request certificate with Lego's built in web server" failed with error: "unit "acme-finished-http.example.test.target" is inactive and there are no pending jobs"

@m1cr0man:m1cr0man.comm1cr0manAmazing thank you for catching that11:25:34
@hexa:lossy.networkhexathe log is gone20:16:52
@hexa:lossy.networkhexaI'm stupid20:16:57
@hexa:lossy.networkhexashould've dumped it20:17:00
15 Mar 2023
@m1cr0man:m1cr0man.comm1cr0manthat one line is literally all I should need to reproduce it :) 20:37:07
24 Mar 2023
@hexa:lossy.networkhexaReliability via Automated Renewal Information - https://letsencrypt.org/2023/03/23/improving-resliiency-and-reliability-with-ari.html22:18:45
25 Mar 2023
@m1cr0man:m1cr0man.comm1cr0manYeah so that's interesting. We do an offline check to get around an issue where ACME would fail in containers that didn't have networking at startup. THere's an old (closed) issue about it lying around, I could probably find it through the git blame. Other than that, we do invoke lego to check renewal and that (as found during that same ticket) already does some online check. I think this is mostly a no-op for us, we already support it as best we can but we kinda need to keep the offline check to avoid that old bug.19:28:56
@m1cr0man:m1cr0man.comm1cr0manhttps://github.com/NixOS/nixpkgs/issues/85794 fixed via https://github.com/NixOS/nixpkgs/pull/114752 19:29:40
@m1cr0man:m1cr0man.comm1cr0manwhat would be really nice is if I would hurry my ass up and PR some sort of offline-ok check into lego renew so we can remove all our custom logic19:30:23
5 Apr 2023
@redstone-menace:matrix.orgredstone-menace joined the room.05:51:14
6 Apr 2023
@kadawee:cat.casakadawee joined the room.01:02:12
12 Apr 2023
@errisnotnil:matrix.orgYuddite G joined the room.09:12:01
16 Apr 2023
@errisnotnil:matrix.orgYuddite G changed their profile picture.23:09:28
26 Apr 2023
@errisnotnil:matrix.orgYuddite G changed their display name from Yuddite Pilot to Yuddite Groyper.04:49:18
@errisnotnil:matrix.orgYuddite G changed their display name from Yuddite Groyper to Yuddite G.21:02:56

There are no newer messages yet.

Back to Room ListRoom Version: 6