NixOS ACME / LetsEncrypt (!MthpOIxqJhTgrMNxDS:nixos.org)

Room topic: Another day, another cert renewal

10 Jan 2022
[20:35:07] Winter (she/her) (@winterqt:nixos.dev): In terms of time
[20:36:08] m1cr0man (@m1cr0man:m1cr0man.com): It'd be nice if there was some automation to it, like if two members of the target team approve it, it gets merged
[20:39:20] Winter (she/her) (@winterqt:nixos.dev): Not a bad idea
~~RFC time?~~
[20:39:45] hexa (@hexa:lossy.network):
In reply to @winterqt:nixos.dev: "it was not my intention at all to come off as pushy or demanding or anything like that, as I fear I may be coming off as"
don't worry about it, I think it's just fair to let you know my boundaries in return. does that sound ok?
[20:40:24] hexa (@hexa:lossy.network): like nixpkgs committers are few in number given the amount of changes we need to review, so it's a mess anyway
[20:44:56] Winter (she/her) (@winterqt:nixos.dev):
In reply to @hexa:lossy.network: "don't worry about it, I think it's just fair to let you know my boundaries in return. does that sound ok?"
that's completely fine yeah, i can't even begin to fathom how much work it is
[20:46:45] m1cr0man (@m1cr0man:m1cr0man.com):
In reply to @winterqt:nixos.dev: "Not a bad idea ~~RFC time?~~"
painful effort noises
[20:47:17] hexa (@hexa:lossy.network): I think we need to talk about maintainer expectations first
[20:57:54] Winter (she/her) (@winterqt:nixos.dev): What maintainers are you talking about specifically?
[20:58:03] Winter (she/her) (@winterqt:nixos.dev): Like, module maintainers, nixpkgs committers?
[21:02:27] hexa (@hexa:lossy.network): package, module and test maintainers
[21:02:58] hexa (@hexa:lossy.network): basically committing to something and saying when you can no longer fulfill that commitment
[21:28:11] Winter (she/her) (@winterqt:nixos.dev): ah
20 Jan 2022
[08:30:51] andi- (@andi:kack.it) left the room.
24 Jan 2022
[20:38:04] m1cr0man (@m1cr0man:m1cr0man.com): Wrt https://github.com/NixOS/nixpkgs/pull/156562, is this a concern? "Warning: a test defined in passthru.tests did not pass" The passthru test is the acme test.
[20:39:18] hexa (@hexa:lossy.network): they were built by ofborg
[20:39:35] hexa (@hexa:lossy.network): https://github.com/NixOS/nixpkgs/runs/4925831593
[20:39:45] hexa (@hexa:lossy.network): https://github.com/NixOS/nixpkgs/runs/4925858190
[20:41:39] m1cr0man (@m1cr0man:m1cr0man.com): ah awesome ok :)
[20:59:30] Winter (she/her) (@winterqt:nixos.dev): I wonder why r-ryantm failed but not OfBorg 🤔
[21:01:46] m1cr0man (@m1cr0man:m1cr0man.com): If it's acme test pseudo-randomness, I was really under the impression I had fixed all that 😢
27 Jan 2022
[12:41:26] m1cr0man (@m1cr0man:m1cr0man.com): So I hear LE is about to nuke some certs. https://www.theregister.com/2022/01/26/lets_encrypt_certificates/ this shouldn't affect most NixOS users since you'd have to really get into the weeds to configure TLS-ALPN-01 validation
31 Jan 2022
[03:22:33] Winter (she/her) (@winterqt:nixos.dev): in renewService, why is network-online.target in wants and after, but network.target isn't in wants (but is in after)?
[03:22:36] Winter (she/her) (@winterqt:nixos.dev): any reason?
[10:05:42] Arian (@arianvp:matrix.org): There is no point in actively pulling in network.target. see https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/
[10:06:30] Arian (@arianvp:matrix.org): But we can probably remove the network.target altogether if network-online.target is used
2 Mar 2022
[01:01:25] iclanzan (@iclanzan:matrix.org):

I’ve upgraded NixOS to a recent commit from unstable and ACME is not working anymore. All I see in the logs is:

Failed to start Renew ACME certificate for example.com.
acme-example.com.service: Failed to load environment files: No such file or directory
acme-example.com.service: Failed to run 'start' task: No such file or directory
acme-example.com.service: Failed with result 'resources'.

over and over again. (I replaced my actual domain with example.com)
I am using the cloudflare DNS challenge.

Does anyone have any pointers as to how I could debug this?

[09:33:15] hexa (@hexa:lossy.network): start looking at the systemd unit
[09:33:26] hexa (@hexa:lossy.network): look for what paths are actually missing
4 Mar 2022
[19:34:56] Winter (she/her) (@winterqt:nixos.dev):

m1cr0man: so do you remember #153942? i didn't notice it at the time but the issue that it solved may be able to be made redundant.

https://github.com/NixOS/nixpkgs/commit/81a67a3353b09c0abade5f2d17e91d23873fc7fb added SupplementalGroups=acme if ACME certs are used to the Caddy service, which gives the Caddy service access to the certs no matter what group the Caddy service user is a part of. (In fact, I think my assertions made it so you'd have to add the acme group to the caddy user, even if it would work fine without it due to SupplementalGroups, whoops.)

I think we can make this change across the board, and (potentially) remove the assertions? Let me know what you think.
