| 17 Aug 2021 |
 @grahamc:nixos.org | I also wonder if there is a good way to communicate that extraLegoFlags isn't the same as adding the same value to bothextraLegoRunFlags and extraLegoRenewFlags (position in the command is different) my naive reading of the options left me thinking it would be the same | 20:38:09 |
| @grahamc:nixos.org | For some backstory I needed to add "--preferred-chain" "ISRG Root X1" to extraLegoRunFlags to get an ipxe-compatible certificate a few months ago. A couple days ago the certificate was renewed without that flag, so I moved it from extraLegoRunFlags to extraLegoFlags -- this didn't work, so then I copied the block and added it to both Run and Renew. To make it stick, I rm -rf'd the acme directory because in the past I've had a hard time making it do what I expected by deleting anything less. | 20:42:28 |
| 3 Sep 2021 |
|  mbprtpmnr joined the room. | 04:07:41 |
| 5 Sep 2021 |
|  ilkecan joined the room. | 13:04:05 |
| 6 Sep 2021 |
| mbprtpmnr | Hi everyone. | 06:16:08 |
| 17 Sep 2021 |
|  pinecamp joined the room. | 02:26:32 |
| 24 Sep 2021 |
 hexa | https://github.com/NixOS/nixpkgs/pull/139311 | 13:21:37 |
| hexa | fallout from the hardening changes | 13:21:50 |
| 25 Sep 2021 |
|  sugi joined the room. | 15:03:27 |
| 30 Sep 2021 |
|  Robby O'Connor joined the room. | 01:17:56 |
| Robby O'Connor left the room. | 05:50:09 |
| 4 Oct 2021 |
 aanderse | any chance we need to update LEGO? ... or iunno... anything? i think the letsencrypt root cert expired recently and one of my certs is having issues when being used with prosody
i don't have many details, sorry, short on time | 12:11:11 |
| hexa | I don't believe so | 12:14:30 |
| hexa | the reason letsencrypt failed on many systems is that they don't handle cross-signed roots, where one signatory expired, and the other one is still valid | 12:15:53 |
| hexa | * the reason letsencrypt failed on many systems is that they don't handle cross-signed roots, where one signatory expired, and the other one is still valid, well | 12:16:15 |
| hexa | there is certainly a way to get your server cert without the cross-signing (isrg x1 root only) | 12:16:50 |
| hexa | but you are trading breakages in one way or another | 12:17:09 |
| aanderse | in this specific example i have a single cert for a single domain - i load that cert into prosody, then when trying to connect with my jabber client i get "The certificate chain presented is invalid." | 12:20:16 |
| hexa |
--preferred-chain="ISRG Root X1"
| 12:20:31 |
| aanderse | like i said... low on time, so i really appreciate the quick save | 12:21:42 |
| aanderse | just moved... it has been a self inflicted nightmare 😉 | 12:21:57 |
 Dandellion | I have the following nginx configuration for one of my services:
services.nginx.virtualHosts."hydrus.dodsorf.as" = {
enableACME = true;
onlySSL = true;
locations."/.well-known/matrix/server" = {
return = ''
200 '{"m.server": "hydrus.dodsorf.as:443"}'
'';
extraConfig = ''
default_type application/json;
'';
};
locations."~ ^/_matrix/media/r0/download/hydrus.dodsorf.as/(?<sha>[A-Fa-f0-9]+)" = {
proxyPass = "http://192.168.10.50:45869/get_files/file?hash=$sha";
extraConfig = ''
proxy_set_header Hydrus-Client-API-Access-Key <some-key>;
'';
};
};
which for some reason fails with
Oct 04 12:41:19 lilith acme-hydrus.dodsorf.as-start[2233969]: 2021/10/04 12:41:19 [INFO] [hydrus.dodsorf.as] acme: Could not find solver for: tls-alpn-01
Oct 04 12:41:19 lilith acme-hydrus.dodsorf.as-start[2233969]: 2021/10/04 12:41:19 [INFO] [hydrus.dodsorf.as] acme: use http-01 solver
Oct 04 12:41:19 lilith acme-hydrus.dodsorf.as-start[2233969]: 2021/10/04 12:41:19 [INFO] [hydrus.dodsorf.as] acme: Trying to solve HTTP-01
Oct 04 12:41:25 lilith acme-hydrus.dodsorf.as-start[2233969]: 2021/10/04 12:41:25 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/36912141660
Oct 04 12:41:25 lilith acme-hydrus.dodsorf.as-start[2233969]: 2021/10/04 12:41:25 error: one or more domains had a problem:
Oct 04 12:41:25 lilith acme-hydrus.dodsorf.as-start[2233969]: [hydrus.dodsorf.as] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://hydrus.dodsorf.as/.well-known/acme-challenge/pxMFKnR4CI8fzgQzwoeXYDegD-Beb3zVJW9sdbd4pB0 [51.174.193.44]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body>\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>nginx</center>\r\n"
Does someone here know of the top of your head why?
| 12:26:40 |
| hexa | some location block shadowing the webroot? | 12:29:23 |
| aanderse | hexa: your suggestion was to add this to my security.acme.certs."example.org" configuration, right?
extraLegoRunFlags = [ "--preferred-chain=\"ISRG Root X1\"" ];
extraLegoRenewFlags = [ "--preferred-chain=\"ISRG Root X1\"" ];
| 12:36:29 |
| hexa | something along those lines | 12:36:44 |
| hexa | isn't that basically extraLegoFlags if you are adding it to both? | 12:36:56 |
| aanderse | extraLegoFlags complained the flag didn't exist | 12:37:09 |
| hexa | then it might be run only | 12:37:18 |
| aanderse | i put it in run and renew and i got my cert | 12:37:45 |
| aanderse | but pidgin still complains | 12:37:49 |
