| 8 Jan 2022 |
 m1cr0man | not I'm not assuming the acme group was used for the cert, even. I can imagine someone assigning a group at some stage, later needing to use the certs for another service, and assigning that new service's user to whatever group was assigned to the cert (aka, being lazy and not standardising on the acme group) | 16:15:59 |
 Winter (she/her) | Oh, that’s… much simpler than what I was thinking. | 16:18:27 |
| Winter (she/her) | I have absolutely no clue how I didn’t think of that 🤦♀️ | 16:18:41 |
| Winter (she/her) | Sorry about that | 16:18:49 |
| Winter (she/her) | * Oh, that’s… much simpler than what I was thinking (and much more obvious). | 16:19:18 |
| Winter (she/her) | * Sorry about that! | 16:19:27 |
| m1cr0man | Hah no bother! 😅 I mean, it's not that simple really, there's a lot of nesting there, and a lot of background info required | 17:01:36 |
| m1cr0man | Winter (she/her) sorry meant to approve that earlier in the night but done now, nice job | 23:04:53 |
| Winter (she/her) | you did half of the work tbh, but thanks! | 23:05:18 |
| 9 Jan 2022 |
| m1cr0man | Aaaand I'm finally using wildcard certs for my own domain, lol. It sounds kinda bad given I maintain it, but really I was maintaining a much larger system using acme + DNS challenges up until last year | 01:20:40 |
| 10 Jan 2022 |
| m1cr0man | whOOOps. I was today years old when I learned that a wildcard cert would not actually cover the root of the domain :P Matrix synapse silently broke overnight, since everyone started rejecting my domain | 19:24:44 |
| Winter (she/her) | Oh yeah I learned that too lol, I just changed to adding the wildcard to extraDomains and keeping it named the root domain | 19:40:37 |
| Winter (she/her) | Very fun | 19:40:43 |
 hexa | In reply to @m1cr0man:m1cr0man.com
whOOOps. I was today years old when I learned that a wildcard cert would not actually cover the root of the domain :P Matrix synapse silently broke overnight, since everyone started rejecting my domain you mean … the origin? | 20:11:18 |
| hexa | fwiw, *.example.com cannot be the common name, and therefore not the only SAN | 20:11:41 |
| hexa | so I added example.com | 20:11:51 |
| hexa | how did you get around that limitation? | 20:12:01 |
| Winter (she/her) | In reply to @hexa:lossy.network
how did you get around that limitation? are you asking about a certificate whose only domain is a wildcard? | 20:13:24 |
| hexa | yep | 20:13:35 |
| Winter (she/her) | i’m not sure — it just worked for me until i realized I needed to also add the root domain | 20:14:09 |
| m1cr0man | Yeah, it just worked for me too | 20:14:57 |
| m1cr0man | it wasn't until I tried to browse to my root domain did I realise it wasn't working. I did the same as winter..but also the opposite :P I put my root domain in the SANs | 20:15:32 |
| hexa | security.acme.certificates."*.example.com" worked for you? | 20:15:54 |
| m1cr0man | fwiw, this is what I've document as "the way" on the nixos manual, so I gotta fix that | 20:15:56 |
| hexa | * security.acme.certificates."*.example.com" worked for you? | 20:16:01 |
| m1cr0man | no :) I did it the way it it is in the manual | 20:16:08 |
| hexa | who the hell reads the manual | 20:16:14 |
| m1cr0man | so the key is "m1cr0man.com", but I manually set the domain attr to "*.m1cr0man.com" | 20:16:28 |
| hexa | haha okay | 20:16:35 |
| m1cr0man | ... you know swapping the SAN and domain makes a lot of sense now winter lol | 20:16:39 |
