!MthpOIxqJhTgrMNxDS:nixos.org

NixOS ACME / LetsEncrypt

104 Members
Another day, another cert renewal44 Servers

Load older messages

SenderMessageTime
10 Nov 2024
@emilazy:matrix.orgemilybut I think we have to acknowledge that we have basically constructed the equivalent of this out of a morass of shell scripts, services, and targets wrapped around a tiny core of lego, and that it's hurting us02:18:08
@emilazy:matrix.orgemilysince, well, that does not make a very good programming language for a complex lifecycle management service :)02:18:51
@m1cr0man:m1cr0man.comm1cr0man

Personally, I don't hate the fact that we've used systemd to achieve this. It is an always running daemon that communicates with the rest of the system 😉 and it integrates very nicely with the lifecycle of services which depend on acme certs. However we are definitely pushing (and actual exceeding) its limits in terms of what it can achieve.

As you said, it has been an organic evolution over many years for many use cases. I want to give refactoring one good go before investigating alternative solutions/replacement to the stack we have today. Perhaps there is something that would make life easier as maintainers, but from what feedback I've heard, people are generally happy with cert management today.

02:28:27
@emilazy:matrix.orgemilywe are ultimately gluing two tools together, neither of which was designed for what we're doing with it :/02:31:26
@emilazy:matrix.orgemilywhich IMO went okay until the drift between what they're capable of and the model they're designed for, and what we actually need, became clear and we had to work around that02:32:06
@emilazy:matrix.orgemilyall I can say is that I understand why Caddy gave up on LEGO, and they didn't even have the penalty of trying to express all the lifecycle logic and rate limiting in terms of a Unix service manager 😅02:33:01
@emilazy:matrix.orgemilyI don't think we should have a target that represents all certificate renewals and gate every use of certificates on all certificates, if that's what you mean02:33:31
@emilazy:matrix.orgemilythat'll scale pretty badly when you have a ton of certs02:33:35
@m1cr0man:m1cr0man.comm1cr0manI understand what you're saying yeah. Wrt the target thing - it's not so much that I want to put up a gate, but I want to provide a simpler method for resolving the dependency chain. In deployments where many certs are in use that I have observed, almost all of them are a dependency of the service(s) they are attached to. In practicality, I don't think there would be a significant difference between dependencies per cert vs generalized targets. At the very least, a selfsigned target would go a long way.02:38:56
@m1cr0man:m1cr0man.comm1cr0manhttps://github.com/NixOS/nixpkgs/pull/355087 first big refactoring PR22:32:19
@m1cr0man:m1cr0man.comm1cr0manIf there's any maintainers about, I think this PR is good to merge also https://github.com/NixOS/nixpkgs/pull/348344 22:34:17
@k900:0upti.meK900
In reply to @m1cr0man:m1cr0man.com
If there's any maintainers about, I think this PR is good to merge also https://github.com/NixOS/nixpkgs/pull/348344
Merged that 		22:44:00
@k900:0upti.meK900
In reply to @m1cr0man:m1cr0man.com
https://github.com/NixOS/nixpkgs/pull/355087 first big refactoring PR
This scares me but in a good way 		22:44:06
@m1cr0man:m1cr0man.comm1cr0man
In reply to @k900:0upti.me
This scares me but in a good way
What I will do next will surely terrify and amaze 🧛‍♂️ 		22:45:04
@m1cr0man:m1cr0man.comm1cr0man
In reply to @k900:0upti.me
Merged that
Thanks a mil 		22:45:19
11 Nov 2024
@m1cr0man:m1cr0man.comm1cr0man

This open, 2020 ticket is peak ACME module: https://github.com/NixOS/nixpkgs/issues/106862

This is actually a variant of what K900 saw yesterday wrt webserver startup ordering. It duplicates/affects this recent ticket too. I also found the reason why we check cert expiry ourselves (I recall there being an issue with container startup also? But I can't find any reference to it. Please link if you know of it.).

I see two ways to frame this issue more generally, each with very different solutions:

  1. "ACME renewal does not reliably wait on external dependencies"

In this case, we need to have a reliable mechanism for configuring services which may affect cert renewability to be started before renewal is attempted. One solution is to add an acme-renewal-dependencies.target and add service modules to it as required on a best effort basis. I'm sure issues will be opened if we miss something, as they have been historically.

Sadly this only half-solves the problem. Running != listening, and systemd only accounts for the former in most cases (non-notify services). Socket units were suggested before (I do understand them now 😉) but that is a monumentous task for all the dependencies.
We could do some naive tests and delays like CURLing the configured ACME server and checking for a listening on port 80, but that just feels wrong.

  1. "ACME renewal does not gracefully handle failures"

This is actually untrue - we do have systemd Restart directives configured on the units. The problem is that this causes start jobs to fail, and dependent services to not start or work. What we really want(ed) is a way to gracefully retry, where we don't fail the job. We could add some sort of retry logic to the script and do away with systemd's retry logic, but again feels like reinventing the systemd retry logic in a crude way.

I would love to reduce flakiness and remove scripts (the logic for checking renewal date) at the same time, but we're stuck with a limited toolset to solve this.

My feeling right now is that we should at least implement solution 1 and get dependency ordering right for non-failure scenarios. Despite the caveats, I still think this would be a significant improvement. I wish I could say with confidence that this would solve test flakiness, but it probably won't.

01:04:00
@arianvp:matrix.orgArianIt's peak because we opened it ourselves and then ignored it for 5 years07:51:12
@arianvp:matrix.orgArian😂😭07:51:19
@m1cr0man:m1cr0man.comm1cr0manYep! 😁09:40:41
@thinkchaos:matrix.orgThinkChaos joined the room.17:17:34
@thinkchaos:matrix.orgThinkChaos For simplifying the max concurrency, sem from GNU parallel seems like the right tool: https://man.archlinux.org/man/sem.1
The cert ExecStart would look like sem --id nixos-acme --fg --max-procs ${cfg.maxConcurrentRenewals} 'lego ...' 		18:47:12
@thinkchaos:matrix.orgThinkChaos Account creation is still messy and I think the best thing would be to write a small CLI that creates the account and write the info where lego will look for it.
So one acme-account-${escaped-email}.service per account, and each cert using that account requires that service. And we use a negative ConditionPathExists to ensure it only actually runs when needed (but not RemainAfterExit otherwise clearing the state and starting a cert service won't rerun the service). 		18:58:06
@thinkchaos:matrix.orgThinkChaosOr look at completely replacing lego but that seems much harder18:59:47
@thinkchaos:matrix.orgThinkChaos * Or look at completely replacing lego but that seems much harder to do backwards-compatibly with existing state19:00:33
@arianvp:matrix.orgArianMaybe we should run a Kubernetes apiserver and use certmanager19:01:26
@arianvp:matrix.orgArianOnly half joking19:01:30
@thinkchaos:matrix.orgThinkChaosFor the potential custom account creation tool https://github.com/mholt/acmez/blob/v2.0.3/examples/plumbing/main.go#L56-L8819:02:18
@emilazy:matrix.orgemily I'm old enough to remember when we replaced simp_le with Lego and destroyed everyone's data 19:02:18
@emilazy:matrix.orgemilyah, so this is how I get ACMEZ in through the back door 😂19:02:33
@arianvp:matrix.orgArianAnd ill do it again!! 😈19:02:38

Show newer messages

Back to Room ListRoom Version: 6