| 20 Nov 2021 |
| nykw joined the room. | 11:10:15 |
| 23 Nov 2021 |
| Server Stats Discoverer (traveler bot) left the room. | 02:35:48 |
| 24 Nov 2021 |
m1cr0man | Just looking through github for acme-related work. I found this old PR: https://github.com/NixOS/nixpkgs/pull/46379 about letting useAcmeHost=true vhosts add their aliases to the acme cert automatically. I'm actually against this idea - the main use case nowadays for useAcmeHost is specifying a wildcard cert to use with a bunch of stuff, and that would generally be a better idea than having a cert with lots of subject alternate names. Fwiw, if you just enableACME on a vhost we already do build a cert that includes serverAliases in extraDomains (see https://github.com/NixOS/nixpkgs/blob/c18638dc95216b1b2930d16e1334613d82d05e8e/nixos/modules/services/web-servers/nginx/default.nix#L935) | 21:37:23 |
hexa | m1cr0man: can i pm you to look at an acme issue? | 22:04:31 |
m1cr0man | yeah sure! Or just shout here like | 22:04:59 |
hexa | uh ok, I'll try to explain instead of posting logs | 22:05:34 |
hexa | I have a cert with olddomain.example.com example.com | 22:05:49 |
hexa | and I removed olddomain.example.com | 22:05:53 |
hexa | and now I try to renew and it still tries to renew olddomain.example.com | 22:06:05 |
hexa | the olddomain is not part of the lego command | 22:07:00 |
m1cr0man | hm interesting ok | 22:07:01 |
m1cr0man | ah | 22:07:06 |
hexa | that's on 21.05 | 22:07:18 |
m1cr0man | it's been a while 😅 lemme glance at the module again | 22:07:21 |
m1cr0man | I think someone reported/saw this in some issue before, but it was shrugged off as a fluke. I have a fair idea what it could be | 22:09:34 |
hexa | anyway, I would have expected the domainhash to resolve that | 22:16:10 |
m1cr0man | yeah, me too. I'm just looking at the conditionals surrounding it | 22:16:37 |
hexa | the old domain is not part of the ExecStart script | 22:17:18 |
m1cr0man | Ok I think I see what's up | 22:17:27 |
m1cr0man | extraDomains is not part of the hashData, which is what certDir is set based upon | 22:17:42 |
m1cr0man | I need to get that vs code plugin that lets me get links to github files.. | 22:18:11 |
m1cr0man | tada https://github.com/m1cr0man/nixpkgs/blob/e5f9c5215ae48e0f0373787bb56c5deddbe2d9fb/nixos/modules/security/acme.nix#L156 | 22:20:10 |
hexa | oh no! | 22:20:38 |
m1cr0man | so yeah, the problem is it checks if the certificate files exist before checking domainhash. In retrospect - I should have probably just got rid of domainhash and used certdir alone to determine if renewal was needed. I think I thought at the time lego wasn't this dumb and would simply exclude the unspecified extra domains... | 22:21:33 |
m1cr0man | if the files exist and domainhash is different, it goes to line 385 (forced renew) | 22:21:56 |
m1cr0man | oh look echo 1>&2 "certificate domain(s) have changed; will renew now" | 22:22:04 |
m1cr0man | https://github.com/m1cr0man/nixpkgs/commit/34b5c5c1a408d105beb9b92b9ed5b1565135e75e "Allow for key reuse when domains are the only thing that changed!" Aha. | 22:23:01 |
hexa | ah, we lost extraDomains /o\ | 22:23:34 |
m1cr0man | ok so the question is, can I delete the cert files and not the key and will lego do a renew | 22:23:47 |
hexa | I can give that a try | 22:24:22 |