| 24 Nov 2021 |
m1cr0man | yeah sure! Or just shout here like | 22:04:59 |
hexa | uh ok, I'll try to explain instead of posting logs | 22:05:34 |
hexa | I have a cert with olddomain.example.com example.com | 22:05:49 |
hexa | and I removed olddomain.example.com | 22:05:53 |
hexa | and now I try to renew and it still tries to renew olddomain.example.com | 22:06:05 |
hexa | the olddomain is not part of the lego command | 22:07:00 |
m1cr0man | hm interesting ok | 22:07:01 |
m1cr0man | ah | 22:07:06 |
hexa | that's on 21.05 | 22:07:18 |
m1cr0man | it's been a while 😅 lemme glance at the module again | 22:07:21 |
m1cr0man | I think someone reported/saw this in some issue before, but it was shrugged off as a fluke. I have a fair idea what it could be | 22:09:34 |
hexa | anyway, I would have expected the domainhash to resolve that | 22:16:10 |
m1cr0man | yeah, me too. I'm just looking at the conditionals surrounding it | 22:16:37 |
hexa | the old domain is not part of the ExecStart script | 22:17:18 |
m1cr0man | Ok I think I see what's up | 22:17:27 |
m1cr0man | extraDomains is not part of the hashData, which is what certDir is set based upon | 22:17:42 |
m1cr0man | I need to get that vs code plugin that lets me get links to github files.. | 22:18:11 |
m1cr0man | tada https://github.com/m1cr0man/nixpkgs/blob/e5f9c5215ae48e0f0373787bb56c5deddbe2d9fb/nixos/modules/security/acme.nix#L156 | 22:20:10 |
hexa | oh no! | 22:20:38 |
m1cr0man | so yeah, the problem is it checks if the certificate files exist before checking domainhash. In retrospect - I should have probably just got rid of domainhash and used certdir alone to determine if renewal was needed. I think I thought at the time lego wasn't this dumb and would simply exclude the unspecified extra domains... | 22:21:33 |
m1cr0man | if the files exist and domainhash is different, it goes to line 385 (forced renew) | 22:21:56 |
m1cr0man | oh look echo 1>&2 "certificate domain(s) have changed; will renew now" | 22:22:04 |
m1cr0man | https://github.com/m1cr0man/nixpkgs/commit/34b5c5c1a408d105beb9b92b9ed5b1565135e75e "Allow for key reuse when domains are the only thing that changed!" Aha. | 22:23:01 |
hexa | ah, we lost extraDomains /o\ | 22:23:34 |
m1cr0man | ok so the question is, can I delete the cert files and not the key and will lego do a renew | 22:23:47 |
hexa | I can give that a try | 22:24:22 |
hexa | the certificate is likely the only place that has the info about the old san | 22:24:50 |
hexa | do you need me to test something or can I just go ahead and purge this mess? | 22:38:14 |
hexa | m1cr0man: ^ | 22:44:13 |
m1cr0man | sorry - go ahead and purge | 22:53:27 |