NixOS ACME / LetsEncrypt - Public Room Timeline

	NixOS ACME / LetsEncrypt	105 Members
	Another day, another cert renewal	44 Servers

Load older messages

Sender	Message	Time
3 Jun 2024
Stéphan	I like that idea, but no idea if a symlink works	09:31:44
Arian	urgh I feel bad that this shipped. The whole reason we created the ACME Team was to catch these kind of things :( I’m kind of confused why automation didnt tag us for review. Given we’re set up as `meta.maintainers` for that module. maybe that automation doesn’t exist for NixOS? only for nixpkgs?	09:34:37
Stéphan	I think `BindPaths` should follow a symlink, because I found this, which says not following a symlink is something you otherwise need to specify explicitely: https://github.com/systemd/systemd/issues/32366	09:35:27
Stéphan	In reply to @arianvp:matrix.org urgh I feel bad that this shipped. The whole reason we created the ACME Team was to catch these kind of things :( I’m kind of confused why automation didnt tag us for review. Given we’re set up as `meta.maintainers` for that module. maybe that automation doesn’t exist for NixOS? only for nixpkgs? See: https://github.com/NixOS/nixpkgs/pull/270221#issuecomment-2144652323	09:36:12
Arian	ah awesome	09:36:19
Arian	Oh well no hard feelings. we’re all human. just makes my blood pressure go up to know I’m breaking people’s TLS setup :’)	09:37:15
Arian	Added a WIP PR to add the team to code-owners: https://github.com/NixOS/nixpkgs/pull/316854	09:45:09
Arian	If there are any volunteers to join the team just yell ;)	09:45:39
Sandro 🐧	You could symlink the old hash to the new one if the new directory doesn't exist and the contents are similar enough to be compatible	09:52:47
Sandro 🐧	In reply to @arianvp:matrix.org maybe we should symlink or copy the directory instead of moving? idk. Maybe it's not worth it supporting rollbacks. Just thinking out loud of another failure mode here Copy means you have old, potentially ran out certs	09:52:47
Sandro 🐧	In reply to @arianvp:matrix.org (and it's important. E.g. German government has been issueing LEtsEncrypt certificates for a lot of XMPP servers through MITM'ing through middleboxes at Hetzner datacenters and got caught redhanded multiple times last year) I know of the one case that went on Hackernews. DNS challenge works against that, does it?	09:52:47
Sandro 🐧	I have a PR for a test improvement open for 4 months to prevent sich issues in the future and no one really cared, so I just gave up https://github.com/NixOS/nixpkgs/pull/286999	09:52:47
Arian	Yeh no blame on you at all.	09:53:22
Sandro 🐧	Going back to null is also not that great because then we rely on the lego defaults which could change in the future	09:56:08
Sandro 🐧	If you have a change I could test, throw it over the fence	10:00:00
Arian	yeh I think the only solution is to do some state mangling. Or just put in the release notes that the hash changed and call it a day	10:00:10
Sandro 🐧	I really thought we already had that in the release notes...	10:00:36
Arian	We used to have bugs where we would recreate the same account multiple times: https://github.com/NixOS/nixpkgs/pull/106857 and the account creation rate limiting is very aggressive (5 per day?) But I think we dont run into that issue anymore	10:00:39
Arian	So the rate-limit issue is probably less of a problem; unless you have A lot of domains	10:01:25
Sandro 🐧	As said, I've updated 25 VMs or so with that and the only problem I've ran into was that the one DNS challenge could not create records for all aliases	10:01:42
Sandro 🐧	All other http challenges worked like a charm and I probably updated a VM every 5 to 10 minutes	10:02:08
Sandro 🐧	In reply to @arianvp:matrix.org So the rate-limit issue is probably less of a problem; unless you have A lot of domains If the domains are similar, I always use the DNS challenge to avoid sich scenarios in case of data loss but probably not everyone is doing that	10:03:00
Arian	Redacted or Malformed Event	10:05:25
Arian	We also have https://github.com/NixOS/nixpkgs/pull/244511 which limits concurrent domain creation. I didn't realise that landed	10:05:55
Arian	So... the rate limit concern is probably not so big. This is just a problem with people with CAA records. I think I'm okay with just double checking this is in the release notes and if not add it	10:06:21
Arian	If ya'll agree lets go with a prominent entry in the release notes. If someone has energy to do a state convergence PR that's a nice to have but probably not as urgent as I initially thought	10:09:21
Sandro 🐧	In reply to @arianvp:matrix.org We also have https://github.com/NixOS/nixpkgs/pull/244511 which limits concurrent domain creation. I didn't realise that landed I think that is mainly there to prevent going immediately into the rate limit of something fails	10:12:21
Sandro 🐧	I mean we should probably do a release notes entry either way	10:12:40
Sandro 🐧	And testing state changes like that should probably not be done to quick to not create the next bugs 😅	10:12:56
Sandro 🐧	Also merge that test please 😅🙈	10:13:04

Show newer messages

Back to Room ListRoom Version: 6