| 26 Dec 2021 |
aanderse | namesilo | 23:03:50 |
moritz.hedtke | In reply to @hexa:lossy.network like … why wouldn't 10 seconds work for a dynamic dns update 😕 I could imagine because of the issues documented in https://letsencrypt.org/2020/02/19/multi-perspective-validation.html | 23:58:53 |
moritz.hedtke | If I understood correctly what you mean | 23:59:04 |
| 27 Dec 2021 |
moritz.hedtke | when I think about it the reasoning doesn't make sense in that case | 00:00:05 |
moritz.hedtke | TTL? | 00:00:19 |
hexa | moritz.hedtke: the record doesn't exist before the validation try | 00:02:41 |
hexa | so negcache at worst | 00:02:57 |
hexa | but letsencrypt probably won't do caching here | 00:03:04 |
moritz.hedtke | And you think the record is there before e.g. letsencrypt starts querying? I'm not too familiar with acme using dns | 00:05:55 |
hexa | something like that | 00:53:31 |
hexa | I haven't dug deeper | 00:53:34 |
hexa | Merged! | 16:38:09 |
m1cr0man | Thanks! | 16:59:15 |
m1cr0man | haha so many emails from the 8 closed tickets | 16:59:24 |
| 29 Dec 2021 |
Winter (she/her) | In https://github.com/NixOS/nixpkgs/blob/ac169ec6371f0d835542db654a65e0f2feb07838/nixos/modules/security/acme.nix#L417, it says that this makes it readable to the group specified by the cert service, but the perms for /var/lib/acme are 0750. Wouldn't the cert be inaccessible even by the group specified by the cert service, then? | 03:03:55 |
Winter (she/her) | ah, I see https://github.com/NixOS/nixpkgs/blob/ac169ec6371f0d835542db654a65e0f2feb07838/nixos/modules/security/acme.nix#L294 now | 03:07:40 |
Winter (she/her) | So because of the fix permission service having its working directory set to /var/lib/acme, I guess acme:acme would be the owner of /var/lib/acme. | 03:09:35 |
Winter (she/her) | But then wouldn't the permissions of 0750 would still disallow access to the cert specified groups? | 03:10:19 |
Winter (she/her) | * But then wouldn't the permissions of 0750 still disallow access to the cert specified groups? | 03:10:27 |
Winter (she/her) | # These StateDirectory entries negate the need for tmpfiles
StateDirectory = [ "acme" "acme/.lego" "acme/.lego/accounts" ];
StateDirectoryMode = 755;
WorkingDirectory = "/var/lib/acme";
...ah.
| 03:16:37 |
m1cr0man | yeah, we really went all-in on statedirectory/systemd activation logic for the folder creation. It ended up solving all previous permissions issues we were encountering, whilst also providing systemctl clean --what=state acme-mydomain.service for easy full renewals | 13:22:39 |
m1cr0man | There's a bunch of really difficult to figure out logic wrt when directories need to be created, recreated or permissions changed which all depend on systemd service activation. Hence, it was best to leave it to systemd where possible | 13:30:20 |
| 30 Dec 2021 |
Winter (she/her) | Also: the useACMEHost option in Nginx vhosts doesn't set the group for the certificate, so it (unexpectedly) fails to start. I can't find any documentation that requires anything other than setting useACMEHost, though, so I don't think I'm doing anything wrong. | 04:54:21 |
m1cr0man | You do need to set the group explicitly when using useACMEHost. We can't assume that the cert is being used for other purposes in that scenario, thus it would be unsafe to set the group automatically | 15:01:20 |
m1cr0man | * You do need to set the group explicitly when using useACMEHost. We can't assume that the cert is being used for only nginx/apache in that scenario, thus it would be unsafe to set the group automatically | 15:01:37 |
Winter (she/her) | Got it. I feel like that can definitely be documented better, I’ll PR if I can think of adequate wording.
Question: why can’t we assume, though? In what scenario would someone be using one certificate across multiple HTTP servers? idk, just seems unlikely, it’s definitely best not to assume but i can’t think of an actual practical use case unless I’m just missing something obvious… | 20:05:16 |
Winter (she/her) | maybe something something different ports something something? | 20:07:50 |
m1cr0man | one wildcard for mail and web is a use case I used to maintain for a deployment | 21:14:33 |
m1cr0man | I added nginx + dovecot + postfix users to acme group | 21:14:56 |