| 18 Feb 2025 |
 Sandro 🐧 | FYI https://github.com/NixOS/nixpkgs/pull/382863 | 16:52:15 |
| 19 Feb 2025 |
 hexa | https://github.com/go-acme/lego/commit/98371c4695dd4e45d7458d8ba42272f6fa0c625d enables ARI by default | 16:41:06 |
| hexa | in 4.20.2 | 16:41:09 |
| hexa | so we just need to agree on the proper wait duration | 16:41:26 |
| Sandro 🐧 | I have extraLegoRenewFlags = [ "--ari-enable" "--ari-wait-to-renew-duration" "5m" ]; in my config but I cannot tell you any advtanatages/disavtanages of it sadly | 16:44:34 |
| hexa | 5m is not a reasonable wait duration 😄 | 16:44:47 |
 emily | I think we don't want to limit it at all if we're using ARI. the ACME server will pick the appropriate time to wait. but I'm still not clear on how it's meant to integrate into our timer system. my understanding is that lego renew won't block indefinitely when not using ARI, but does block when using it? | 16:44:47 |
| hexa | yep | 16:45:05 |
| emily | the two modalities seem totally different: one is a ~non-blocking poll on a timer, the other is a long-running waiting daemon | 16:45:16 |
| hexa | I think I set it to 23h to not interact with the timer | 16:45:24 |
| hexa | but to cover most of the time when it would not run | 16:45:34 |
| emily | I don't see how that works with our setup unless we can get lego renew to also wait for non-ARI certificates | 16:45:37 |
| hexa | I think infinite could work, but infinite would then probably be something like 30 days? 90 days? | 16:45:56 |
| emily | does --ari-wait-to-renew-duration force renewal when the timer expires? or does it just exit without renewing if the wait is further than that? | 16:45:59 |
| hexa | max cert duration | 16:46:04 |
| hexa | * max remaining cert duration | 16:46:07 |
| hexa | ARI is a way to skip the age check on the cert | 16:46:22 |
| hexa | when ARI then renew, else normal proceedings | 16:46:39 |
| emily | are you sure?
--ari-wait-to-renew-duration value The maximum duration you're willing to sleep for a renewal time returned by the renewalInfo endpoint.
| 16:46:23 |
| emily | seems like not that | 16:46:24 |
| emily | I do know how ARI works :) | 16:46:32 |
| hexa | I'm telling you that from the code that I glanced at | 16:46:57 |
| Sandro 🐧 | AFAIK it is the time lego is allowed to sleep for the time to be | 16:47:41 |
| Sandro 🐧 | so if we set it to 23h, it could block execution for up to 23h | 16:48:24 |
| hexa | wdym block | 16:48:35 |
| hexa | you can always just restart and get a new renewalinfo 😄 | 16:48:45 |
| hexa | https://github.com/go-acme/lego/blob/v4.22.2/certificate/renewal.go | 16:49:08 |
| emily | ok, here's what I don't understand. why do we need it to sleep at all? it could check ARI and then just say "nope" if it isn't time yet. at most we drift across the recommended renewal by ~a day | 16:49:10 |
| hexa | I think that would probably be fine | 16:49:37 |
| emily | I don't think that's optimal – the timer-based setup is bad – but it seems to be what fits best with the existing module structure | 16:49:38 |
