| 29 Jan 2025 |
 K900 ⚡️ | If it actually breaks, we'll get a bunch of people offline | 13:20:02 |
| K900 ⚡️ | I'm fine kicking it every now and then to make sure that doesn't happen | 13:20:22 |
 m1cr0man | I nearly have the test suite rewritten - working on webserver test isolation now. It will be a lot more reliable, and we can disable tests piecemeal instead of disabling the whole suite if it gets flakey again. | 17:28:03 |
| K900 ⚡️ | ❤️ | 18:03:25 |
| m1cr0man | Are you KIDDING me? There's an option on pebble that sets a percentage failure for cert validation? https://github.com/letsencrypt/pebble?tab=readme-ov-file#invalid-anti-replay-nonce-errors | 19:04:31 |
| m1cr0man | It's been in there for 8 years apparently 🫠 probably not the source of the main problems but still, I've disabled it | 19:07:39 |
| K900 ⚡️ | Uhh | 19:13:13 |
| K900 ⚡️ | I think that's a good thing actually? | 19:13:17 |
| K900 ⚡️ | It seems useful to verify lego behaves correctly in that case | 19:13:30 |
| m1cr0man | This has been a decision from the get-go: We are not testing lego, we are testing the Nix module. I have 0 interest in testing behaviour of lego outside of standard operation. | 20:16:47 |
| 2 Feb 2025 |
| m1cr0man | https://github.com/NixOS/nixpkgs/issues/374792#issuecomment-2629203727 | 02:07:22 |
| 6 Feb 2025 |
|  Jeff changed their profile picture. | 06:10:06 |
| 15 Feb 2025 |
|  BenjB83 joined the room. | 10:19:26 |
| BenjB83 changed their display name from Benjamín Buske to BenjB83. | 10:43:22 |
| 16 Feb 2025 |
 ThinkChaos | I'm looking at what can be done to create the ACME account separately of fetching a cert again because of the impending Revert "nixos/nginx: not "before" ACME certs using DNS validation".
m1cr0man Have you already brought up adding a lego sub-command that only creates the account with them?
That looks like something I can try to contribute there, so I'm curious if there's relevant discussion I didn't find. | 22:13:39 |
| m1cr0man | I haven't reached out to lego about that specifically. It would be a nice thing to have for sure | 22:43:14 |
| m1cr0man | We could then add it to the setup service | 22:43:23 |
| ThinkChaos | Ok, I'll look into it more | 22:43:59 |
| ThinkChaos | Exactly, the goal behind it is to simplify the unit dependencies | 22:44:34 |
| 17 Feb 2025 |
 hexa | I don't think we currently support ACME Renwal Info (ARI), because don't execute lego when the certificate is not yet outdated | 16:55:13 |
| hexa | https://github.com/go-acme/lego/pull/1912 | 16:55:14 |
 emily | I thought we execute lego like every 24 hours | 16:56:10 |
| hexa | LE are currently sending out mail to their subscribers with recommendations | 16:56:11 |
| emily | did that get conditionalized? | 16:56:15 |
| hexa | hm, let me check | 16:56:26 |
| emily | https://github.com/NixOS/nixpkgs/pull/80856 | 16:56:48 |
| emily | of course the module has changed a lot since then so it's possible we don't reliably execute lego when that timer fires, which would be bad | 16:57:04 |
| hexa | # Check if we can renew.
# We can only renew if the list of domains has not changed.
# We also need an account key. Avoids #190493
if cmp -s domainhash.txt certificates/domainhash.txt && [ -e 'certificates/juno.lossy.network.key' ] && [ -e 'certificates/juno.lossy.network.crt' ] && [ -n "$(find accounts -name 'hexa@darmstadt.ccc.de.key')" ]; then
# Even if a cert is not expired, it may be revoked by the CA.
# Try to renew, and silently fail if the cert is not expired.
# Avoids #85794 and resolves #129838
if ! lego --accept-tos --path . -d juno.lossy.network --email hexa@darmstadt.ccc.de --key-type ec384 --dns rfc2136 --server https://acme-v02.api.letsencrypt.org/directory renew --no-random-sleep --days 30; then
if is_expiration_skippable out/full.pem; then
echo 1>&2 "nixos-acme: Ignoring failed renewal because expiration isn't within the coming 30 days"
else
# High number to avoid Systemd reserved codes.
exit 11
fi
fi
# Otherwise do a full run
elif ! lego --accept-tos --path . -d juno.lossy.network --email hexa@darmstadt.ccc.de --key-type ec384 --dns rfc2136 --server https://acme-v02.api.letsencrypt.org/directory run; then
# Produce a nice error for those doing their first nixos-rebuild with these certs
echo Failed to fetch certificates. \
This may mean your DNS records are set up incorrectly. \
Selfsigned certs are in place and dependant services will still start.
# Exit 10 so that users can potentially amend SuccessExitStatus to ignore this error.
# High number to avoid Systemd reserved codes.
exit 10
fi
| 16:58:04 |
| hexa | looks like we always call lego | 16:58:13 |
| emily | perhaps we just need to pass an ARI flag then. (not sure why that wouldn't be default) | 16:58:42 |
