NixOS ACME / LetsEncrypt (Matrix room !MthpOIxqJhTgrMNxDS:nixos.org)
Room topic: Another day, another cert renewal
16 Nov 2024
[20:49:19] m1cr0man: So did I TBH, but then we had that race/permissions error, and the directory hadn't been created when acme-lockfiles ran. Maybe we could add more systemd service dependencies, but RuntimeDirectory was more appropriate IMO
[20:51:15] m1cr0man (in reply to ThinkChaos: "I'll reply and approve 🙂"): Thank you :D
[20:55:04] ThinkChaos: I still am not a fan of the RuntimeDir + RemainAfterExit to persist the dir, and the dir being used outside the service itself, but it's better than something that's broken 😄
How would you feel if I just do a mkdir -p in the lock script in my PR?
[20:59:48] ThinkChaos (edited): I still am not a fan of the RuntimeDir + RemainAfterExit to persist the dir, and the dir being used outside the service itself, but it's better than something that's broken 😄
How would you feel if I just do a mkdir -p in the lock script in my (future) PR? needs root
17 Nov 2024
[13:15:23] m1cr0man: Given how systemd dependent we are already, I generally prefer the systemd solution if one is available. It is very well tested and has outstandingly stable behaviour. Less bash scripting means less custom code for us to maintain.
[22:50:19] m1cr0man: Just got done testing an --overwrite-domains option for lego that lets us remove domainHash entirely. The delta on the module is kinda underwhelming but less code is less code
[22:56:06] m1cr0man (in reply to ThinkChaos: "Here's that code: https://github.com/NixOS/nixpkgs/commit/ec145d8ccdd64ea6faef4881163e3811a5bf07f3"): Since you're blocked on merge would you mind if I reviewed on that commit itself? I don't want to keep you delayed on waiting for a review on the setup script
[22:57:22] ThinkChaos: 1s let me give you a better link
[22:59:38] m1cr0man: sure ok
[22:59:52] ThinkChaos: https://github.com/ThinkChaos/nixpkgs/pull/1
18 Nov 2024
[23:36:29] m1cr0man: Right, this is going to be interesting. https://github.com/go-acme/lego/pull/2355 I'm curious to see how this is received by the lego team.
[23:38:32] m1cr0man:
Here's the would-be change to switch to it on the module: https://github.com/m1cr0man/nixpkgs/commit/0e84622dff2ab5c8ba37cf49a3dd212b253664ee

What's nice is that this won't trigger a mass renewal on all nixos systems. Domains thankfully won't be part of the directory tree hashes that we have (e.g. account hash)
[23:39:09] m1cr0man (edited):
Here's the would-be change to switch to it on the module: https://github.com/m1cr0man/nixpkgs/commit/0e84622dff2ab5c8ba37cf49a3dd212b253664ee

What's nice is that this won't trigger a mass renewal on all nixos systems. Domains options are thankfully not part of the directory tree hashes that we have (e.g. account hash)
[23:39:21] m1cr0man: yeah my typing has gone, I have to sleep ;)
[23:40:41] ThinkChaos: Seems pretty straightforward, I'd just name it more explicitly, maybe --replace-cert-domains
Good night 😉
19 Nov 2024
[09:00:53] m1cr0man: Ah I do like replace more than overwrite.
20 Nov 2024
[22:31:40] m1cr0man: A day late but I did change it 😪
27 Nov 2024
[01:49:49] hexa: with 24.11 I see acme units stuck at "Releasing lock" a bunch
[01:49:52] hexa:
● acme-lossy.network.service                                                                  loaded activating start-post start  Renew ACME certificate for lossy.network
● acme-musique.lossy.network.service                                                          loaded activating start-post start  Renew ACME certificate for musique.lossy.network
● acme-paste.lossy.network.service                                                            loaded activating start-post start  Renew ACME certificate for paste.lossy.network
[01:50:23] hexa:
● acme-lossy.network.service - Renew ACME certificate for lossy.network
     Loaded: loaded (/etc/systemd/system/acme-lossy.network.service; enabled; preset: ignored)
     Active: activating (start-post) since Mon 2024-11-25 16:53:59 UTC; 1 day 8h ago
 Invocation: d25d36d6c8c04cd7886c1d4bc8d53792
TriggeredBy: ● acme-lossy.network.timer
   Main PID: 130913 (code=exited, status=0/SUCCESS); Control PID: 130934 (kia1z8g0zv7w2nd)
         IP: 0B in, 0B out
         IO: 336K read, 8K written
      Tasks: 2 (limit: 4553)
     Memory: 1.7M (peak: 19.6M)
        CPU: 510ms
     CGroup: /system.slice/acme-lossy.network.service
             ├─130934 /nix/store/0irlcqx2n3qm6b1pc9rsd2i8qpvcccaj-bash-5.2p37/bin/bash /nix/store/kia1z8g0zv7w2ndbr6bf88ybgacjldi1-acme-postrun
             └─130936 systemctl reload nginx
[01:50:47] hexa:
Nov 25 16:53:59 juno systemd[1]: Starting Renew ACME certificate for lossy.network...
Nov 25 16:53:59 juno acme-lossy.network-start[130913]: Waiting to acquire lock /run/acme/4.lock
Nov 25 16:53:59 juno acme-lossy.network-start[130913]: Acquired lock /run/acme/4.lock
Nov 25 16:53:59 juno acme-lossy.network-start[130913]: + set -euo pipefail
Nov 25 16:53:59 juno acme-lossy.network-start[130913]: + echo 2692063bb972c5e7df2e
Nov 25 16:53:59 juno acme-lossy.network-start[130913]: + cmp -s domainhash.txt certificates/domainhash.txt
Nov 25 16:53:59 juno acme-lossy.network-start[130913]: + '[' -e certificates/lossy.network.key ']'
Nov 25 16:53:59 juno acme-lossy.network-start[130913]: + '[' -e certificates/lossy.network.crt ']'
Nov 25 16:53:59 juno acme-lossy.network-start[130916]: ++ find accounts -name hexa@darmstadt.ccc.de.key
Nov 25 16:53:59 juno acme-lossy.network-start[130913]: + '[' -n accounts/acme-v02.api.letsencrypt.org/hexa@darmstadt.ccc.de/keys/hexa@darmstadt.ccc.de.key ']'
Nov 25 16:53:59 juno acme-lossy.network-start[130913]: + lego --accept-tos --path . -d lossy.network --email hexa@darmstadt.ccc.de --key-type ec384 --dns rfc2136 --server https://acme-v02.api.letsencrypt.org/directory renew --no-random-sleep --days 30
Nov 25 16:54:00 juno acme-lossy.network-start[130917]: 2024/11/25 16:54:00 [INFO] [lossy.network] acme: Trying renewal with 743 hours remaining
Nov 25 16:54:00 juno acme-lossy.network-start[130917]: 2024/11/25 16:54:00 [INFO] [lossy.network] acme: Obtaining bundled SAN certificate
Nov 25 16:54:00 juno acme-lossy.network-start[130917]: 2024/11/25 16:54:00 [INFO] [lossy.network] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/1756599672/435404342337
Nov 25 16:54:00 juno acme-lossy.network-start[130917]: 2024/11/25 16:54:00 [INFO] [lossy.network] acme: Could not find solver for: tls-alpn-01
Nov 25 16:54:00 juno acme-lossy.network-start[130917]: 2024/11/25 16:54:00 [INFO] [lossy.network] acme: Could not find solver for: http-01
Nov 25 16:54:00 juno acme-lossy.network-start[130917]: 2024/11/25 16:54:00 [INFO] [lossy.network] acme: use dns-01 solver
Nov 25 16:54:00 juno acme-lossy.network-start[130917]: 2024/11/25 16:54:00 [INFO] [lossy.network] acme: Preparing to solve DNS-01
Nov 25 16:54:00 juno acme-lossy.network-start[130917]: 2024/11/25 16:54:00 [INFO] Found CNAME entry for "_acme-challenge.lossy.network.": "lossy.network._acme.lossy.network."
Nov 25 16:54:01 juno acme-lossy.network-start[130917]: 2024/11/25 16:54:01 [INFO] [lossy.network] acme: Trying to solve DNS-01
Nov 25 16:54:01 juno acme-lossy.network-start[130917]: 2024/11/25 16:54:01 [INFO] Found CNAME entry for "_acme-challenge.lossy.network.": "lossy.network._acme.lossy.network."
Nov 25 16:54:01 juno acme-lossy.network-start[130917]: 2024/11/25 16:54:01 [INFO] [lossy.network] acme: Checking DNS record propagation. [nameservers=127.0.0.1:53,[::1]:53]
Nov 25 16:54:03 juno acme-lossy.network-start[130917]: 2024/11/25 16:54:03 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
Nov 25 16:54:09 juno acme-lossy.network-start[130917]: 2024/11/25 16:54:09 [INFO] [lossy.network] The server validated our request
Nov 25 16:54:09 juno acme-lossy.network-start[130917]: 2024/11/25 16:54:09 [INFO] [lossy.network] acme: Cleaning DNS-01 challenge
Nov 25 16:54:09 juno acme-lossy.network-start[130917]: 2024/11/25 16:54:09 [INFO] Found CNAME entry for "_acme-challenge.lossy.network.": "lossy.network._acme.lossy.network."
Nov 25 16:54:09 juno acme-lossy.network-start[130917]: 2024/11/25 16:54:09 [INFO] [lossy.network] acme: Validations succeeded; requesting certificates
Nov 25 16:54:11 juno acme-lossy.network-start[130917]: 2024/11/25 16:54:11 [INFO] [lossy.network] Server responded with a certificate.
Nov 25 16:54:11 juno acme-lossy.network-start[130913]: + mv domainhash.txt certificates/
Nov 25 16:54:11 juno acme-lossy.network-start[130913]: + chown acme:acme certificates/domainhash.txt certificates/lossy.network.crt certificates/lossy.network.issuer.crt certificates/lossy.network.json certificates/lossy.network.key
Nov 25 16:54:11 juno acme-lossy.network-start[130913]: + cmp -s certificates/lossy.network.crt out/fullchain.pem
Nov 25 16:54:11 juno acme-lossy.network-start[130913]: + touch out/renewed
Nov 25 16:54:11 juno acme-lossy.network-start[130913]: + echo Installing new certificate
Nov 25 16:54:11 juno acme-lossy.network-start[130913]: Installing new certificate
Nov 25 16:54:11 juno acme-lossy.network-start[130913]: + cp -vp certificates/lossy.network.crt out/fullchain.pem
Nov 25 16:54:11 juno acme-lossy.network-start[130927]: 'certificates/lossy.network.crt' -> 'out/fullchain.pem'
Nov 25 16:54:11 juno acme-lossy.network-start[130913]: + cp -vp certificates/lossy.network.key out/key.pem
Nov 25 16:54:11 juno acme-lossy.network-start[130928]: 'certificates/lossy.network.key' -> 'out/key.pem'
Nov 25 16:54:11 juno acme-lossy.network-start[130913]: + cp -vp certificates/lossy.network.issuer.crt out/chain.pem
Nov 25 16:54:11 juno acme-lossy.network-start[130929]: 'certificates/lossy.network.issuer.crt' -> 'out/chain.pem'
Nov 25 16:54:11 juno acme-lossy.network-start[130913]: + ln -sf fullchain.pem out/cert.pem
Nov 25 16:54:11 juno acme-lossy.network-start[130913]: + cat out/key.pem out/fullchain.pem
Nov 25 16:54:11 juno acme-lossy.network-start[130913]: + chmod 640 out/cert.pem out/chain.pem out/fullchain.pem out/full.pem out/key.pem out/renewed
Nov 25 16:54:11 juno acme-lossy.network-start[130913]: + echo 'Releasing lock /run/acme/4.lock'
Nov 25 16:54:11 juno acme-lossy.network-start[130913]: Releasing lock /run/acme/4.lock
[01:51:06] hexa: ugh, systemctl reload nginx is blocking
[01:52:06] hexa: so all three acme units are stuck at systemctl reload nginx
[01:52:18] hexa: which maps to