| 8 Nov 2024 |
 K900 | And that did not help either | 23:06:47 |
| K900 | Great | 23:07:45 |
| K900 | Just found a new way the test fails | 23:07:49 |
 m1cr0man | wait really it failed already? | 23:07:59 |
| K900 | Locally | 23:08:14 |
| K900 | > webserver # [ 450.572939] acme-httpd-http.example.test-start[7384]: [httpd-http-alias.example.test] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Get "http://httpd-http-alias.example.test:80/.well-known/acme-challenge/gA8qyav0HCSbazw_qhgCZ5EsI8QX8_pnpHNCGsQ3WDg": dial tcp 192.168.1.4:80: connect: connection refused
| 23:08:31 |
| m1cr0man | Lol was about to write this before your msg:
The only other race or failure that I can think of is that sometimes, for some reason, one part of the stack required for renewal (either Pebble, DNS, or a web server) was not responding to requests.
< there it is meme >
| 23:09:00 |
| m1cr0man | what do the logs above that show nginx/apache doing on the webserver? | 23:09:56 |
| K900 | Oh wait | 23:10:07 |
| K900 | What the fuck | 23:10:09 |
| K900 | How the fuck | 23:10:11 |
| K900 | Oh great | 23:10:58 |
| K900 | https://github.com/NixOS/nixpkgs/pull/354629/files#diff-352faa44c3da86e70bd6b5a55ff13f0a900b0f2fac44229f352ed1fd5b93a262R749-R751 | 23:11:25 |
| K900 | How did this ever work | 23:11:28 |
| m1cr0man | what's wrong with that? | 23:12:31 |
| K900 | OK this makes no sense | 23:12:38 |
| K900 | It's starting the cert renewal first | 23:12:49 |
| K900 | And then the server | 23:12:58 |
| m1cr0man | Ngl, it's pretty vindicating that someone else is witnessing the quantum hell that is the ACME test suite, and not just my imagination. | 23:13:19 |
| K900 | And I think the ordering on it is actually just all wrong | 23:13:22 |
| K900 | 
Download {A552CC2F-C32F-444C-8CDC-9B4F274FF447}.png | 23:14:17 |
| K900 | Yeah this is 100% wrong | 23:14:45 |
| K900 | The acme units need to wants httpd for this | 23:14:55 |
| K900 | If not requires | 23:15:09 |
| K900 | Actually probably requires, just so we fast-fail | 23:15:16 |
| m1cr0man | I'm not following. Part of this is from the change earlier today. That's a screenshot from a webserver module right? It's only set to before on the renewals that use HTTP-01. wanting the target means that renewal gets queued in the same job as the web server start. | 23:16:49 |
| m1cr0man | it's convoluted, but in the case of a web server it's generally as follows on startup:
- Web server start requested
want on acme-*.target queues a start job in the same transaction for any necessary renewal services.before on acme-selfsigned-*.service means webserver is up after selfsigned cert genbefore (selectively) on acme-*.service means webserver starts before renewal (HTTP-01)after (selectively) on acme-*.service means webserver can basically start any time after renewal happens
| 23:19:49 |
| m1cr0man | this all hinges on my understanding/observations of wants dependencies on a target, and how start job transactions are evaluated | 23:20:36 |
| K900 | That before isn't enough | 23:20:47 |
| K900 | You need the http-01 units to actually wants it | 23:21:07 |
