!MthpOIxqJhTgrMNxDS:nixos.org

NixOS ACME / LetsEncrypt

104 Members
Another day, another cert renewal
42 Servers


12 Jan 2026
[01:18:32] hexa (@hexa:lossy.network): yeah, implemented … I think
[01:28:59] emily (@emilazy:matrix.org): I was just thinking we could run it much more often with no randomization if it's getting an ARI time from the CA
[01:29:15] emily (@emilazy:matrix.org): because then the CA does its own load balancing across renewal times
[01:29:47] emily (@emilazy:matrix.org): I implemented the skew back before ARI was a thing
[01:50:33] hexa (@hexa:lossy.network): https://github.com/NixOS/nixpkgs/pull/479209
[01:51:24] hexa (@hexa:lossy.network): I wish we could do something similar for the timer interval
[01:53:10] Tom (@tom:dragar.de): is there that much harm in just running it more often as the new default?
[01:56:59] hexa (@hexa:lossy.network): we're a multiplier, so yes it matters
[02:04:35] Tom (@tom:dragar.de): from my understanding the check on whether to proceed with the renewal is done locally. So it would "only" affect local resources from my understanding?
[02:05:10] hexa (@hexa:lossy.network): * only while above validMinDays
[02:05:24] hexa (@hexa:lossy.network): * we only fail if above valid min days
[02:06:02] hexa (@hexa:lossy.network): we run renew always, but only fail if below validMinDays
[02:06:31] hexa (@hexa:lossy.network):
              if is_expiration_skippable out/full.pem; then
                echo 1>&2 "nixos-acme: Ignoring failed renewal because expiration isn't within the coming ${toString data.validMinDays} days"
              else
                # High number to avoid Systemd reserved codes.
                exit 11
              fi
[02:06:33] hexa (@hexa:lossy.network): that's this logic
[02:06:46] hexa (@hexa:lossy.network): *
            if ! lego ${renewOpts} --days ${toString data.validMinDays}; then
              if is_expiration_skippable out/full.pem; then
                echo 1>&2 "nixos-acme: Ignoring failed renewal because expiration isn't within the coming ${toString data.validMinDays} days"
              else
                # High number to avoid Systemd reserved codes.
                exit 11
              fi
            fi
[02:07:36] Tom (@tom:dragar.de): ah, okay
[02:12:04] hexa (@hexa:lossy.network): Tom: feel free to test https://github.com/NixOS/nixpkgs/pull/479212

26 May 2021
[20:36:34] @grahamc:nixos.org set the history visibility to "world_readable".
[20:36:34] @grahamc:nixos.org changed the room name to "" from "".
[20:36:42] Server Stats Discoverer (traveler bot) (@server_stats:nordgedanken.dev) joined the room.
[20:36:47] @grahamc:nixos.org invited m1cr0man (@m1cr0man:m1cr0man.com).
[20:36:52] @grahamc:nixos.org changed room power levels.
[20:37:09] m1cr0man (@m1cr0man:m1cr0man.com) joined the room.
[20:38:19] Dandellion (@dandellion:dodsorf.as) joined the room.
[20:43:31] emily (@emilazy:matrix.org) joined the room.
[20:44:30] hexa (@hexa:lossy.network) joined the room.
[20:46:02] m1cr0man (@m1cr0man:m1cr0man.com) set the room topic to "Another day, another cert renewal".

Room Version: 6