| 3 Jun 2024 |
 Arian | apparently we merged a change that changes the account dir hash and is causing mass renewals and account id renewal?https://github.com/NixOS/nixpkgs/issues/316608
Anybody any idea how we can fix this before it causes more damage? Should we backport some conditional that uses the old hashing scheme based on stateVersion? Need to come up with some pragmatic solution | 08:09:44 |
| Arian | TIL that toString null returns the string " " lol | 08:10:17 |
| Arian | Nix is a special language for sure | 08:10:32 |
 K900 ⚡️ | Uhh | 08:10:58 |
| K900 ⚡️ | That's a very stupid behavior in lego tbh | 08:11:03 |
| Arian | This is not Lego. this is us | 08:11:10 |
| Arian | I think? | 08:11:15 |
| K900 ⚡️ | Oh OK yeah it is us | 08:12:00 |
| K900 ⚡️ | https://github.com/SuperSandro2000/nixpkgs/blob/6e294f40db992635e4aa566789ac3560ed1f9b1a/nixos/modules/security/acme/default.nix#L16 | 08:12:00 |
| Arian | so acmeServer used to be null | 08:12:19 |
| Arian | and we change it to the letsencrypt uri | 08:12:35 |
| K900 ⚡️ | But how is it leaking into CAA records then | 08:13:01 |
| K900 ⚡️ | Is what I don't get | 08:13:03 |
| Arian | You can bind your CAA record to your account ID these days | 08:13:35 |
| K900 ⚡️ | Oh | 08:13:40 |
| Arian | it's a new extension to ACME protocol | 08:13:42 |
| Arian | to detect MITM attacks | 08:13:45 |
| K900 ⚡️ | Yeeeeeah | 08:13:58 |
| K900 ⚡️ | But then we can just migrate | 08:14:03 |
| K900 ⚡️ | Like | 08:14:11 |
| Arian | (and it's important. E.g. German government has been issueing LEtsEncrypt certificates for a lot of XMPP servers through MITM'ing through middleboxes at Hetzner datacenters and got caught redhanded multiple times last year) | 08:14:15 |
| K900 ⚡️ | Compute old hash and new hash | 08:14:32 |
| K900 ⚡️ | In preStart | 08:14:34 |
| Arian | my idea was to make something like `${stateVersion < 23.11 ? " " : acmeServer} | 08:15:15 |
| K900 ⚡️ | And then
if [ -d $oldHash ]; then
if [ ! -d $newHash ]; then
mv $oldHash $newHash
else
echo "You are dedge please fix"
exit 1
fi
fi
| 08:15:25 |
| K900 ⚡️ | People who have two accounts need to manually adjust anyway | 08:15:56 |
| K900 ⚡️ | It's too late for them | 08:16:00 |
| K900 ⚡️ | Because we can't just roll them back either | 08:16:11 |
| K900 ⚡️ | Or we might break them AGAIN | 08:16:17 |
| Arian | yeh. Cat is out of the bag | 08:16:52 |
