!MthpOIxqJhTgrMNxDS:nixos.org

NixOS ACME / LetsEncrypt

Topic: Another day, another cert renewal

17 Sep 2021
[02:26:32] pinecamp (@pinecamp:matrix.org) joined the room.
24 Sep 2021
[13:21:37] hexa (@hexa:lossy.network): https://github.com/NixOS/nixpkgs/pull/139311
[13:21:50] hexa (@hexa:lossy.network): fallout from the hardening changes
25 Sep 2021
[15:03:27] sugi (@sugi:matrix.besaid.de) joined the room.
30 Sep 2021
[01:17:56] Robby O'Connor (@robby:oconnor.ninja) joined the room.
[05:50:09] Robby O'Connor (@robby:oconnor.ninja) left the room.
4 Oct 2021
[12:11:11] aanderse (@aanderse:nixos.dev): any chance we need to update LEGO? ... or iunno... anything? i think the letsencrypt root cert expired recently and one of my certs is having issues when being used with prosody. i don't have many details, sorry, short on time
[12:14:30] hexa (@hexa:lossy.network): I don't believe so
[12:15:53] hexa (@hexa:lossy.network): the reason letsencrypt failed on many systems is that they don't handle cross-signed roots, where one signatory expired, and the other one is still valid
[12:16:15] hexa (@hexa:lossy.network): * the reason letsencrypt failed on many systems is that they don't handle cross-signed roots, where one signatory expired, and the other one is still valid, well
[12:16:50] hexa (@hexa:lossy.network): there is certainly a way to get your server cert without the cross-signing (isrg x1 root only)
[12:17:09] hexa (@hexa:lossy.network): but you are trading breakages in one way or another
[12:20:16] aanderse (@aanderse:nixos.dev): in this specific example i have a single cert for a single domain - i load that cert into prosody, then when trying to connect with my jabber client i get "The certificate chain presented is invalid."
[12:20:31] hexa (@hexa:lossy.network): --preferred-chain="ISRG Root X1"
[12:21:42] aanderse (@aanderse:nixos.dev): like i said... low on time, so i really appreciate the quick save
[12:21:57] aanderse (@aanderse:nixos.dev): just moved... it has been a self inflicted nightmare 😉
[12:26:40] Dandellion (@dandellion:dodsorf.as):

I have the following nginx configuration for one of my services:

  services.nginx.virtualHosts."hydrus.dodsorf.as" = {
    enableACME = true;
    onlySSL = true;

    locations."/.well-known/matrix/server" = {
      return = ''
        200 '{"m.server": "hydrus.dodsorf.as:443"}'
      '';
      extraConfig = ''
        default_type application/json;
      '';
    };

    locations."~ ^/_matrix/media/r0/download/hydrus.dodsorf.as/(?<sha>[A-Fa-f0-9]+)" = {
      proxyPass = "http://192.168.10.50:45869/get_files/file?hash=$sha";
      extraConfig = ''
        proxy_set_header Hydrus-Client-API-Access-Key <some-key>;
      '';
    };
  };

which for some reason fails with

  Oct 04 12:41:19 lilith acme-hydrus.dodsorf.as-start[2233969]: 2021/10/04 12:41:19 [INFO] [hydrus.dodsorf.as] acme: Could not find solver for: tls-alpn-01
  Oct 04 12:41:19 lilith acme-hydrus.dodsorf.as-start[2233969]: 2021/10/04 12:41:19 [INFO] [hydrus.dodsorf.as] acme: use http-01 solver
  Oct 04 12:41:19 lilith acme-hydrus.dodsorf.as-start[2233969]: 2021/10/04 12:41:19 [INFO] [hydrus.dodsorf.as] acme: Trying to solve HTTP-01
  Oct 04 12:41:25 lilith acme-hydrus.dodsorf.as-start[2233969]: 2021/10/04 12:41:25 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/36912141660
  Oct 04 12:41:25 lilith acme-hydrus.dodsorf.as-start[2233969]: 2021/10/04 12:41:25 error: one or more domains had a problem:
  Oct 04 12:41:25 lilith acme-hydrus.dodsorf.as-start[2233969]: [hydrus.dodsorf.as] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://hydrus.dodsorf.as/.well-known/acme-challenge/pxMFKnR4CI8fzgQzwoeXYDegD-Beb3zVJW9sdbd4pB0 [51.174.193.44]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body>\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

Does someone here know off the top of your head why?
[12:29:23] hexa (@hexa:lossy.network): some location block shadowing the webroot?
[12:36:29] aanderse (@aanderse:nixos.dev):

hexa: your suggestion was to add this to my security.acme.certs."example.org" configuration, right?

  extraLegoRunFlags = [ "--preferred-chain=\"ISRG Root X1\"" ];
  extraLegoRenewFlags = [ "--preferred-chain=\"ISRG Root X1\"" ];

[12:36:44] hexa (@hexa:lossy.network): something along those lines
[12:36:56] hexa (@hexa:lossy.network): isn't that basically extraLegoFlags if you are adding it to both?
[12:37:09] aanderse (@aanderse:nixos.dev): extraLegoFlags complained the flag didn't exist
[12:37:18] hexa (@hexa:lossy.network): then it might be run only
[12:37:45] aanderse (@aanderse:nixos.dev): i put it in run and renew and i got my cert
[12:37:49] aanderse (@aanderse:nixos.dev): but pidgin still complains
[12:37:51] hexa (@hexa:lossy.network): alrighty
[12:38:04] hexa (@hexa:lossy.network): extraLegoFlags probably does `lego $extraLegoFlags <run/renew>
[12:38:06] hexa (@hexa:lossy.network): * extraLegoFlags probably does lego $extraLegoFlags <run/renew>
[12:38:10] hexa (@hexa:lossy.network): while the others append
[12:38:16] hexa (@hexa:lossy.network): would have to look that up though
