| 4 Jul 2025 |
 Christian Theune | 
Download Screenshot 2025-07-04 at 10.12.07.png | 08:12:46 |
| Christian Theune | Alright. Some discussion with leona and max lead to this ^^ | 08:12:49 |
| Christian Theune | I'll put that into code and see how that works. | 08:13:00 |
| Christian Theune | something that doesn't fit in there is that preliminary self signed certificates can be turned off currently. | 08:22:52 |
| Christian Theune | this setup would always introduce (temporary) self-signed certificates. (currently if you turn off preliminary self signed certificates and lets encrypt doesn't work for some reason, we don't start the consumer service at all because the configs will be invalid) | 08:23:50 |
| Christian Theune | i would consider it an acceptable shift in detail wrt to reduced overall complexity. | 08:24:40 |
| Christian Theune | * i would consider it an acceptable tradeoff with the benefit of reduced complexity. | 08:25:11 |
| Christian Theune | otoh if someone runs dns-01 everywhere and doesn't ever need to show self signed certificates and wants to reduce the risk of exposing users to those ... | 08:26:12 |
| Christian Theune | hmpf. | 08:26:15 |
| Christian Theune | however, if you have a more complex service that acts as a "nexus" then maybe only one of multiple vhosts uses dns-01, others might be using http-01 or tls-01 and need the self-signed certificates anyway and then you get unpredictable behaviour. | 08:29:06 |
| Christian Theune | in that sense, the tradeoff seems even more beneficial: reduced complexity and more predictable behaviour. | 08:29:26 |
| Christian Theune | we originally added it as an option when creating self-signed certificates wasn't supported yet, so ... i guess it was created as an option ... because we can? | 08:30:28 |
| Christian Theune | i'll turn into coding mode now and see how this works out. | 08:30:38 |
|  leona joined the room. | 08:31:15 |
| Christian Theune | 👋 | 08:31:20 |
|  ma27 joined the room. | 08:31:24 |
 emily | I say this every time our ACME module fails to scale for someone, but ACME issuance really wants to be a proper service rather than scripted out of systemd bits and you might want to consider trying something like Caddy for an issuance daemon :) | 09:42:56 |
| emily | (not that I don't welcome improvements especially if they simplify the code) | 09:43:10 |
| Christian Theune | yeah, our stack is already interesting, so i'd rather not use caddy (and we have non-http requirements anyway) and the overall integration is quite nice - it's a lot more advanced than what others have, so ... yeah. I was considering replacing the scripted stuff but it's not obvious to be better as a replacement when trying to start from the ground up ... 🙂 | 10:00:53 |
| Christian Theune | i started this week with the assumption of "lets make it a proper service" but then the dependency management around it for consumers is quite complex anyway and this means doing stuff in "systemd land" isn't going away either ... | 10:01:33 |
| Christian Theune | so, at the moment: this makes me understand the code base much better and maybe we can turn it into a proper service at another point in time. lego as the client is quite valuable, so traefik would be an option, but then it gets in the way with other http stuff or needs more layering) | 10:02:35 |
| emily | to be clear, you can use Caddy as an "issue TLS certs to files" daemon, for HTTP-01, TLS-ALPN-01, and DNS-01 | 10:21:59 |
| emily | without any HTTP server component (beyond serving .well-known/acme-challenge if you use HTTP-01) | 10:22:10 |
| emily | it is one of the few ACME implementations that gets most of the things in https://github.com/https-dev/docs/blob/master/acme-ops.md right (I mean, the author co-wrote that document so not too surprising, and some of them are irrelevant these days, but :) ) | 10:23:16 |
| emily | anyway, not the optimal solution for every setup for sure, especially if you already integrate tightly with the NixOS ACME support | 10:23:31 |
| emily | just want to throw out that it is a very competent ACME client and if you have complex scaling needs that the module isn't covering it is worth considering for that purpose | 10:23:54 |
| emily | (it used to use lego internally but moved to its own acmez implementation because of lego design limitations) | 10:25:15 |
| Christian Theune | thanks for that input! 🙂 | 10:27:56 |
| Christian Theune | interestingly the doc is a bit outdated already, though ... | 10:30:34 |
| emily | well that is just reference material for ACME client developers from >half a decade ago | 11:09:15 |
