| 4 Oct 2021 |
aanderse | hexa: your suggestion was to add this to my security.acme.certs."example.org" configuration, right?
extraLegoRunFlags = [ "--preferred-chain=\"ISRG Root X1\"" ];
extraLegoRenewFlags = [ "--preferred-chain=\"ISRG Root X1\"" ];
| 12:36:29 |
hexa | something along those lines | 12:36:44 |
hexa | isn't that basically extraLegoFlags if you are adding it to both? | 12:36:56 |
aanderse | extraLegoFlags complained the flag didn't exist | 12:37:09 |
hexa | then it might be run only | 12:37:18 |
aanderse | I put it in run and renew and I got my cert | 12:37:45 |
aanderse | but pidgin still complains | 12:37:49 |
hexa | alrighty | 12:37:51 |
hexa | extraLegoFlags probably does lego $extraLegoFlags <run/renew> | 12:38:06 |
hexa | while the others append | 12:38:10 |
hexa | would have to look that up though | 12:38:16 |
hexa | In reply to @aanderse:nixos.dev: "any chance we need to update LEGO? ... or iunno... anything? i think the letsencrypt root cert expired recently and one of my certs is having issues when being used with prosody. i don't have many details, sorry, short on time" — updated lego nevertheless. https://github.com/NixOS/nixpkgs/pull/140479 | 12:54:44 |
hexa | In reply to @hexa:lossy.network: "some location block shadowing the webroot?" — try removing the location blocks one by one to rule them out | 12:55:14 |
Dandellion | Mhm, will try | 12:55:49 |
hexa | also check your nginx log, it might show you the full path it tried | 12:56:14 |
aanderse | thanks | 12:56:29 |
Dandellion | In reply to @hexa:lossy.network: "try removing the location blocks one by one to rule them out" — For some crazy reason I had
services.nginx.virtualHosts = {
"acmechallenge.dodsorf.as" = {
# Catchall vhost, will redirect users to HTTPS for all vhosts
serverAliases = [ "*.dodsorf.as" ];
# /var/lib/acme/.challenges must be writable by the ACME user
# and readable by the Nginx user.
# By default, this is the case.
locations."/.well-known/acme-challenge" = {
root = "/var/lib/acme/.challenges";
};
locations."/" = {
return = "301 https://$host$request_uri";
};
};
};
in my config
| 20:38:31 |
hexa | 🙂 | 20:39:13 |
Dandellion | which it seems I copied from here https://nixos.org/manual/nixos/stable/#module-security-acme-configuring | 20:39:35 |
Dandellion | probably from when I was using traefik or something :) | 20:40:15 |
Dandellion | Thanks for your help! | 20:40:27 |
hexa | np | 20:47:58 |
| 5 Oct 2021 |
| David Guibert joined the room. | 07:01:54 |
| 6 Oct 2021 |
| Rosario Pulella changed their display name from rosariopulella to Rosuavio. | 10:38:32 |
| Rosario Pulella changed their display name from Rosuavio to Rosario Pulella. | 10:44:57 |
m1cr0man | Hey folks 👋 been a while since I've been on Matrix 😅 How are things? Seeing the news about the acme root cert stuff last week, it was nice to know that our module was not going to result in any issues 💪 😉 | 20:21:14 |
hexa | yeah, the module is really awesome, and we are iterating in small steps on it to make it even better! | 20:47:23 |
hexa | two things on the 21.11 agenda | 20:47:33 |
hexa | https://github.com/NixOS/nixpkgs/pull/139311 (hardening fix)
https://github.com/NixOS/nixpkgs/pull/140743 (design)
https://github.com/NixOS/nixpkgs/pull/125256 (stale)
https://github.com/NixOS/nixpkgs/pull/140479 (merged) | 20:48:43 |