!MthpOIxqJhTgrMNxDS:nixos.org

NixOS ACME / LetsEncrypt

Another day, another cert renewal

29 Jan 2025
[20:16:47] m1cr0man: This has been a decision from the get-go: We are not testing lego, we are testing the Nix module. I have 0 interest in testing behaviour of lego outside of standard operation.
2 Feb 2025
[02:07:22] m1cr0man: https://github.com/NixOS/nixpkgs/issues/374792#issuecomment-2629203727
16 Feb 2025
[22:13:39] ThinkChaos: I'm looking at what can be done to create the ACME account separately from fetching a cert again because of the impending Revert "nixos/nginx: not "before" ACME certs using DNS validation".
m1cr0man Have you already brought up adding a lego sub-command that only creates the account with them?
That looks like something I can try to contribute there, so I'm curious if there's relevant discussion I didn't find.
[22:43:14] m1cr0man: I haven't reached out to lego about that specifically. It would be a nice thing to have for sure
[22:43:23] m1cr0man: We could then add it to the setup service
[22:43:59] ThinkChaos: Ok, I'll look into it more
[22:44:34] ThinkChaos: Exactly, the goal behind it is to simplify the unit dependencies
17 Feb 2025
[16:55:13] hexa: I don't think we currently support ACME Renewal Info (ARI), because we don't execute lego when the certificate is not yet outdated
[16:55:14] hexa: https://github.com/go-acme/lego/pull/1912
[16:56:10] emily: I thought we execute lego like every 24 hours
[16:56:11] hexa: LE are currently sending out mail to their subscribers with recommendations
[16:56:15] emily: did that get conditionalized?
[16:56:26] hexa: hm, let me check
[16:56:48] emily: https://github.com/NixOS/nixpkgs/pull/80856
[16:57:04] emily: of course the module has changed a lot since then so it's possible we don't reliably execute lego when that timer fires, which would be bad
[16:58:04] hexa:
# Check if we can renew.
# We can only renew if the list of domains has not changed.
# We also need an account key. Avoids #190493
if cmp -s domainhash.txt certificates/domainhash.txt && [ -e 'certificates/juno.lossy.network.key' ] && [ -e 'certificates/juno.lossy.network.crt' ] && [ -n "$(find accounts -name 'hexa@darmstadt.ccc.de.key')" ]; then

  # Even if a cert is not expired, it may be revoked by the CA.
  # Try to renew, and silently fail if the cert is not expired.
  # Avoids #85794 and resolves #129838
  if ! lego --accept-tos --path . -d juno.lossy.network --email hexa@darmstadt.ccc.de --key-type ec384 --dns rfc2136 --server https://acme-v02.api.letsencrypt.org/directory renew --no-random-sleep --days 30; then
    if is_expiration_skippable out/full.pem; then
      echo 1>&2 "nixos-acme: Ignoring failed renewal because expiration isn't within the coming 30 days"
    else
      # High number to avoid Systemd reserved codes.
      exit 11
    fi
  fi

# Otherwise do a full run
elif ! lego --accept-tos --path . -d juno.lossy.network --email hexa@darmstadt.ccc.de --key-type ec384 --dns rfc2136 --server https://acme-v02.api.letsencrypt.org/directory run; then
  # Produce a nice error for those doing their first nixos-rebuild with these certs
  echo Failed to fetch certificates. \
    This may mean your DNS records are set up incorrectly. \
    Selfsigned certs are in place and dependent services will still start.
  # Exit 10 so that users can potentially amend SuccessExitStatus to ignore this error.
  # High number to avoid Systemd reserved codes.
  exit 10
fi
[16:58:13] hexa: looks like we always call lego
[16:58:42] emily: perhaps we just need to pass an ARI flag then. (not sure why that wouldn't be default)
[16:59:00] hexa: still a draft
[16:59:08] hexa: https://datatracker.ietf.org/doc/draft-ietf-acme-ari/
[17:07:42] emily: I think it's been deployed at Let's Encrypt for a while though
[17:07:48] emily: (years?)
[17:10:23] hexa: yeah, 2023-2024
[17:10:30] hexa: they updated the spec a few times
[17:10:44] hexa:
      security.acme.defaults.extraLegoRenewFlags = [
        # https://datatracker.ietf.org/doc/draft-ietf-acme-ari/
        "--ari-enable"
      ];
[17:11:12] hexa: does nothing when the acme endpoint does not offer RenewInfo
[17:12:17] hexa: https://letsencrypt.org/2024/04/25/guide-to-integrating-ari-into-existing-acme-clients/#step-5-selecting-a-specific-renewal-time
