!MthpOIxqJhTgrMNxDS:nixos.org

NixOS ACME / LetsEncrypt

85 Members, 38 Servers

Topic: Another day, another cert renewal



3 Jun 2024

08:12:35 Arian (@arianvp:matrix.org): and we change it to the letsencrypt uri
08:13:01 K900 (@k900:0upti.me): But how is it leaking into CAA records then
08:13:03 K900: Is what I don't get
08:13:35 Arian: You can bind your CAA record to your account ID these days
08:13:40 K900: Oh
08:13:42 Arian: it's a new extension to ACME protocol
08:13:45 Arian: to detect MITM attacks
08:13:58 K900: Yeeeeeah
08:14:03 K900: But then we can just migrate
08:14:11 K900: Like
08:14:15 Arian: (and it's important. E.g. German government has been issuing LetsEncrypt certificates for a lot of XMPP servers through MITM'ing through middleboxes at Hetzner datacenters and got caught red-handed multiple times last year)
08:14:32 K900: Compute old hash and new hash
08:14:34 K900: In preStart
08:15:15 Arian: my idea was to make something like `${stateVersion < 23.11 ? " " : acmeServer}`
08:15:25 K900:

    And then

    # Rename the old account directory to the new hash, but refuse to
    # clobber an existing directory for the new hash.
    if [ -d "$oldHash" ]; then
      if [ ! -d "$newHash" ]; then
        mv "$oldHash" "$newHash"
      else
        echo "You are dedge please fix"
        exit 1
      fi
    fi

08:15:56 K900: People who have two accounts need to manually adjust anyway
08:16:00 K900: It's too late for them
08:16:11 K900: Because we can't just roll them back either
08:16:17 K900: Or we might break them AGAIN
08:16:52 Arian: yeh. Cat is out of the bag
08:17:02 Arian: so I guess stateVersion also doesn't work.. as this release is already out
08:17:34 Arian: I like the ExecStartPre idea
08:18:02 Arian: K900: you wanna prepare a patch with that?
08:18:21 K900: No
08:18:27 Arian: okay then I'll give it a shot later
08:18:30 Arian: thanks for the idea though! :)
08:18:44 K900: I've got pretty bad brain fog from the cold still, I don't trust myself to not fuck this up
08:19:11 Arian: Yeh load-bearing bash is fun :D
08:44:56 Stéphan (@stephank:stephank.nl) joined the room.
08:48:56 Stéphan: By no means a good attempt, but I hacked away on this: https://github.com/NixOS/nixpkgs/compare/master...stephank:nixpkgs:fix-acme?w=1


