 | NixOS ACME / LetsEncrypt | 92 Members |
| Another day, another cert renewal | 42 Servers |
| NixOS ACME / LetsEncrypt | 92 Members |
| Another day, another cert renewal | 42 Servers |
| Sender | Message | Time |
|---|---|---|
| 3 Jun 2024 | ||
 Stéphan | I just have no idea how to test it | 08:49:04 |
| Stéphan | I reused the fixperms service, because I was worried about bind mounts. I'm not sure if bind mounts are preserved from ExecStartPre to ExecStart, or if they are recreated correctly when the underlying directory changed. | 08:50:13 |
| Stéphan | Now that I think about it, maybe a simple -e or -d check won't work because the $newHash directory will always be created via BindPaths? | 08:51:01 |
| Stéphan | Looks like it's always created: https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#BindPaths= | 08:51:59 |
| Stéphan | Oh wait, the fixperms / migration service doesn't use BindPaths. So what I cooked up there may work. | 08:55:41 |
 Arian | We have quite an extensive NixOS test which we could change. But doing NixOS tests for "transitions" is always a bit tricky | 09:22:26 |
| Arian | Stéphan: dont this based on stateVersion wont work | 09:24:03 |
| Arian | * Stéphan: doing this based on stateVersion wont work I think | 09:24:23 |
| Arian | ah no nvm forget what I said | 09:26:04 |
| Arian | Hmm how do we handle people who rollback boot into a 23.11 configuration ? :/ | 09:29:01 |
| Arian | maybe we should symlink or copy the directory instead of moving? idk. Maybe it's not worth it supporting rollbacks. Just thinking out loud of another failure mode here | 09:29:39 |
| Stéphan | I like that idea, but no idea if a symlink works | 09:31:44 |
| Arian | urgh I feel bad that this shipped. The whole reason we created the ACME Team was to catch these kind of things :( I’m kind of confused why automation didnt tag us for review. Given we’re set up as | 09:34:37 |
| Stéphan | I think BindPaths should follow a symlink, because I found this, which says not following a symlink is something you otherwise need to specify explicitely: https://github.com/systemd/systemd/issues/32366 | 09:35:27 |
| Stéphan | In reply to @arianvp:matrix.orgSee: https://github.com/NixOS/nixpkgs/pull/270221#issuecomment-2144652323 | 09:36:12 |
| Arian | ah awesome | 09:36:19 |
| Arian | Oh well no hard feelings. we’re all human. just makes my blood pressure go up to know I’m breaking people’s TLS setup :’) | 09:37:15 |
| Arian | Added a WIP PR to add the team to code-owners: https://github.com/NixOS/nixpkgs/pull/316854 | 09:45:09 |
| Arian | If there are any volunteers to join the team just yell ;) | 09:45:39 |
 Sandro 🐧 | You could symlink the old hash to the new one if the new directory doesn't exist and the contents are similar enough to be compatible | 09:52:47 |
| Sandro 🐧 | In reply to @arianvp:matrix.orgCopy means you have old, potentially ran out certs | 09:52:47 |
| Sandro 🐧 | In reply to @arianvp:matrix.org I know of the one case that went on Hackernews. DNS challenge works against that, does it? | 09:52:47 |
| Sandro 🐧 | I have a PR for a test improvement open for 4 months to prevent sich issues in the future and no one really cared, so I just gave up https://github.com/NixOS/nixpkgs/pull/286999 | 09:52:47 |
| Arian | Yeh no blame on you at all. | 09:53:22 |
| Sandro 🐧 | Going back to null is also not that great because then we rely on the lego defaults which could change in the future | 09:56:08 |
| Sandro 🐧 | If you have a change I could test, throw it over the fence | 10:00:00 |
| Arian | yeh I think the only solution is to do some state mangling. Or just put in the release notes that the hash changed and call it a day | 10:00:10 |
| Sandro 🐧 | I really thought we already had that in the release notes... | 10:00:36 |
| Arian | We used to have bugs where we would recreate the same account multiple times: https://github.com/NixOS/nixpkgs/pull/106857 and the account creation rate limiting is very aggressive (5 per day?) But I think we dont run into that issue anymore | 10:00:39 |
| Arian | So the rate-limit issue is probably less of a problem; unless you have A lot of domains | 10:01:25 |