NixOS ACME / LetsEncrypt - Public Room Timeline

	NixOS ACME / LetsEncrypt	86 Members
	Another day, another cert renewal	39 Servers

Load older messages

Sender	Message	Time
7 Feb 2024
netpleb	In reply to @k900:0upti.me You should now go look at the logs for that ok. Progress finally! See this: Feb 07 22:01:03 netpleb-public-services named[524]: client @0x7f186e0f4768 127.0.0.1#40626/key rfc2136key.netpleb.com: signer "rfc2136key.netpleb.com" approved Feb 07 22:01:03 netpleb-public-services named[524]: client @0x7f186e0f4768 127.0.0.1#40626/key rfc2136key.netpleb.com: updating zone 'netpleb.com/IN': deleting rrset at '_acme-challenge.jitsi.netpleb.com' TXT Feb 07 22:01:03 netpleb-public-services named[524]: client @0x7f186e0f4768 127.0.0.1#40626/key rfc2136key.netpleb.com: updating zone 'netpleb.com/IN': adding an RR at '_acme-challenge.jitsi.netpleb.com' TXT "JMV6KVjVQtGlCFKSucMcbbCN8RqGY9_ZBZC3sVr9NW0" Feb 07 22:01:03 netpleb-public-services named[524]: client @0x7f186e0f4768 127.0.0.1#40626/key rfc2136key.netpleb.com: updating zone 'netpleb.com/IN': error: journal open failed: unexpected error Feb 07 22:01:03 netpleb-public-services named[524]: client @0x7f186c582368 127.0.0.1#50260/key rfc2136key.netpleb.com: signer "rfc2136key.netpleb.com" approved	22:13:24
netpleb	it is unclear to me which journal it is talking about. I also did this setup verbatim from the nixos manual, but originally I did have NSD installed. Maybe that is related?	22:20:02
netpleb	* it is unclear to me which journal it is talking about?	22:51:26
netpleb	how do you guys install your zone? do you use something like `environment.etc."bind/zones/example.com.zone".source = ./example.com.zone` where `./example.com.zone` is in the git repo (I am using flakes)	23:29:36
netpleb	* how do you guys install your zone? do you use something like `environment.etc."bind/zones/example.com.zone".source = ./example.com.zone;` where `./example.com.zone` is in the git repo (I am using flakes)	23:29:50
8 Feb 2024
netpleb	finally fixed it...had to make a oneshot service that `chmod --recursive named:named /etc/bind/zones` so that `named` has permission to load some `.jnl` file which apparently it needs to do the acme stuff.	01:09:16
	symys joined the room.	18:51:42
netpleb	to round this "issue" out for anyone else who comes along trying to figure out something similar: it turns out that when you follow the "fully self-hosted example using bind" in the manual, there is a subtle thing which probably goes unnoticed for many, namely `bind.zones..file = "/var/db/bind/${name}";` is in a directory which needs to be read/writable by bind. On my machine that directory had not yet even been created, and never actually was. This is because I had instead set `bind.zones..file = ./zone-file-in-my-git-repo` which means that Nix put the zone file into the nix store (which is fine as far as I am concerned) but the problem is that `bind` tries to create the `.jnl` file right next to it when doing the acme updates, which it obviously cannot do. So that is what threw the permission denied error which took a while to track down.	18:56:44
netpleb	so, in the end, what I am wondering is whether this is actually an issue with the `bind` package and module, and not the `secruity.acme` module. What do you guys think?	18:57:22
netpleb	* to round this "issue" out for anyone else who comes along trying to figure out something similar: it turns out that when you follow the "fully self-hosted example using bind" in the manual, there is a subtle thing which probably goes unnoticed for many, namely `bind.zones..file = "/var/db/bind/${name}";` is in a directory which needs to be read/writable by bind. On my machine that directory had not yet even been created, and never actually was. This is because I had instead set `bind.zones..file = ./zone-file-in-my-git-repo` which means that Nix put the zone file into the nix store (which is fine as far as I am concerned) but the problem is that `bind` tries to create the `.jnl` file right next to it when doing the acme updates, which it obviously cannot do. So that is what threw the permission denied error which took a while to track down. (and for which I am grateful to K900 ⚡️ for your patience in helping me get there!)	18:58:44
netpleb	* so, in the end, what I am wondering is whether this is actually an issue with the `bind` package and module, and not the `secruity.acme` module. What do you guys think? or maybe it is just a documentation thing?	18:59:11
netpleb	* to round this "issue" out for anyone else who comes along trying to figure out something similar: it turns out that when you follow the "fully self-hosted example using bind" in the manual, there is a subtle thing which probably goes unnoticed for many, namely `bind.zones..file = "/var/db/bind/${name}";` is in a directory which needs to be read/writable by bind. On my machine that directory had not yet even been created, and never actually was. This is because I had instead set `bind.zones..file = ./zone-file-in-my-git-repo` which means that Nix put the zone file into the nix store (which is fine as far as I am concerned) but the problem is that `bind` tries to create the `.jnl` file right next to it (in the nix store) when doing the acme updates, which it obviously cannot/should not do. So that is what threw the permission denied error which took a while to track down. (and for which I am grateful to K900 ⚡️ for your patience in helping me get there!)	19:00:25
netpleb	* to round this "issue" out for anyone else who comes along trying to figure out something similar: it turns out that when you follow the "fully self-hosted example using bind" in the manual, there is a subtle thing which probably goes unnoticed for many, namely `bind.zones..file = "/var/db/bind/${name}";` is in a directory which needs to be read/writable by bind. On my machine that directory had not yet even been created, and never actually was. This is because I had instead set `bind.zones..file = ./zone-file-in-my-git-repo` which means that Nix put the zone file into the nix store (which is fine as far as I am concerned) but the problem is that `bind` tries to create the `.jnl` file right next to it (in the nix store) when doing the acme updates, which it obviously cannot/should not do. So that is what threw the permission denied error which took a while to track down. (and for which I am grateful to K900 ⚡️ for your patience in helping me get there!) My probably-not-the-best workaround was to add the zone file the the machine using something like `environment.etc."bind/zones/the-zone-file";` and then a oneshot systemd service which runs the `chmod --recursive named:named /etc/bind/zones` command. Then everything seemed to finally work.	19:09:47
18 Feb 2024
	link2xt joined the room.	02:44:10
21 Feb 2024
	@pederbs:pvv.ntnu.no left the room.	00:50:58
6 Mar 2024
	Sammy (It/Its) joined the room.	19:03:45
7 Mar 2024
hexa	acme test failure on unstable-small https://gist.github.com/mweinelt/7398a4d24ef4a4cd8f9dfa771ecb1f2a	02:12:57
hexa	Test "Can request certificate with Lego's built in web server" failed with error: "unit "acme-finished-http.example.test.target" is inactive and there are no pending jobs"	02:13:15
K900	In reply to @hexa:lossy.network acme test failure on unstable-small https://gist.github.com/mweinelt/7398a4d24ef4a4cd8f9dfa771ecb1f2a That's the same old flake	06:19:48
K900	That was never fixed	06:19:51
hexa	yeah, I didn't check, but wanted to dump before restrating	10:43:04
10 Mar 2024
	@olafkfreund:matrix.org joined the room.	20:17:54
11 Mar 2024
	w joined the room.	14:20:32
14 Mar 2024
	NixOS Moderation Botchanged room power levels.	18:45:31
15 Mar 2024
	@grahamc:nixos.org joined the room.	23:42:06
19 Mar 2024
	NixOS Moderation Botchanged room power levels.	00:30:55
21 Mar 2024
	NixOS Moderation Botchanged room power levels.	18:03:46
	@grahamc:nixos.org left the room.	20:08:06
31 Mar 2024
	Miles Dyson joined the room.	23:06:53
5 Apr 2024
	Benedikt joined the room.	04:50:59

Show newer messages

Back to Room ListRoom Version: 6