!MthpOIxqJhTgrMNxDS:nixos.org

NixOS ACME / LetsEncrypt

104 Members
Another day, another cert renewal44 Servers

Load older messages


SenderMessageTime
13 Jun 2023
@emilazy:matrix.orgemilyFWIW, relevant LE rate limits: "The main limit is Certificates per Registered Domain (50 per week)." "You can create a maximum of 300 New Orders per account per 3 hours." "You can have a maximum of 300 Pending Authorizations on your account."20:17:11
@emilazy:matrix.orgemilyfor #1, probably people with tons of certs mostly have them on different domains20:17:31
@emilazy:matrix.orgemily#2 means that someone with >300 domains would currently run into rate limits with our existing setup20:17:52
@emilazy:matrix.orgemily#3 could theoretically happen if the system chugs enough that the ACME client starts issuing a bunch of certs but doesn't run to completion before more spawn up20:18:17
@emilazy:matrix.orgemilyof course people with these many certs should probably apply for an exemption anyway, but I think it's good to note the magnitude/timeframe of the upstream limits20:18:43
@m1cr0man:m1cr0man.comm1cr0man

okay yeah, so these are pretty lenient for most people I think I was only concerned about the concurrent one that the ticket opener mentioned:

the “new-nonce”, “new-account”, “new-order”, and “revoke-cert” endpoints on the API have an Overall Requests limit of 20 per second.

Right now this one is very easy to do

20:19:53
@m1cr0man:m1cr0man.comm1cr0man *

okay yeah, so these are pretty lenient for most people. I think I was only concerned about the concurrent one that the ticket opener mentioned:

the “new-nonce”, “new-account”, “new-order”, and “revoke-cert” endpoints on the API have an Overall Requests limit of 20 per second.

Right now this one is very easy to do

20:20:03
@emilazy:matrix.orgemilyah I missed that one. never skim read!20:20:30
@emilazy:matrix.orgemilyso yeah my inclination is that it would be good to have something default that ensures we're not issuing certificates at a rate that would surpass that. but preferably not full serialization since that's quite a lot further than that20:21:15
@emilazy:matrix.orgemilyI feel like there should be a good way to rate limit these services starting without fussing with CPU quotas or whatever.20:21:44
@emilazy:matrix.orgemily okay there is 20:22:08
@emilazy:matrix.orgemilywe have StartLimitIntervalSec/StartLimitBurst/StartLimitAction which look perfect. however, I'm guessing that we would need to switch over to @ units to use it - because otherwise all our services are entirely separate20:22:45
@emilazy:matrix.orgemilyunless it counts the bit after the @ as part of the unit for rate limiting and it's just for making restarts not spam :/20:23:03
@emilazy:matrix.orgemilywe need a systemd expert :)20:23:22
@m1cr0man:m1cr0man.comm1cr0manafaik StartLimit* only applies to services which would enter the failed state? I did consider suggesting that :) however the docs imply it's only for failure. You would need to pair it with Condition/Assert* directives in the unit section, which would be evaluated en masse and actually wouldn't stop concurrency at activation at all20:23:50
@emilazy:matrix.orgemilyit does say "Configure unit start rate limiting. Units which are started more than burst times within an interval time span are not permitted to start any more." but yeah I'm not sure if it would work20:24:32
@m1cr0man:m1cr0man.comm1cr0manI was thinking we could use unit retry logic + ConditionPathExists for really easy locking and semaphores20:24:44
@emilazy:matrix.orgemilymaybe I'm missing some verbiage that applies it's restart-specific but it seems to mostly note that as a side thing?20:25:27
@m1cr0man:m1cr0man.comm1cr0manafaik "Units which are started" means "for each unit started" rather than "for all units started", so dynamic services would all be individual services and have their own startlimits20:25:31
@emilazy:matrix.orgemilybut I have a suspicion that it may treat all @ unit instantiations as separate in which case it wouldn't help us anyway. sigh, ACME issuance should really be handled as a daemon20:25:52
@m1cr0man:m1cr0man.comm1cr0manyarp20:26:02
@m1cr0man:m1cr0man.comm1cr0manat what point do I just right NixCerts-rs20:26:15
@m1cr0man:m1cr0man.comm1cr0man * at what point do I just write NixCerts-rs20:26:19
@emilazy:matrix.orgemilywe are constantly trying to piece together what would be pretty simple logic for a long-running daemon out of paperclips and tape20:26:31
@emilazy:matrix.orgemilyheh, I don't envy anyone trying to implement ACME from scratch20:26:51
@m1cr0man:m1cr0man.comm1cr0man... maybe we need an RFC, to propose a new solution for acme20:27:00
@emilazy:matrix.orgemilysomething with certmagic would probably be pretty easy to do20:27:11
@emilazy:matrix.orgemily(but we can't just switch over to caddy without breakage because of all the lego-specific config we expose...)20:27:30
@m1cr0man:m1cr0man.comm1cr0manyeah, sadly20:27:38
@m1cr0man:m1cr0man.comm1cr0man it would be a major breaking change and people hate remembering how they set their certs up (me included) 20:28:04

Show newer messages


Back to Room ListRoom Version: 6