 | NixOS ACME / LetsEncrypt | 93 Members |
| Another day, another cert renewal | 43 Servers |
| NixOS ACME / LetsEncrypt | 93 Members |
| Another day, another cert renewal | 43 Servers |
| Sender | Message | Time |
|---|---|---|
| 13 Jun 2023 | ||
 emily | I don't want to significantly penalize the common case of just a few domains for that though, or stretch it out to "without manual intervention migrating your NixOS box will result in your sites being offline for the next day" | 20:11:54 |
| emily | fundamentally if you want your sites running with TLS you have to spend a certain amount of compute, memory and network to get there | 20:12:15 |
 m1cr0man | yep, I'm in full agreement with all of that. I might explore the chained services option to see how it performs and if there's a way to work around the activation delay, with the thought that this solution would be an optional (default off) feature of the module | 20:14:49 |
| emily | FWIW, relevant LE rate limits: "The main limit is Certificates per Registered Domain (50 per week)." "You can create a maximum of 300 New Orders per account per 3 hours." "You can have a maximum of 300 Pending Authorizations on your account." | 20:17:11 |
| emily | for #1, probably people with tons of certs mostly have them on different domains | 20:17:31 |
| emily | #2 means that someone with >300 domains would currently run into rate limits with our existing setup | 20:17:52 |
| emily | #3 could theoretically happen if the system chugs enough that the ACME client starts issuing a bunch of certs but doesn't run to completion before more spawn up | 20:18:17 |
| emily | of course people with these many certs should probably apply for an exemption anyway, but I think it's good to note the magnitude/timeframe of the upstream limits | 20:18:43 |
| m1cr0man | okay yeah, so these are pretty lenient for most people I think I was only concerned about the concurrent one that the ticket opener mentioned: Right now this one is very easy to do | 20:19:53 |
| m1cr0man | * okay yeah, so these are pretty lenient for most people. I think I was only concerned about the concurrent one that the ticket opener mentioned: Right now this one is very easy to do | 20:20:03 |
| emily | ah I missed that one. never skim read! | 20:20:30 |
| emily | so yeah my inclination is that it would be good to have something default that ensures we're not issuing certificates at a rate that would surpass that. but preferably not full serialization since that's quite a lot further than that | 20:21:15 |