!MthpOIxqJhTgrMNxDS:nixos.org

NixOS ACME / LetsEncrypt

86 Members
Another day, another cert renewal39 Servers

You have reached the beginning of time (for this room).

SenderMessageTime
9 Jun 2023
@emilazy:matrix.orgemilydespite all the headaches lego has caused I would like to spend a moment of thanks for the fact that we did not move to anything shell-based: https://github.com/acmesh-official/acme.sh/issues/465910:24:43
@emilazy:matrix.orgemilyah I see this already came up in the security channel11:19:04
13 Jun 2023
@m1cr0man:m1cr0man.comm1cr0man Hello again :) Busy few weeks... looking into https://github.com/NixOS/nixpkgs/issues/232505 again. I just had a notion - could we chain all the certs together with an After= condition? We would still need to avoid auto-starting the services for each cert (otherwise config switch would take a REALLY long time) but that might be easy to solve with a target. 19:44:52
@m1cr0man:m1cr0man.comm1cr0man
In reply to @emilazy:matrix.org
despite all the headaches lego has caused I would like to spend a moment of thanks for the fact that we did not move to anything shell-based: https://github.com/acmesh-official/acme.sh/issues/4659
Oh wow.. that's spooky. At least if we were using that our systemd services for renewal are hardened like steel 		19:45:33
@emilazy:matrix.orgemilyonly so much hardening you can do when the process has access to private keys :(20:03:36
@emilazy:matrix.orgemily(ideally you have privilege separation so that the process that talks to the ACME server doesn't have access to the keys but I don't think even lego does that)20:05:44
@emilazy:matrix.orgemily
In reply to @m1cr0man:m1cr0man.com
Hello again :) Busy few weeks... looking into https://github.com/NixOS/nixpkgs/issues/232505 again. I just had a notion - could we chain all the certs together with an After= condition? We would still need to avoid auto-starting the services for each cert (otherwise config switch would take a REALLY long time) but that might be easy to solve with a target.
honestly I don't know if there's a one-size-fits-all solution to this. we can randomize renewal time because it fundamentally doesn't matter when renewal happens as long as it's sufficiently far in advance. some users will want their sites accessible as soon as possible after setting up a new box or activating a new configuration; some will be worried about load and rate limits. i don't see how we can satisfy both out of the box 		20:06:49

Show newer messages

Back to Room ListRoom Version: 6