9 Feb 2023 |
Winter (she/her) | your judgement is trusted for a reason, and it seems that they're not even responding to (or understanding?) your claims | 19:44:24 |
m1cr0man | Okay yeah, I'll do that. Thanks :) | 19:44:48 |
10 Feb 2023 |
Andreas Schrägle | Huh, I guessed correctly who that was before opening it. He's... not always easy to deal with, which kind of sucks, because he does sometimes contribute quite useful stuff. | 13:54:55 |
hexa | you would think there is a language barrier | 16:11:40 |
hexa | but sometimes the communication works quite flawlessly | 16:11:48 |
12 Feb 2023 |
m1cr0man | :( They are not happy about me closing the PR | 18:18:54 |
m1cr0man | I'm trying to figure out if it would solve this but I don't think it does. At least then it has some technical merit beyond "keep the generated config cleaner" | 18:25:07 |
m1cr0man | Oh right I finally understand 180980 properly, better than I did in September :P | 18:31:20 |
m1cr0man | There, I left a big reply in 199033, I did out a truth table for his proposal, which a) took way too long to figure out the implications and b) turned out to be needlessly complicated and I would think harmful to some existing configs. | 20:25:04 |
16 Feb 2023 |
m1cr0man | Hm, interesting https://github.com/NixOS/nixpkgs/issues/216487 I'll do my best to explain why it exists. | 09:29:55 |
m1cr0man | Tldr the conditionPathExists is needed to ensure successful reload when vhosts with new certs are added, and it performs batching too | 09:32:27 |
m1cr0man | Actually, there might be a way to reduce the number of reloads with some file touching | 09:35:22 |
m1cr0man | But that's extra complexity to solve a non-issue afaik. What harm does extra reloading do? | 09:35:55 |
23 Feb 2023 |
raitobezarius | Breaking TCP connections basically | 05:04:00 |
raitobezarius | Hm no reload keeps the existing ones * | 05:04:40 |
4 Mar 2023 |
raitobezarius | I have a NixOS test using curl to test TLS-related stuff:
webserver # * Server certificate:
webserver # * subject: CN=*.test.nix
webserver # * start date: Jan 30 03:41:18 2023 GMT
webserver # * expire date: Jan 30 03:41:18 2043 GMT
webserver # * subjectAltName does not match direct.noproxy.test.nix
webserver # * SSL: no alternative certificate subject name matches target host name 'direct.noproxy.test.nix'
I am using ACME snakeoil certs, but for some reason, my wildcard cert with CN=*.test.nix and SAN=[*.test.nix] is not considered as valid by curl, though openssl -showcerts -connect validates the chain properly… (I used security.pki.certificateFiles)
| 19:41:47 |
raitobezarius | Does anyone understand how I can get curl to debug this, or is it an instance of curl failing because the CN contains * and this is not really allowed? | 19:42:06 |
raitobezarius | It seems like minica is doing this and I have no real control over this | 19:42:14 |
raitobezarius | CN=*.test.nix and SAN=[*.test.nix] * | 19:44:03 |
m1cr0man | have you passed the snakeoil root CA into the CA bundle for curl? | 20:01:33 |
m1cr0man | oh wait I see what's wrong - you actually can't use a wildcard for 2+ nested domains | 20:01:51 |
m1cr0man | noproxy.test.nix would work, direct-noproxy.test.nix would also work, but what you have is invalid, you would need a wildcard for that subdomain | 20:02:16 |
raitobezarius | Aaaaah | 22:52:53 |
raitobezarius | Thanks m1cr0man:! | 22:53:21 |
m1cr0man | No bother! :) | 22:53:36 |
6 Mar 2023 |
hexa | https://hydra.nixos.org/log/fn9hp25w7h8na36gfyqkrfpfmlrffksj-vm-test-run-acme.drv | 08:15:38 |
hexa | on unstable-small | 08:15:41 |
hexa | Test "Can request certificate with Lego's built in web server" failed with error: "unit "acme-finished-http.example.test.target" is inactive and there are no pending jobs" | 08:15:51 |
m1cr0man | Amazing thank you for catching that | 11:25:34 |