| 4 Jul 2025 |
emily | to be clear, you can use Caddy as an "issue TLS certs to files" daemon, for HTTP-01, TLS-ALPN-01, and DNS-01 | 10:21:59 |
emily | without any HTTP server component (beyond serving .well-known/acme-challenge if you use HTTP-01) | 10:22:10 |
emily | it is one of the few ACME implementations that gets most of the things in https://github.com/https-dev/docs/blob/master/acme-ops.md right (I mean, the author co-wrote that document so not too surprising, and some of them are irrelevant these days, but :) ) | 10:23:16 |
emily | anyway, not the optimal solution for every setup for sure, especially if you already integrate tightly with the NixOS ACME support | 10:23:31 |
emily | just want to throw out that it is a very competent ACME client and if you have complex scaling needs that the module isn't covering it is worth considering for that purpose | 10:23:54 |
emily | (it used to use lego internally but moved to its own acmez implementation because of lego design limitations) | 10:25:15 |
Christian Theune | thanks for that input! 🙂 | 10:27:56 |
Christian Theune | interestingly the doc is a bit outdated already, though ... | 10:30:34 |
emily | well that is just reference material for ACME client developers from >half a decade ago | 11:09:15 |
emily | most of it is still good, it's just OCSP stapling went away and ARI changed the renewal timing landscape a bit and so on | 11:09:40 |
Christian Theune | yup | 12:12:06 |
Christian Theune | as an outsider that just makes it hard to estimate which parts. i did understand it that way: ocsp and ari having changed. | 12:12:30 |
emily | well, it's only really relevant for client developers, or comparing existing implementations but then you basically have to read code to see what they get right in some cases | 12:28:14 |
emily | the fundamental issue with lego is that things like ARI don't fit great into a cron job type format if you want the best implementation of them | 12:29:00 |
emily | and all the hashing etc. we have to do around it is just working around the model not being quite right | 12:29:20 |
emily | (the end result does work well though at least at medium scale, it just takes a whole bunch of complexity to make the square peg fit the round hole) | 12:29:44 |
Christian Theune | yup | 12:34:38 |
Christian Theune | do you know what the list of supported DNS-01 provider APIs looks like in acmez compared to lego? | 12:35:05 |
Christian Theune | so far that's been the reason why I decided to stick with lego for now. | 12:35:14 |
Christian Theune | I got a green bar on the refactoring I demoed above. Trying to get the other tests clean again now. On-disk formats are all compatible ... \o/ | 12:35:38 |
Christian Theune | I need to explicitly praise the test coverage in the acme module. This helps a lot to find little glitches that I didn't properly catch. | 13:21:03 |
Christian Theune | 🎉 | 13:21:06 |
Christian Theune | so ... anyway ... i'll have to clean this up a bit more. i'll also need to rework the locking (with systemd 258 we could leverage the slice parallel unit limits, but i'll do a small change to get rid of the static hashing from build time to put it into a runtime solution as an intermediate step) | 13:45:05 |
Christian Theune | off from the sprint for now ... | 13:45:09 |
emily | everything libdns supports | 14:31:00 |
emily | it's pretty extensive | 14:31:05 |
emily | https://github.com/orgs/libdns/repositories?type=all | 14:31:20 |
Christian Theune | ah, that sounds interesting. ok. i'll still try to wrap up my stuff over the next days and maybe take a fresh look after. i think it was definitely worthwhile to understand what the current system does ... | 15:01:23 |
| 6 Jul 2025 |
m1cr0man | The test suite really is the most valuable bit of the acme module at this point. If you can get everything to pass, then you can be reasonably confident there are no major regressions. | 13:12:27 |
m1cr0man | I can't remember any concrete reason right now as to why it was introduced. Removing it may be difficult, as people definitely are using it.
I understand you are reworking this for your own use case which sounds quite complex and large-scale, but keep in mind that most people use the ACME module for the simplest of cases - they have a vhost, they set enableACME = true, and they magically have certs. Making the ACME module work for as many use cases as possible is important to reduce fragmentation in the community, but there is a limit.
I definitely think there is a solution here where we can keep the self-signed cert optionality and what you are trying to do. Your primary concern seems to be around the lack of a syntactically valid cert being present for consumer services. If this option is explicitly set to false, then it can be assumed that users do not care about this guarantee. | 13:19:06 |