| 10 Feb 2023 |
 hexa | you would think there is a language barrier | 16:11:40 |
| hexa | but sometimes the communication works quite flawlessly | 16:11:48 |
| 12 Feb 2023 |
 m1cr0man | :( They are not happy about me closing the PR | 18:18:54 |
| m1cr0man | I'm trying to figure out if it would solve this but I don't think it does. At least then it has some technical merit beyond "keep the generated config cleaner" | 18:25:07 |
| m1cr0man | Oh right I finally understand 180980 properly, better than I did in September :P | 18:31:20 |
| m1cr0man | There, I left a big reply in 199033, I did out a truth table for his proposal, which a) took way too long to figure out the implications and b) turned out to be needlessly complicated and I would think harmful to some existing configs. | 20:25:04 |
| 16 Feb 2023 |
| m1cr0man | Hm, interesting https://github.com/NixOS/nixpkgs/issues/216487 I'll do my best to explain why it exists. | 09:29:55 |
| m1cr0man | Tldr the conditionPathExists is needed to ensure successful reload when vhosts with new certs are added, and it performs batching too | 09:32:27 |
| m1cr0man | Actually, there might be a way to reduce the number of reloads with some file touching | 09:35:22 |
| m1cr0man | But that's extra complexity to solve a non issue afaik. What harm does extra reloading do? | 09:35:55 |
| 23 Feb 2023 |
 raitobezarius | Breaking TCP connections basically | 05:04:00 |
| raitobezarius | Hm no reload keeps the existing ones * | 05:04:40 |
| 4 Mar 2023 |
| raitobezarius | I have a NixOS test using curl to test TLS-related stuff:
webserver # * Server certificate:
webserver # * subject: CN=*.test.nix
webserver # * start date: Jan 30 03:41:18 2023 GMT
webserver # * expire date: Jan 30 03:41:18 2043 GMT
webserver # * subjectAltName does not match direct.noproxy.test.nix
webserver # * SSL: no alternative certificate subject name matches target host name 'direct.noproxy.test.nix'
I am using ACME snakeoil certs, but for some reason, my wildcard cert with CN=.test.nix and SAN=[.test.nix] is not considered as valid by curl, though openssl -showcerts -connect validates the chain properly… (I used security.pki.certificateFiles)
| 19:41:47 |
