| 2 Dec 2025 |
hexa | persistent DNS TXT records as proof of domain control | 15:46:08 |
hexa | if that works out that feels like it will be big | 15:46:38 |
hexa | shortlived is still "locked behind an allowlist" | 15:47:16 |
| 10 Dec 2025 |
Sandro 🐧 | FYI: https://github.com/NixOS/nixpkgs/pull/467908 | 23:35:40 |
| 14 Dec 2025 |
hexa | https://datatracker.ietf.org/doc/draft-ietf-acme-device-attest/ | 14:12:18 |
hexa | wondering if the security.acme module will have to support enterprise pki in the future 🙂 | 14:22:21 |
Arian | Smallstep implements this and we have a module for it in nixos I think | 17:08:17 |
| 24 Dec 2025 |
hexa | ok, so shortlived certificates are "6ish days" | 00:17:22 |
hexa | or exactly 160h | 00:17:25 |
hexa | specifying the remainder in valid days seems less useful 😄 | 00:17:48 |
hexa | I'd be fine with less than 72h remaining, ok that's three days | 00:19:06 |
hexa | but the renew timer should run more often than daily | 00:19:19 |
hexa | * but now the renew timer should run more often than daily | 00:19:23 |
hexa | (attachment: image.png) | 00:40:59 |
hexa | validMinDays = 3;
renewInterval = "3/6:00:00";
extraLegoRunFlags = [ "--profile=shortlived" ];
extraLegoRenewFlags = [ "--profile=shortlived" ];
| 00:41:26 |
hexa | oh, I think the profile option was backported | 00:41:39 |
hexa | * oh, I think the profile option was backported, so that can be shortened to | 00:44:34 |
hexa | validMinDays = 3;
renewInterval = "3/6:00:00";
profile = "shortlived";
| 00:44:37 |
| 9 Jan 2026 |
| Tom joined the room. | 01:05:23 |
Tom | i just noticed the validMinDays=30 default after looking at crt.sh | 01:08:41 |
Tom | maybe the validMinDays default should be made conditional based upon the profile option? | 01:10:53 |
Tom | otoh it would be probably better figuring out how to it all based upon a percent remaining value | 01:13:52 |
Tom | * otoh it would be probably better figuring out how to do it based upon a percent remaining value | 01:15:19 |
Tom |
For certificates with a validity period under 10 days, we recommend renewing halfway through their total lifetime.
https://letsencrypt.org/docs/integration-guide/#when-to-renew | 12:16:31 |
| 11 Jan 2026 |
| ivan joined the room. | 01:56:24 |
Sandro 🐧 | I just read in the lego changelog, that a mail is no longer required. https://github.com/go-acme/lego/releases/tag/v4.31.0
Should we adapt to that? | 09:25:26 |
leona | LE also doesn't really use the account email anymore: https://letsencrypt.org/2025/06/26/expiration-notification-service-has-ended | 11:06:52 |
hexa | we hardcode RandomizedDelaySec=24h, which means my 6 hour interval gets stretched by up to 24 hours | 16:05:14 |
hexa | le sigh | 16:05:31 |
hexa |
NEXT                         LEFT     LAST                         PASSED        UNIT         ACTIVATES
Sun 2026-01-11 18:07:20 UTC  2h 1min  Sun 2026-01-11 12:07:29 UTC  3h 58min ago  acme-renew-
Sun 2026-01-11 23:11:52 UTC  7h       Sun 2026-01-11 11:12:11 UTC  4h 54min ago  acme-renew-
Mon 2026-01-12 00:03:44 UTC  7h       Sun 2026-01-11 12:03:44 UTC  4h 2min ago   acme-renew-
Mon 2026-01-12 01:55:54 UTC  9h       Sun 2026-01-11 13:56:24 UTC  2h 9min ago   acme-renew-
Mon 2026-01-12 02:24:43 UTC  10h      Sun 2026-01-11 02:24:44 UTC  13h ago       acme-renew-
| 16:07:25 |