| 11 Jan 2026 |
 hexa | [Timer]
AccuracySec=17280s
FixedRandomDelay=true
OnCalendar=3/6:00:00
Persistent=yes
RandomizedDelaySec=24h
| 16:07:40 |
| hexa | so between 6 and 24 hours | 16:08:07 |
 Tom | AFAIK there also is some sort of problem with minica not beeing able to generate placeholder certs for IPv6 addresses. but haven't dug deeper then noticing that there seems to be a a problem in that area | 16:14:55 |
| Tom | ah, the problem might not be minica but how it's beeing used | 16:21:19 |
| Tom | https://github.com/NixOS/nixpkgs/blob/05f7778bc209d5579d5976cc0e7dc02afa21d1e4/nixos/modules/security/acme/default.nix#L390-L393
$ minica --domains 3fff::1
Invalid domain name "3fff::1"
$ minica --ip-addresses 3fff::1
| 16:41:14 |
 Arian | In reply to @hexa:lossy.network
we hardcode RandomizedDelaySec=24h, which means my 6 hour interval gets stretched by up to 24 hours Lol oops | 18:19:52 |
| 12 Jan 2026 |
| hexa | OPTIONS:
--days value The number of days left on a certificate to renew it. (default: 30)
--dynamic Compute dynamically, based on the lifetime of the certificate(s), when to renew: use 1/3rd of the lifetime left, or 1/2 of the lifetime for short-lived certificates). This supersedes --days and will be the default behavior in Lego v5. (default: false)
| 00:38:09 |
| Tom | --dynamic as the new default if validMinDays isn't set? | 00:40:56 |
| hexa | wip | 00:42:42 |
| hexa | Redacted or Malformed Event | 00:46:44 |
| hexa | emily: imo skipping based on the remaining time can't work with ari | 00:56:58 |
| hexa | but we already renew "silently" and that should trigger ari based renewals | 00:57:43 |
| hexa | and if we default to --dynamic we have nothing to compare against in the is_expiration_skippable function | 00:59:49 |
| hexa | but we could try to replicate the logic used in lego when to pick 1/3 and 1/2 of the remainder | 01:00:24 |
| hexa | and then determine the total duration from the certificate | 01:01:04 |
| hexa | * and then determine the total duration from the certificate instead | 01:01:08 |
| hexa | yeah, implemented … I think | 01:18:32 |
 emily | I was just thinking we could run it much more often with no randomization if it's getting an ARI time from the CA | 01:28:59 |
| emily | because then the CA does its own load balancing across renewal times | 01:29:15 |
| emily | I implemented the skew back before ARI was a thing | 01:29:47 |
| hexa | https://github.com/NixOS/nixpkgs/pull/479209 | 01:50:33 |
| hexa | I wish we could do something similar for the timer intervall | 01:51:24 |
| Tom | is there that much harm in just runniung it more often as the new default? | 01:53:10 |
| Tom | * is there that much harm in just running it more often as the new default? | 01:53:40 |
| hexa | we're a multiplier, so yes it matters | 01:56:59 |
| Tom | from my understanding the check on whether to proceed with the renewal is done locally. So it would "only" affect local resources from my understanding? | 02:04:35 |
| hexa | Redacted or Malformed Event | 02:05:05 |
| hexa | * only while above validMinDays | 02:05:10 |
| hexa | * we only fail if above valid min days | 02:05:24 |
| hexa | Redacted or Malformed Event | 02:05:28 |
