NixOS ACME / LetsEncrypt (!MthpOIxqJhTgrMNxDS:nixos.org)
Topic: Another day, another cert renewal
106 Members, 44 Servers

23 May 2025
[00:37:37] hexa: and also things like enableACME on nginx
[00:37:44] hexa: #users:nixos.org
[00:37:49] hexa: * #users:nixos.org is the room tbh
[18:55:38] m1cr0man: woobilicious: Ditto what hexa said - however you can DIY your own "disable all ACME" option. Just add a config option of your own (config.woobilicious.enableACME for example), then predicate your security.acme.certs and enableACME on that wherever you have it declared
[18:57:06] m1cr0man: I assume you're dealing with a test VM. Is the root of this issue that ACME is looking for internet access to renew certs whilst testing your real system config? I personally don't know how to deal with that just for the test system, but IIRC there is some flag/marker that you are in a test VM?
24 May 2025
[03:49:08] woobilicious: m1cr0man: Yeah I'm wanting to use nixos-rebuild test-vm, I used to use it before I hooked up ACME but I knew instantly it would cause issues, so I just started testing in production lol.
My real issue is that I still need certs for some of my config to work correctly. I guess I'll have to look into the profile system and how ACME works to have it generate certs but not try to sign them.
[03:54:13] woobilicious: I want to add anubis to my server, so it's going to be a whole ordeal getting the proxy setup and the certs working correctly.
[08:13:07] Benedikt (in reply to woobilicious):
> m1cr0man: Yeah I'm wanting to use nixos-rebuild test-vm, I used to use it before I hooked up ACME but I knew instantly it would cause issues, so I just started testing in production lol.
> My real issue is that I still need certs for some of my config to work correctly. I guess I'll have to look into the profile system and how ACME works to have it generate certs but not try to sign them.
This might be overkill for your use case, but we set up additional acme and name_server nodes that we can use to replace the real acme servers in tests
[08:13:29] Benedikt: The source is here: https://git.foss-syndicate.org/vhack.eu/nixos-server/tree/tests/common/acme
[08:15:33] woobilicious: oh interesting, yeah might be a bit overkill, but maybe it'll be some good inspiration.
[08:17:33] woobilicious: I could probably just disable the acme renewal service.
25 May 2025
[11:36:45] m1cr0man (in reply to Benedikt):
> This might be overkill for your use case, but we set up additional acme and name_server nodes that we can use to replace the real acme servers in tests
That's nice. Seems to be based on the acme tests in nixpkgs?
[14:58:10] Benedikt (in reply to m1cr0man):
> That's nice. Seems to be based on the acme tests in nixpkgs?
Yes, initially I used the acme files directly, but had to vendor and significantly alter them to work as a drop-in server (i.e. I did not understand how the nixpkgs acme test sets the CA root from pebble, and they seemed to lack DNS server support)
[19:19:31] m1cr0man: I never considered this use case. I might look into making the test suite stuff reusable and having some form of support for nixos-rebuild build-vm
30 Jun 2025
[12:49:54] emily:
> We have deleted the email addresses provided to Let's Encrypt via the ACME API that were stored in our CA database in association with issuance data. This doesn't affect addresses signed up to mailing lists and other systems. They are managed in a separate ISRG system unassociated with issuance data. Going forward, if an email address is provided to Let's Encrypt via the ACME API, Let's Encrypt will not store the address but will instead forward it to the general ISRG mailing list system unassociated with any account data. If the email address has not been seen before, that system may send an onboarding email with information about how to subscribe to various sources of updates.
[12:49:56] emily: https://letsencrypt.org/2025/06/26/expiration-notification-service-has-ended/
[12:50:01] emily: we currently require email right? could probably stop
[14:13:52] hexa: if lego is ok with that
3 Jul 2025
[14:46:03] hexa: https://github.com/go-acme/lego/issues/277
[14:48:16] Christian Theune: I'm working on a bit of a refactoring with Arian supervising. I've had a question this morning which I managed to solve with a draft so far. I'm still working on it, but the current state is here: https://github.com/NixOS/nixpkgs/pull/422076. The second commit is currently in draft and needs a further refactoring (and also has a race condition and is likely incomplete), but I have to stop working for today. If you want to take a look, feel free to give feedback. I'm also happy to explain/discuss things face to face if that helps understanding. It's a quite complicated situation and I'm trying to make it cleaner ...
