| 3 Jun 2024 |
K900 | Uhh | 08:10:58 |
K900 | That's a very stupid behavior in lego tbh | 08:11:03 |
Arian | This is not Lego. this is us | 08:11:10 |
Arian | I think? | 08:11:15 |
K900 | Oh OK yeah it is us | 08:12:00 |
K900 | https://github.com/SuperSandro2000/nixpkgs/blob/6e294f40db992635e4aa566789ac3560ed1f9b1a/nixos/modules/security/acme/default.nix#L16 | 08:12:00 |
Arian | so acmeServer used to be null | 08:12:19 |
Arian | and we change it to the letsencrypt uri | 08:12:35 |
K900 | But how is it leaking into CAA records then | 08:13:01 |
K900 | Is what I don't get | 08:13:03 |
Arian | You can bind your CAA record to your account ID these days | 08:13:35 |
K900 | Oh | 08:13:40 |
Arian | it's a new extension to ACME protocol | 08:13:42 |
Arian | to detect MITM attacks | 08:13:45 |
K900 | Yeeeeeah | 08:13:58 |
K900 | But then we can just migrate | 08:14:03 |
K900 | Like | 08:14:11 |
Arian | (and it's important. E.g. German government has been issuing LetsEncrypt certificates for a lot of XMPP servers through MITM'ing through middleboxes at Hetzner datacenters and got caught red-handed multiple times last year) | 08:14:15 |
K900 | Compute old hash and new hash | 08:14:32 |