| 1 Aug 2021 |
|  Jamie joined the room. | 08:10:56 |
| 8 Aug 2021 |
 hexa | m1cr0man: merged the hardening pr, you seemed content with it, and I felt I couldn't improve it any further. now for some more real world testing. | 13:51:18 |
 m1cr0man | Awesome ok. :) | 13:51:32 |
| m1cr0man | I might try updating my server today so | 14:08:13 |
| hexa | same | 14:21:59 |
| hexa | didn't fail on activation, so that's good 😂 | 14:31:38 |
| 17 Aug 2021 |
 @grahamc:nixos.org | sometimes when acme does the wrong thing I force a new certificate by rm -rf'ing /var/lib/acme and reboot. this manages to fix everything, but if I just restart the service, `acme-domainname.service, it fails here: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/security/acme.nix#L344-L353 what service typically sets this up where a reboot works fine? | 20:32:26 |
| @grahamc:nixos.org | I also wonder if there is a good way to communicate that extraLegoFlags isn't the same as adding the same value to bothextraLegoRunFlags and extraLegoRenewFlags (position in the command is different) my naive reading of the options left me thinking it would be the same | 20:38:09 |
| @grahamc:nixos.org | For some backstory I needed to add "--preferred-chain" "ISRG Root X1" to extraLegoRunFlags to get an ipxe-compatible certificate a few months ago. A couple days ago the certificate was renewed without that flag, so I moved it from extraLegoRunFlags to extraLegoFlags -- this didn't work, so then I copied the block and added it to both Run and Renew. To make it stick, I rm -rf'd the acme directory because in the past I've had a hard time making it do what I expected by deleting anything less. | 20:42:28 |
| 3 Sep 2021 |
|  mbprtpmnr joined the room. | 04:07:41 |
| 5 Sep 2021 |
|  ilkecan joined the room. | 13:04:05 |
| 6 Sep 2021 |
| mbprtpmnr | Hi everyone. | 06:16:08 |
| 17 Sep 2021 |
|  pinecamp joined the room. | 02:26:32 |
| 24 Sep 2021 |
| hexa | https://github.com/NixOS/nixpkgs/pull/139311 | 13:21:37 |
| hexa | fallout from the hardening changes | 13:21:50 |
| 25 Sep 2021 |
|  sugi joined the room. | 15:03:27 |
| 30 Sep 2021 |
|  Robby O'Connor joined the room. | 01:17:56 |
| Robby O'Connor left the room. | 05:50:09 |
| 4 Oct 2021 |
 aanderse | any chance we need to update LEGO? ... or iunno... anything? i think the letsencrypt root cert expired recently and one of my certs is having issues when being used with prosody
i don't have many details, sorry, short on time | 12:11:11 |
| hexa | I don't believe so | 12:14:30 |
| hexa | the reason letsencrypt failed on many systems is that they don't handle cross-signed roots, where one signatory expired, and the other one is still valid | 12:15:53 |
| hexa | * the reason letsencrypt failed on many systems is that they don't handle cross-signed roots, where one signatory expired, and the other one is still valid, well | 12:16:15 |
| hexa | there is certainly a way to get your server cert without the cross-signing (isrg x1 root only) | 12:16:50 |
| hexa | but you are trading breakages in one way or another | 12:17:09 |
| aanderse | in this specific example i have a single cert for a single domain - i load that cert into prosody, then when trying to connect with my jabber client i get "The certificate chain presented is invalid." | 12:20:16 |
| hexa |
--preferred-chain="ISRG Root X1"
| 12:20:31 |
| aanderse | like i said... low on time, so i really appreciate the quick save | 12:21:42 |
| aanderse | just moved... it has been a self inflicted nightmare 😉 | 12:21:57 |
 Dandellion | I have the following nginx configuration for one of my services:
services.nginx.virtualHosts."hydrus.dodsorf.as" = {
enableACME = true;
onlySSL = true;
locations."/.well-known/matrix/server" = {
return = ''
200 '{"m.server": "hydrus.dodsorf.as:443"}'
'';
extraConfig = ''
default_type application/json;
'';
};
locations."~ ^/_matrix/media/r0/download/hydrus.dodsorf.as/(?<sha>[A-Fa-f0-9]+)" = {
proxyPass = "http://192.168.10.50:45869/get_files/file?hash=$sha";
extraConfig = ''
proxy_set_header Hydrus-Client-API-Access-Key <some-key>;
'';
};
};
which for some reason fails with
Oct 04 12:41:19 lilith acme-hydrus.dodsorf.as-start[2233969]: 2021/10/04 12:41:19 [INFO] [hydrus.dodsorf.as] acme: Could not find solver for: tls-alpn-01
Oct 04 12:41:19 lilith acme-hydrus.dodsorf.as-start[2233969]: 2021/10/04 12:41:19 [INFO] [hydrus.dodsorf.as] acme: use http-01 solver
Oct 04 12:41:19 lilith acme-hydrus.dodsorf.as-start[2233969]: 2021/10/04 12:41:19 [INFO] [hydrus.dodsorf.as] acme: Trying to solve HTTP-01
Oct 04 12:41:25 lilith acme-hydrus.dodsorf.as-start[2233969]: 2021/10/04 12:41:25 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/36912141660
Oct 04 12:41:25 lilith acme-hydrus.dodsorf.as-start[2233969]: 2021/10/04 12:41:25 error: one or more domains had a problem:
Oct 04 12:41:25 lilith acme-hydrus.dodsorf.as-start[2233969]: [hydrus.dodsorf.as] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://hydrus.dodsorf.as/.well-known/acme-challenge/pxMFKnR4CI8fzgQzwoeXYDegD-Beb3zVJW9sdbd4pB0 [51.174.193.44]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body>\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>nginx</center>\r\n"
Does someone here know of the top of your head why?
| 12:26:40 |
| hexa | some location block shadowing the webroot? | 12:29:23 |
