2 Jul 2021 |
| immae left the room. | 22:22:48 |
5 Jul 2021 |
| spacesbot - keeps a log of public NixOS channels joined the room. | 19:20:13 |
| spacesbot - keeps a log of public NixOS channels | 19:49:33 |
6 Jul 2021 |
hexa | merged the umask/chmod update | 13:11:45 |
hexa | I re-reviewed myself and I think it's sane. | 13:12:03 |
hexa | m1cr0man: maybe rename this room to NixOS ACME, so it sorts better in the room list? | 14:10:11 |
| m1cr0man set the room name to "NixOS ACME / LetsEncrypt". | 15:28:23 |
m1cr0man | Sure, how's that? | 15:28:30 |
hexa | sorts better, thanks. not sure we are stuck with letsencrypt, but I don't mind :) | 15:36:09 |
m1cr0man | IMO it's good SEO ;P | 15:37:46 |
| spacesbot - keeps a log of public NixOS channels changed their display name from spacesbot to spacesbot - keeps a log of public NixOS channels. | 22:11:40 |
8 Jul 2021 |
| sumner left the room. | 00:16:15 |
9 Jul 2021 |
| vika (she/her) 🏳️‍⚧️ joined the room. | 14:50:31 |
| vika (she/her) 🏳️‍⚧️ set a profile picture. | 16:39:11 |
| Andreas Schrägle joined the room. | 20:15:14 |
10 Jul 2021 |
m1cr0man | https://github.com/NixOS/nixpkgs/issues/129838 we're really getting to the point now where the service start script is getting as complex as it was pre-lego, and we maybe should consider writing the tool ourselves or starting to push changes upstream to lego (if they are likely to be merged). In order to avoid reintroducing the bug that the local expiry check resolves, we would need to check internet connection and then the OCSP response and then trigger renewal if necessary 🤒 | 12:49:16 |
m1cr0man | We can probably leave checking OCSP to lego actually. So instead, we would need to check cert renewal + internet connection. If cert is expired OR there is an active internet connection, then run lego renew. | 12:51:06 |
Arian | Start programming against the Lego API instead? | 13:24:51 |
Arian | Like cert-manager | 13:24:55 |
Arian | Instead of shelling out | 13:24:58 |
Arian | It's probably more readable and maintainable. I agree | 13:25:09 |
13 Jul 2021 |
| iclanzan joined the room. | 23:47:09 |
18 Jul 2021 |
| aanderse joined the room. | 15:57:03 |
| aanderse changed their display name from Aaron Andersen to aanderse. | 15:58:44 |
19 Jul 2021 |
aanderse | shouldn't this show me a list of all my certs on a server? sudo -u acme lego list | 15:35:27 |
aanderse | getting No certificates found. | 15:35:40 |
Andreas Schrägle | Hm. I'm seeing a renewal failing, because it's trying to validate domains which it shouldn't anymore.
They were removed from the cert and the lego call also doesn't list them, but it's still trying to validate them. | 21:29:35 |
Andreas Schrägle | I just forced getting a new certificate by moving the folder for now, but this seems like a bug. Maybe in lego or the way we call it, not sure. | 21:39:34 |