NixOS ACME / LetsEncrypt
Room: !MthpOIxqJhTgrMNxDS:nixos.org
Topic: Another day, another cert renewal
104 Members, 47 Servers

8 Nov 2024
[23:11:28] K900 (@k900:0upti.me): How did this ever work?
[23:12:31] m1cr0man (@m1cr0man:m1cr0man.com): What's wrong with that?
[23:12:38] K900: OK this makes no sense
[23:12:49] K900: It's starting the cert renewal first
[23:12:58] K900: And then the server
[23:13:19] m1cr0man: Ngl, it's pretty vindicating that someone else is witnessing the quantum hell that is the ACME test suite, and not just my imagination.
[23:13:22] K900: And I think the ordering on it is actually just all wrong
[23:14:17] K900: [image attachment: {A552CC2F-C32F-444C-8CDC-9B4F274FF447}.png]
[23:14:45] K900: Yeah this is 100% wrong
[23:14:55] K900: The acme units need to wants httpd for this
[23:15:09] K900: If not requires
[23:15:16] K900: Actually probably requires, just so we fast-fail
[23:16:49] m1cr0man: I'm not following. Part of this is from the change earlier today. That's a screenshot from a webserver module, right? It's only set to before on the renewals that use HTTP-01. wanting the target means that renewal gets queued in the same job as the web server start.
[23:19:49] m1cr0man:
it's convoluted, but in the case of a web server it's generally as follows on startup:

  • Web server start requested
  • want on acme-*.target queues a start job in the same transaction for any necessary renewal services.
  • before on acme-selfsigned-*.service means the webserver is up after selfsigned cert gen
  • before (selectively) on acme-*.service means the webserver starts before renewal (HTTP-01)
  • after (selectively) on acme-*.service means the webserver can basically start any time after renewal happens
[23:20:36] m1cr0man: this all hinges on my understanding/observations of wants dependencies on a target, and how start job transactions are evaluated
[23:20:47] K900: That before isn't enough
[23:21:07] K900: You need the http-01 units to actually wants it
[23:21:10] m1cr0man: I know before/after don't queue start jobs, but the target implicitly will
[23:21:32] m1cr0man: iirc the target requires the renewal, so that will queue the start job, and those before/after should queue them appropriately in the same transaction
[23:21:33] K900: The target will if you start the server, yes
[23:21:38] K900: But not if you start the target
[23:21:51] m1cr0man: oh fuck
[23:21:55] K900: So either the test needs to wait for the server before the target
[23:22:07] K900: Or the units need to also wants the server
[23:22:18] K900: Which I think is more correct because they actually do
[23:22:41] m1cr0man: hm let me quickly check sth in the webserver units
[23:24:00] m1cr0man: Yeah no, it's totally missing
[23:30:00] m1cr0man:
> Or the units need to also wants the server

Problem is now, from the acme module, we can't determine what web server will be serving .well-known/acme-challenge. We can solve this per-webserver, as you said flip the before to a requiredBy (actually... maybe keep before and add requiredBy).

I'm now remembering a very old conversation about having web server units register a common target, but I ended up implementing nginx-config-reload as it met the requirements at the time.

> not if you start the target

I wonder how bad it would be to remove the install/wantedBy directives from the acme module, and let dependent services trigger its startup? In fact, what if we had a mkDefault value for requiredBy on the ACME certs, and set an explicit value in the web servers?
[23:30:16] m1cr0man (edited message):
> Or the units need to also wants the server

Problem is now, from the acme module, we can't determine what web server will be serving .well-known/acme-challenge. We can solve this per-webserver, as you said flip the before to a requiredBy (actually... maybe keep before and add requiredBy).

I'm now remembering a very old conversation about having web server units register a common target, but I ended up implementing nginx-config-reload as it met the requirements at the time.

> not if you start the target

I wonder how bad it would be to remove the install/wantedBy directives from the acme module, and let dependent services trigger its startup? In fact, what if we had a mkDefault value for wantedBy on the ACME certs, and set an explicit value in the web servers?
[23:32:21] m1cr0man: This has probably been the issue the whole damn time. How does switch-to-configuration sort/order the start requests for the units? It's probably not a stable sort 😅
