!MthpOIxqJhTgrMNxDS:nixos.org

NixOS ACME / LetsEncrypt

93 Members
Another day, another cert renewal
43 Servers


Sender | Message | Time
3 Jun 2024
@sandro:supersandro.de Sandro 🐧 | Going back to null is also not that great because then we rely on the lego defaults which could change in the future | 09:56:08
@sandro:supersandro.de Sandro 🐧 | If you have a change I could test, throw it over the fence | 10:00:00
@arianvp:matrix.org Arian | yeh I think the only solution is to do some state mangling. Or just put in the release notes that the hash changed and call it a day | 10:00:10
@sandro:supersandro.de Sandro 🐧 | I really thought we already had that in the release notes... | 10:00:36
@arianvp:matrix.org Arian | We used to have bugs where we would recreate the same account multiple times: https://github.com/NixOS/nixpkgs/pull/106857 and the account creation rate limiting is very aggressive (5 per day?) But I think we don't run into that issue anymore | 10:00:39
@arianvp:matrix.org Arian | So the rate-limit issue is probably less of a problem; unless you have A lot of domains | 10:01:25
@sandro:supersandro.de Sandro 🐧 | As said, I've updated 25 VMs or so with that and the only problem I've run into was that the one DNS challenge could not create records for all aliases | 10:01:42
@sandro:supersandro.de Sandro 🐧 | All other http challenges worked like a charm and I probably updated a VM every 5 to 10 minutes | 10:02:08
@sandro:supersandro.de Sandro 🐧
In reply to @arianvp:matrix.org
So the rate-limit issue is probably less of a problem; unless you have A lot of domains
If the domains are similar, I always use the DNS challenge to avoid such scenarios in case of data loss but probably not everyone is doing that
10:03:00
@arianvp:matrix.org Arian | We also have https://github.com/NixOS/nixpkgs/pull/244511 which limits concurrent domain creation. I didn't realise that landed | 10:05:55
@arianvp:matrix.org Arian | So... the rate limit concern is probably not so big. This is just a problem with people with CAA records. I think I'm okay with just double checking this is in the release notes and if not add it | 10:06:21
@arianvp:matrix.org Arian | If y'all agree let's go with a prominent entry in the release notes. If someone has energy to do a state convergence PR that's a nice to have but probably not as urgent as I initially thought | 10:09:21
@sandro:supersandro.de Sandro 🐧
In reply to @arianvp:matrix.org
We also have https://github.com/NixOS/nixpkgs/pull/244511 which limits concurrent domain creation. I didn't realise that landed
I think that is mainly there to prevent going immediately into the rate limit if something fails
10:12:21
@sandro:supersandro.de Sandro 🐧 | I mean we should probably do a release notes entry either way | 10:12:40
@sandro:supersandro.de Sandro 🐧 | And testing state changes like that should probably not be done too quick to not create the next bugs 😅 | 10:12:56
@sandro:supersandro.de Sandro 🐧 | Also merge that test please 😅🙈 | 10:13:04
@sandro:supersandro.de Sandro 🐧 | Can't you mitigate this by setting the URL back to null? | 10:15:21
@sandro:supersandro.de Sandro 🐧 | I think no one mentioned that yet | 10:15:27
@arianvp:matrix.org Arian | no because we removed the nullOr from the type | 10:16:02
@arianvp:matrix.org Arian | but we could add that!! | 10:16:04
@arianvp:matrix.org Arian | good idea. | 10:16:09
@arianvp:matrix.org Arian | Good thinking | 10:16:28
@stephank:stephank.nl Stéphan | I like that too. Something like this? https://github.com/NixOS/nixpkgs/compare/master...stephank:nixpkgs:fix-acme2 | 11:00:06
@sandro:supersandro.de Sandro 🐧 | Maybe we should couple that with a warning that people should set the URL explicitly | 11:23:12
@sandro:supersandro.de Sandro 🐧 | but then, is that worth it? I dono | 11:23:20
@ccppuu:matrix.org CPU
In reply to @arianvp:matrix.org
If there are any volunteers to join the team just yell ;)
:wave: I would be interested. Is commenting on #316854 the best way to get looped in?
14:45:48
@arianvp:matrix.org Arian | Stéphan: yeh that looks perfect. Wanna open a PR for that? | 18:42:18
4 Jun 2024
@raitobezarius:matrix.org | raitobezarius changed their display name from raitobezarius (DECT: 7248) to raitobezarius. | 11:14:33
