3 Jun 2024 |
Sandro 🐧 | You could symlink the old hash to the new one if the new directory doesn't exist and the contents are similar enough to be compatible | 09:52:47 |
Sandro 🐧 | In reply to @arianvp:matrix.org "maybe we should symlink or copy the directory instead of moving? idk. Maybe it's not worth it supporting rollbacks. Just thinking out loud of another failure mode here": Copy means you have old, potentially run-out certs | 09:52:47 |
Sandro 🐧 | In reply to @arianvp:matrix.org "(and it's important. E.g. German government has been issuing LetsEncrypt certificates for a lot of XMPP servers through MITM'ing through middleboxes at Hetzner datacenters and got caught red-handed multiple times last year)": I know of the one case that went on Hackernews. DNS challenge works against that, does it? | 09:52:47 |
Sandro 🐧 | I have a PR for a test improvement open for 4 months to prevent such issues in the future and no one really cared, so I just gave up https://github.com/NixOS/nixpkgs/pull/286999 | 09:52:47 |
Arian | Yeh no blame on you at all. | 09:53:22 |
Sandro 🐧 | Going back to null is also not that great because then we rely on the lego defaults which could change in the future | 09:56:08 |
Sandro 🐧 | If you have a change I could test, throw it over the fence | 10:00:00 |
Arian | yeh I think the only solution is to do some state mangling. Or just put in the release notes that the hash changed and call it a day | 10:00:10 |
Sandro 🐧 | I really thought we already had that in the release notes... | 10:00:36 |
Arian | We used to have bugs where we would recreate the same account multiple times: https://github.com/NixOS/nixpkgs/pull/106857 and the account creation rate limiting is very aggressive (5 per day?) But I think we don't run into that issue anymore | 10:00:39 |
Arian | So the rate-limit issue is probably less of a problem; unless you have A lot of domains | 10:01:25 |
Sandro 🐧 | As said, I've updated 25 VMs or so with that and the only problem I've run into was that the one DNS challenge could not create records for all aliases | 10:01:42 |
Sandro 🐧 | All other http challenges worked like a charm and I probably updated a VM every 5 to 10 minutes | 10:02:08 |
Sandro 🐧 | In reply to @arianvp:matrix.org "So the rate-limit issue is probably less of a problem; unless you have A lot of domains": If the domains are similar, I always use the DNS challenge to avoid such scenarios in case of data loss but probably not everyone is doing that | 10:03:00 |
Arian | We also have https://github.com/NixOS/nixpkgs/pull/244511 which limits concurrent domain creation. I didn't realise that landed | 10:05:55 |
Arian | So... the rate limit concern is probably not so big. This is just a problem with people with CAA records. I think I'm okay with just double checking this is in the release notes and if not add it | 10:06:21 |
Arian | If y'all agree let's go with a prominent entry in the release notes. If someone has energy to do a state convergence PR that's a nice to have but probably not as urgent as I initially thought | 10:09:21 |
Sandro 🐧 | In reply to @arianvp:matrix.org "We also have https://github.com/NixOS/nixpkgs/pull/244511 which limits concurrent domain creation. I didn't realise that landed": I think that is mainly there to prevent going immediately into the rate limit if something fails | 10:12:21 |
Sandro 🐧 | I mean we should probably do a release notes entry either way | 10:12:40 |
Sandro 🐧 | And testing state changes like that should probably not be done too quick to not create the next bugs | 10:12:56 |
Sandro 🐧 | Also merge that test please | 10:13:04 |
Sandro 🐧 | Can't you mitigate this by setting the URL back to null? | 10:15:21 |
Sandro 🐧 | I think no one mentioned that yet | 10:15:27 |
Arian | no because we removed the nullOr from the type | 10:16:02 |
Arian | but we could add that!! | 10:16:04 |
Arian | good idea. | 10:16:09 |
Arian | Good thinking | 10:16:28 |
Stéphan | I like that too. Something like this? https://github.com/NixOS/nixpkgs/compare/master...stephank:nixpkgs:fix-acme2 | 11:00:06 |
Sandro 🐧 | Maybe we should couple that with a warning that people should set the URL explicitly | 11:23:12 |