 | NixOS ACME / LetsEncrypt | 86 Members |
| Another day, another cert renewal | 39 Servers |
| NixOS ACME / LetsEncrypt | 86 Members |
| Another day, another cert renewal | 39 Servers |
| Sender | Message | Time |
|---|---|---|
| 3 Jun 2024 | ||
 Arian | Stéphan: dont this based on stateVersion wont work | 09:24:03 |
| Arian | * Stéphan: doing this based on stateVersion wont work I think | 09:24:23 |
| Arian | ah no nvm forget what I said | 09:26:04 |
| Arian | Hmm how do we handle people who rollback boot into a 23.11 configuration ? :/ | 09:29:01 |
| Arian | maybe we should symlink or copy the directory instead of moving? idk. Maybe it's not worth it supporting rollbacks. Just thinking out loud of another failure mode here | 09:29:39 |
 Stéphan | I like that idea, but no idea if a symlink works | 09:31:44 |
| Arian | urgh I feel bad that this shipped. The whole reason we created the ACME Team was to catch these kind of things :( I’m kind of confused why automation didnt tag us for review. Given we’re set up as | 09:34:37 |
| Stéphan | I think BindPaths should follow a symlink, because I found this, which says not following a symlink is something you otherwise need to specify explicitely: https://github.com/systemd/systemd/issues/32366 | 09:35:27 |
| Stéphan | In reply to @arianvp:matrix.orgSee: https://github.com/NixOS/nixpkgs/pull/270221#issuecomment-2144652323 | 09:36:12 |
| Arian | ah awesome | 09:36:19 |
| Arian | Oh well no hard feelings. we’re all human. just makes my blood pressure go up to know I’m breaking people’s TLS setup :’) | 09:37:15 |
| Arian | Added a WIP PR to add the team to code-owners: https://github.com/NixOS/nixpkgs/pull/316854 | 09:45:09 |
| Arian | If there are any volunteers to join the team just yell ;) | 09:45:39 |
 Sandro 🐧 | You could symlink the old hash to the new one if the new directory doesn't exist and the contents are similar enough to be compatible | 09:52:47 |
| Sandro 🐧 | In reply to @arianvp:matrix.orgCopy means you have old, potentially ran out certs | 09:52:47 |
| Sandro 🐧 | In reply to @arianvp:matrix.org I know of the one case that went on Hackernews. DNS challenge works against that, does it? | 09:52:47 |
| Sandro 🐧 | I have a PR for a test improvement open for 4 months to prevent sich issues in the future and no one really cared, so I just gave up https://github.com/NixOS/nixpkgs/pull/286999 | 09:52:47 |
| Arian | Yeh no blame on you at all. | 09:53:22 |
| Sandro 🐧 | Going back to null is also not that great because then we rely on the lego defaults which could change in the future | 09:56:08 |
| Sandro 🐧 | If you have a change I could test, throw it over the fence | 10:00:00 |
| Arian | yeh I think the only solution is to do some state mangling. Or just put in the release notes that the hash changed and call it a day | 10:00:10 |
| Sandro 🐧 | I really thought we already had that in the release notes... | 10:00:36 |
| Arian | We used to have bugs where we would recreate the same account multiple times: https://github.com/NixOS/nixpkgs/pull/106857 and the account creation rate limiting is very aggressive (5 per day?) But I think we dont run into that issue anymore | 10:00:39 |
| Arian | So the rate-limit issue is probably less of a problem; unless you have A lot of domains | 10:01:25 |
| Sandro 🐧 | As said, I've updated 25 VMs or so with that and the only problem I've ran into was that the one DNS challenge could not create records for all aliases | 10:01:42 |
| Sandro 🐧 | All other http challenges worked like a charm and I probably updated a VM every 5 to 10 minutes | 10:02:08 |
| Sandro 🐧 | In reply to @arianvp:matrix.orgIf the domains are similar, I always use the DNS challenge to avoid sich scenarios in case of data loss but probably not everyone is doing that | 10:03:00 |
| Arian | Redacted or Malformed Event | 10:05:25 |
| Arian | We also have https://github.com/NixOS/nixpkgs/pull/244511 which limits concurrent domain creation. I didn't realise that landed | 10:05:55 |
| Arian | So... the rate limit concern is probably not so big. This is just a problem with people with CAA records. I think I'm okay with just double checking this is in the release notes and if not add it | 10:06:21 |