3 Jun 2024 |
Arian | it's a new extension to ACME protocol | 08:13:42 |
Arian | to detect MITM attacks | 08:13:45 |
K900 | Yeeeeeah | 08:13:58 |
K900 | But then we can just migrate | 08:14:03 |
K900 | Like | 08:14:11 |
Arian | (and it's important. E.g. German government has been issueing LEtsEncrypt certificates for a lot of XMPP servers through MITM'ing through middleboxes at Hetzner datacenters and got caught redhanded multiple times last year) | 08:14:15 |
K900 | Compute old hash and new hash | 08:14:32 |
K900 | In preStart | 08:14:34 |
Arian | my idea was to make something like `${stateVersion < 23.11 ? " " : acmeServer} | 08:15:15 |
K900 | And then
if [ -d $oldHash ]; then
if [ ! -d $newHash ]; then
mv $oldHash $newHash
else
echo "You are dedge please fix"
exit 1
fi
fi
| 08:15:25 |
K900 | People who have two accounts need to manually adjust anyway | 08:15:56 |
K900 | It's too late for them | 08:16:00 |
K900 | Because we can't just roll them back either | 08:16:11 |
K900 | Or we might break them AGAIN | 08:16:17 |
Arian | yeh. Cat is out of the bag | 08:16:52 |
Arian | so I guess stateVersion also doesnt work.. as this release is already out | 08:17:02 |
Arian | I like the ExecStartPre idea | 08:17:34 |
Arian | K900: you wanna prepare a patch with that? | 08:18:02 |
K900 | No | 08:18:21 |
Arian | okay then i'll give it a shot later | 08:18:27 |
Arian | thanks for the idea though! :) | 08:18:30 |
K900 | I've got pretty bad brain fog from the cold still, I don't trust myself to not fuck this up | 08:18:44 |
Arian | Yeh load-bearing bash is fun :D | 08:19:11 |
| Stéphan joined the room. | 08:44:56 |
Stéphan | By no means a good attempt, but I hacked away on this: https://github.com/NixOS/nixpkgs/compare/master...stephank:nixpkgs:fix-acme?w=1 | 08:48:56 |
Stéphan | I just have no idea how to test it | 08:49:04 |
Stéphan | I reused the fixperms service, because I was worried about bind mounts. I'm not sure if bind mounts are preserved from ExecStartPre to ExecStart, or if they are recreated correctly when the underlying directory changed. | 08:50:13 |
Stéphan | Now that I think about it, maybe a simple -e or -d check won't work because the $newHash directory will always be created via BindPaths ? | 08:51:01 |
Stéphan | Looks like it's always created: https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#BindPaths= | 08:51:59 |
Stéphan | Oh wait, the fixperms / migration service doesn't use BindPaths. So what I cooked up there may work. | 08:55:41 |