| 3 Jun 2024 |
 K900 | That's a very stupid behavior in lego tbh | 08:11:03 |
 Arian | This is not Lego. this is us | 08:11:10 |
| Arian | I think? | 08:11:15 |
| K900 | Oh OK yeah it is us | 08:12:00 |
| K900 | https://github.com/SuperSandro2000/nixpkgs/blob/6e294f40db992635e4aa566789ac3560ed1f9b1a/nixos/modules/security/acme/default.nix#L16 | 08:12:00 |
| Arian | so acmeServer used to be null | 08:12:19 |
| Arian | and we change it to the letsencrypt uri | 08:12:35 |
| K900 | But how is it leaking into CAA records then | 08:13:01 |
| K900 | Is what I don't get | 08:13:03 |
| Arian | You can bind your CAA record to your account ID these days | 08:13:35 |
| K900 | Oh | 08:13:40 |
| Arian | it's a new extension to ACME protocol | 08:13:42 |
| Arian | to detect MITM attacks | 08:13:45 |
| K900 | Yeeeeeah | 08:13:58 |
| K900 | But then we can just migrate | 08:14:03 |
| K900 | Like | 08:14:11 |
| Arian | (and it's important. E.g. German government has been issueing LEtsEncrypt certificates for a lot of XMPP servers through MITM'ing through middleboxes at Hetzner datacenters and got caught redhanded multiple times last year) | 08:14:15 |
| K900 | Compute old hash and new hash | 08:14:32 |
| K900 | In preStart | 08:14:34 |
| Arian | my idea was to make something like `${stateVersion < 23.11 ? " " : acmeServer} | 08:15:15 |
| K900 | And then
if [ -d $oldHash ]; then
if [ ! -d $newHash ]; then
mv $oldHash $newHash
else
echo "You are dedge please fix"
exit 1
fi
fi
| 08:15:25 |
| K900 | People who have two accounts need to manually adjust anyway | 08:15:56 |
| K900 | It's too late for them | 08:16:00 |
| K900 | Because we can't just roll them back either | 08:16:11 |
| K900 | Or we might break them AGAIN | 08:16:17 |
| Arian | yeh. Cat is out of the bag | 08:16:52 |
| Arian | so I guess stateVersion also doesnt work.. as this release is already out | 08:17:02 |
| Arian | I like the ExecStartPre idea | 08:17:34 |
| Arian | K900: you wanna prepare a patch with that? | 08:18:02 |
| K900 | No | 08:18:21 |
