4 Oct 2023 |
| @pederbs:pvv.ntnu.no changed their profile picture. | 22:20:32 |
5 Oct 2023 |
hexa | https://gist.github.com/mweinelt/3993fdc7be3caf81bcff1bc506f44922 | 12:04:19 |
hexa | m1cr0man: 🙂 | 12:04:22 |
m1cr0man | Download tenor_gif9132551967232721932.gif | 13:59:42 |
m1cr0man | osnyx (he/him): I'm just seeing your message now. I personally use Apache and definitely have added new domains to running hosts. What I imagine has gone wrong here is that the Acme module assumes some mechanism will reload nginx when its own config changes irrespective of nginx-config-reload (aka switch-to-configuration will do it). That way the self signed certs get used initially then once renewal succeeds nginx-config-reload will reload it a second time, and http-01 validation succeeds.
Really we just need to look at the order of operations during a rebuild and work from there. I would expect there to be a reload of nginx during the switch, after self signed, and before the renewal service | 14:09:50 |
m1cr0man | Confusing English gonna edit that 😅 | 14:10:47 |
m1cr0man | * osnyx (he/him): I'm just seeing your message now. I personally use Apache and definitely have added new domains to running hosts. What I imagine has gone wrong here is that the Acme module assumes some mechanism will reload nginx when its own config changes irrespective of nginx-config-reload (aka switch-to-configuration will do it). That way the self signed certs get used initially, http-01 validation happens, then once renewal succeeds nginx-config-reload will reload it a second time.
Really we just need to look at the order of operations during a rebuild and work from there. I would expect there to be a reload of nginx during the switch, after self signed, and before the renewal service | 14:11:17 |
osnyx (he/him) |
is that the Acme module assumes some mechanism will reload nginx when its own config changes irrespective of nginx-config-reload
But that cannot happen because the yet-to-be-generated certificate files are already referenced by the new config after switch, irrespective of whether the self-signed services have already run.
| 14:12:14 |
osnyx (he/him) | I read (haven't tried myself) that nginx crashes when the config references nonexisting cert files. This is probably one of the main reasons for the existence of nginx-config-reload, as it has a condition guard that checks for the existence of cert files. | 14:13:27 |
m1cr0man | Yes indeed. I think Apache silently fails here, and by the time a request is made selfsigned has run. I don't remember how nginx does it.
Actually - bigger point. The test suite is passing 😛 how? I'm pretty sure I have a test for your exact scenario | 14:14:04 |
osnyx (he/him) | I've done a workaround for our own fork of the nginx module now. As we plan to move towards upstream anyways, I'll probably want to get this fixed there as well and will soon-ish try to write a reproducer in the acme tests. Shouldn't be that hard. | 14:15:18 |
osnyx (he/him) | In reply to @m1cr0man:m1cr0man.com: Yes indeed. I think Apache silently fails here, and by the time a request is made selfsigned has run. I don't remember how nginx does it.
Actually - bigger point. The test suite is passing 😛 how? I'm pretty sure I have a test for your exact scenario
But yeah, I should have a look at ALL the tests. | 14:15:59 |
osnyx (he/him) | I mainly wanted to rule out a "Yes we know it's broken at switch time, but as long as it quickly converges to non-broken due to service retries we're fine with it". | 14:17:42 |
m1cr0man | Yeah no, it shouldn't be broken at all 😛 | 14:24:03 |
m1cr0man | And maybe it is broken and the test suite is sugar coating it with retries, but I don't have time to check right this moment | 14:24:39 |
osnyx (he/him) | I'll investigate further, thanks. | 15:52:28 |
7 Oct 2023 |
| woobilicious joined the room. | 06:00:43 |
12 Oct 2023 |
| ajs124 changed their profile picture. | 21:33:52 |
22 Oct 2023 |
| @janik0:matrix.org joined the room. | 21:04:46 |
23 Oct 2023 |
| globin joined the room. | 09:52:39 |
| globin set a profile picture. | 14:27:53 |
| @robin.gloster:matrix.mayflower.de left the room. | 09:52:42 |
26 Oct 2023 |
K900 | https://hydra.nixos.org/jobset/nixos/unstable-small#tabs-errors | 08:31:31 |
K900 | nixosTests.acme eval errors on master | 08:31:43 |
28 Oct 2023 |
m1cr0man | Do I need to be logged in to see an errors tab? | 11:44:47 |
m1cr0man | oh found it nvm | 11:45:40 |
K900 | Fixed already | 11:46:23 |
m1cr0man | Oh sorry that was from Thursday, yeah I saw your PR thanks for dealing with that. I broke my matrix server and didn't realize until last night and didn't see most messages. | 12:21:31 |
31 Oct 2023 |
K900 | The "unit "acme-finished-http.example.test.target" is inactive and there are no pending jobs" flake is back | 07:59:43 |
15 Nov 2023 |
| @grahamc:nixos.org changed room power levels. | 16:15:02 |