12 Feb 2023 |
m1cr0man | Oh right I finally understand 180980 properly, better than I did in September :P | 18:31:20 |
m1cr0man | There, I left a big reply in 199033, I did out a truth table for his proposal, which a) took way too long to figure out the implications and b) turned out to be needlessly complicated and I would think harmful to some existing configs. | 20:25:04 |
16 Feb 2023 |
m1cr0man | Hm, interesting https://github.com/NixOS/nixpkgs/issues/216487 I'll do my best to explain why it exists. | 09:29:55 |
m1cr0man | Tldr the conditionPathExists is needed to ensure successful reload when vhosts with new certs are added, and it performs batching too | 09:32:27 |
m1cr0man | Actually, there might be a way to reduce the number of reloads with some file touching | 09:35:22 |
m1cr0man | But that's extra complexity to solve a non issue afaik. What harm does extra reloading do? | 09:35:55 |
23 Feb 2023 |
raitobezarius | Breaking TCP connections basically | 05:04:00 |
raitobezarius | Hm no reload keeps the existing ones * | 05:04:40 |
4 Mar 2023 |
raitobezarius | I have a NixOS test using curl to test TLS-related stuff:
webserver # * Server certificate:
webserver # * subject: CN=*.test.nix
webserver # * start date: Jan 30 03:41:18 2023 GMT
webserver # * expire date: Jan 30 03:41:18 2043 GMT
webserver # * subjectAltName does not match direct.noproxy.test.nix
webserver # * SSL: no alternative certificate subject name matches target host name 'direct.noproxy.test.nix'
I am using ACME snakeoil certs, but for some reason, my wildcard cert with CN=.test.nix and SAN=[.test.nix] is not considered as valid by curl, though openssl -showcerts -connect validates the chain properly… (I used security.pki.certificateFiles)
| 19:41:47 |
raitobezarius | Does anyone understand how I can get curl to debug this or is it an instance of curl failing because the CN contain * and this is not really allowed? | 19:42:06 |
raitobezarius | It seems like minica is doing this and I have no real control over this | 19:42:14 |
raitobezarius | CN=*.test.nix and SAN=[*.test.nix] * | 19:44:03 |
m1cr0man | have you passed the snakeoil root CA into the CA bundle for curl? | 20:01:33 |
m1cr0man | oh wait I see what's wrong - you actually can't use a wildcard for 2+ nested domains | 20:01:51 |
m1cr0man | noproxy.test.nix would work, direct-noproxy.test.nix would also work, but what you have is invalid, you would need a wildcard for that subdomain | 20:02:16 |
raitobezarius | Aaaaah | 22:52:53 |
raitobezarius | Thanks m1cr0man:! | 22:53:21 |
m1cr0man | No bother! :) | 22:53:36 |
6 Mar 2023 |
hexa | https://hydra.nixos.org/log/fn9hp25w7h8na36gfyqkrfpfmlrffksj-vm-test-run-acme.drv | 08:15:38 |
hexa | on unstable-small | 08:15:41 |
hexa |
https://hydra.nixos.org/log/fn9hp25w7h8na36gfyqkrfpfmlrffksj-vm-test-run-acme.drv
| 08:15:46 |
hexa | *
Test "Can request certificate with Lego's built in web server" failed with error: "unit "acme-finished-http.example.test.target" is inactive and there are no pending jobs"
| 08:15:51 |
m1cr0man | Amazing thank you for catching that | 11:25:34 |
hexa | the log is gone | 20:16:52 |
hexa | I'm stupid | 20:16:57 |
hexa | should've dumped it | 20:17:00 |
15 Mar 2023 |
m1cr0man | that one line is literally all I should need to reproduce it :) | 20:37:07 |
24 Mar 2023 |
hexa | Reliability via Automated Renewal Information - https://letsencrypt.org/2023/03/23/improving-resliiency-and-reliability-with-ari.html | 22:18:45 |
25 Mar 2023 |
m1cr0man | Yeah so that's interesting. We do an offline check to get around an issue where ACME would fail in containers that didn't have networking at startup. THere's an old (closed) issue about it lying around, I could probably find it through the git blame. Other than that, we do invoke lego to check renewal and that (as found during that same ticket) already does some online check. I think this is mostly a no-op for us, we already support it as best we can but we kinda need to keep the offline check to avoid that old bug. | 19:28:56 |
m1cr0man | https://github.com/NixOS/nixpkgs/issues/85794 fixed via https://github.com/NixOS/nixpkgs/pull/114752 | 19:29:40 |