!MthpOIxqJhTgrMNxDS:nixos.org

NixOS ACME / LetsEncrypt

Topic: Another day, another cert renewal


12 Jan 2026

[01:29:15] emily (@emilazy:matrix.org): because then the CA does its own load balancing across renewal times
[01:29:47] emily (@emilazy:matrix.org): I implemented the skew back before ARI was a thing
[01:50:33] hexa (@hexa:lossy.network): https://github.com/NixOS/nixpkgs/pull/479209
[01:51:24] hexa (@hexa:lossy.network): I wish we could do something similar for the timer interval
[01:53:40] Tom (@tom:dragar.de): is there that much harm in just running it more often as the new default?
[01:56:59] hexa (@hexa:lossy.network): we're a multiplier, so yes it matters
[02:04:35] Tom (@tom:dragar.de): from my understanding the check on whether to proceed with the renewal is done locally. So it would "only" affect local resources from my understanding?
[02:05:10] hexa (@hexa:lossy.network): (edit) only while above validMinDays
[02:05:24] hexa (@hexa:lossy.network): (edit) we only fail if above valid min days
[02:06:02] hexa (@hexa:lossy.network): we run renew always, but only fail if below validMinDays
[02:06:31] hexa (@hexa:lossy.network): (edited 02:06:46)
            if ! lego ${renewOpts} --days ${toString data.validMinDays}; then
              if is_expiration_skippable out/full.pem; then
                echo 1>&2 "nixos-acme: Ignoring failed renewal because expiration isn't within the coming ${toString data.validMinDays} days"
              else
                # High number to avoid Systemd reserved codes.
                exit 11
              fi
            fi
[02:06:33] hexa (@hexa:lossy.network): that's this logic
[02:07:36] Tom (@tom:dragar.de): ah, okay
[02:12:04] hexa (@hexa:lossy.network): Tom: feel free to test https://github.com/NixOS/nixpkgs/pull/479212
[15:53:31] Sandro 🐧 (@sandro:supersandro.de): Since I don't want to renew all acme certs for all nixos users again, I leave that to someone experienced
[19:21:06] hexa (@hexa:lossy.network): [image: image.png]
[19:21:10] hexa (@hexa:lossy.network): 🤔
[19:26:23] hexa (@hexa:lossy.network): well, we use the email as kind of an account name
[19:26:27] hexa (@hexa:lossy.network): tough
[19:28:44] hexa (@hexa:lossy.network): I suppose these are created by lego
[19:28:53] hexa (@hexa:lossy.network): so the question would be how it names them with no email given
[19:40:47] hexa (@hexa:lossy.network):
    > I decorrelated the email (used by the LE account) and the user ID (used to create files and directories).
[19:40:50] hexa (@hexa:lossy.network): https://github.com/go-acme/lego/pull/2736
[19:41:10] hexa (@hexa:lossy.network):
    const userIDPlaceholder = "noemail@example.com"
[20:44:38] Sandro 🐧 (@sandro:supersandro.de): looks kind of hacky
[22:33:08] m1cr0man (@m1cr0man:m1cr0man.com): Hey... organising a wedding, and was out of country over Christmas. Will try and find time tomorrow evening to review + possibly contribute to some of the acme things. I am still reading all the emails, and it's painful not to have time to respond
