| 23 Feb 2023 |
raitobezarius | Hm no reload keeps the existing ones * | 05:04:40 |
| 4 Mar 2023 |
raitobezarius | I have a NixOS test using curl to test TLS-related stuff:
webserver # * Server certificate:
webserver # * subject: CN=*.test.nix
webserver # * start date: Jan 30 03:41:18 2023 GMT
webserver # * expire date: Jan 30 03:41:18 2043 GMT
webserver # * subjectAltName does not match direct.noproxy.test.nix
webserver # * SSL: no alternative certificate subject name matches target host name 'direct.noproxy.test.nix'
I am using ACME snakeoil certs, but for some reason, my wildcard cert with CN=*.test.nix and SAN=[*.test.nix] is not considered as valid by curl, though openssl -showcerts -connect validates the chain properly… (I used security.pki.certificateFiles)
| 19:41:47 |
raitobezarius | Does anyone understand how I can get curl to debug this, or is it an instance of curl failing because the CN contains * and this is not really allowed? | 19:42:06 |
raitobezarius | It seems like minica is doing this and I have no real control over this | 19:42:14 |
raitobezarius | CN=*.test.nix and SAN=[*.test.nix] * | 19:44:03 |
m1cr0man | have you passed the snakeoil root CA into the CA bundle for curl? | 20:01:33 |
m1cr0man | oh wait I see what's wrong - you actually can't use a wildcard for 2+ nested domains | 20:01:51 |
m1cr0man | noproxy.test.nix would work, direct-noproxy.test.nix would also work, but what you have is invalid, you would need a wildcard for that subdomain | 20:02:16 |
raitobezarius | Aaaaah | 22:52:53 |
raitobezarius | Thanks m1cr0man! | 22:53:21 |
m1cr0man | No bother! :) | 22:53:36 |
| 6 Mar 2023 |
hexa | https://hydra.nixos.org/log/fn9hp25w7h8na36gfyqkrfpfmlrffksj-vm-test-run-acme.drv | 08:15:38 |
hexa | on unstable-small | 08:15:41 |
hexa | https://hydra.nixos.org/log/fn9hp25w7h8na36gfyqkrfpfmlrffksj-vm-test-run-acme.drv | 08:15:46 |
hexa | Test "Can request certificate with Lego's built in web server" failed with error: "unit "acme-finished-http.example.test.target" is inactive and there are no pending jobs" * | 08:15:51 |
m1cr0man | Amazing thank you for catching that | 11:25:34 |
hexa | the log is gone | 20:16:52 |
hexa | I'm stupid | 20:16:57 |
hexa | should've dumped it | 20:17:00 |
| 15 Mar 2023 |
m1cr0man | that one line is literally all I should need to reproduce it :) | 20:37:07 |
| 24 Mar 2023 |
hexa | Reliability via Automated Renewal Information - https://letsencrypt.org/2023/03/23/improving-resliiency-and-reliability-with-ari.html | 22:18:45 |
| 25 Mar 2023 |
m1cr0man | Yeah so that's interesting. We do an offline check to get around an issue where ACME would fail in containers that didn't have networking at startup. There's an old (closed) issue about it lying around, I could probably find it through the git blame. Other than that, we do invoke lego to check renewal and that (as found during that same ticket) already does some online check. I think this is mostly a no-op for us, we already support it as best we can but we kinda need to keep the offline check to avoid that old bug. | 19:28:56 |
m1cr0man | https://github.com/NixOS/nixpkgs/issues/85794 fixed via https://github.com/NixOS/nixpkgs/pull/114752 | 19:29:40 |
m1cr0man | what would be really nice is if I would hurry my ass up and PR some sort of offline-ok check into lego renew so we can remove all our custom logic | 19:30:23 |
| 5 Apr 2023 |
| redstone-menace joined the room. | 05:51:14 |
| 6 Apr 2023 |
| kadawee joined the room. | 01:02:12 |
| 12 Apr 2023 |
| Yuddite G joined the room. | 09:12:01 |
| 16 Apr 2023 |
| Yuddite G changed their profile picture. | 23:09:28 |
| 26 Apr 2023 |
| Yuddite G changed their display name from Yuddite Pilot to Yuddite Groyper. | 04:49:18 |
| Yuddite G changed their display name from Yuddite Groyper to Yuddite G. | 21:02:56 |