| 16 Feb 2026 |
| pneumatic changed their profile picture. | 15:17:47 |
| 17 Feb 2026 |
hexa | @m1cr0man are we on the same page regarding self-signed certs, CSRs and minica? | 01:09:56 |
hexa | the sanest way to extract SANs from a CSR I found is cfssl certinfo | 01:15:21 |
hexa | and then we could pipe them back into the minica commandline | 01:15:36 |
| 22 Feb 2026 |
| Tiger joined the room. | 02:54:35 |
| 1 Mar 2026 |
| Octopus joined the room. | 01:17:34 |
| 2 Mar 2026 |
| L. Croft joined the room. | 20:39:38 |
| 6 Mar 2026 |
| Theuni changed their display name from Christian Theune to Theuni. | 19:57:15 |
| 11 Mar 2026 |
| Theuni changed their display name from Theuni to Christian Theune. | 14:11:06 |
| 12 Mar 2026 |
| Theuni changed their display name from Christian Theune to Theuni. | 07:17:22 |
| 13 Mar 2026 |
| @katzenmann:frei.chat joined the room. | 20:58:51 |
hexa | got two support requests today for | 21:08:18 |
hexa | Could not validate ARI 'replaces' field :: requester account did not request the certificate being replaced by this order | 21:08:20 |
| @katzenmann:frei.chat left the room. | 21:08:35 |
hexa | this happens when the email address for a certificate gets changed | 21:08:41 |
hexa | one solution is to yank the whole cert and request a new one | 21:08:57 |
hexa | wondering if we can and want to try to couple certificates harder with the account name | 21:09:45 |
| 14 Mar 2026 |
m1cr0man | how does this happen? Like are there cert authorities that let you do it OOB? | 01:29:52 |
hexa | security.acme.defaults.email = "foo" -> "bar" | 01:36:13 |
hexa | then we register a new account I guess | 01:36:24 |
hexa | but the regular quiet renews ask for ari and that raises that error | 01:36:41 |
hexa | for existing certificates that were created under the foo account | 01:36:52 |
emily | LE don't even store emails any more, right? | 01:37:29 |
emily | so the email value is just … changing the hash of the account but not anything about the data that actually gets retained on their end? | 01:37:55 |
hexa | they don't, but other acme providers might | 01:39:33 |
hexa | a hash change registers a new account, right? | 01:39:49 |
hexa | so we have certs in store that don't belong to the new account and therefore fail renewal | 01:40:12 |
emily | right | 01:42:36 |
emily | I mean… it might make sense to warn if an email is set / omit it from the hash for LE servers, say | 01:43:08 |
emily | but that is its own migration separate | 01:43:23 |