NixOS ACME / LetsEncrypt

34 Members
Another day, another cert renewal18 Servers

Load older messages

4 Oct 2021
@hexa:lossy.networkhexa extraLegoFlags probably does lego $extraLegoFlags <run/renew> 12:38:04
@hexa:lossy.networkhexa * extraLegoFlags probably does lego $extraLegoFlags <run/renew> 12:38:06
@hexa:lossy.networkhexawhile the others append12:38:10
@hexa:lossy.networkhexawould have to look that up though12:38:16
In reply to @aanderse:nixos.dev
any chance we need to update LEGO? ... or iunno... anything? i think the letsencrypt root cert expired recently and one of my certs is having issues when being used with prosody
i don't have many details, sorry, short on time
updated lego nevertheless. https://github.com/NixOS/nixpkgs/pull/140479
In reply to @hexa:lossy.network
some location block shadowing the webroot?
try removing the location blocks one by one to rule them out
@dandellion:dodsorf.asDandellionMhm, will try12:55:49
@hexa:lossy.networkhexaalso check your nginx log, it might show you the full path it tried 12:56:14
In reply to @hexa:lossy.network
try removing the location blocks one by one to rule them out

For some crazy reason I had

  services.nginx.virtualHosts = {
    "acmechallenge.dodsorf.as" = {
      # Catchall vhost, will redirect users to HTTPS for all vhosts
      serverAliases = [ "*.dodsorf.as" ];
      # /var/lib/acme/.challenges must be writable by the ACME user
      # and readable by the Nginx user.
      # By default, this is the case.
      locations."/.well-known/acme-challenge" = {
        root = "/var/lib/acme/.challenges";
      locations."/" = {
        return = "301 https://$host$request_uri";

in my config

@dandellion:dodsorf.asDandellionwhich it seems I copied from here https://nixos.org/manual/nixos/stable/#module-security-acme-configuring20:39:35
@dandellion:dodsorf.asDandellionprobably from when I was using traefik or something :)20:40:15
@dandellion:dodsorf.asDandellionThanks for your help!20:40:27
5 Oct 2021
@dguibert:matrix.orgDavid Guibert joined the room.07:01:54
6 Oct 2021
@rosariopulella:matrix.orgRosario Pulella changed their display name from rosariopulella to Rosuavio.10:38:32
@rosariopulella:matrix.orgRosario Pulella changed their display name from Rosuavio to Rosario Pulella.10:44:57
@m1cr0man:m1cr0man.comm1cr0manHey folks 👋 been a while since I've been on Matrix 😅 How are things? Seeing the news about the acme root cert stuff last week, it was nice to know that our module was not going to result in any issues 💪 😉20:21:14
@hexa:lossy.networkhexayeah, the module is really awesome, and we are iterating in small steps on it to make it even better!20:47:23
@hexa:lossy.networkhexatwo things on the 21.11 agenda20:47:33
@hexa:lossy.networkhexahttps://github.com/NixOS/nixpkgs/pull/139311 (hardening fix) https://github.com/NixOS/nixpkgs/pull/140743 (design) https://github.com/NixOS/nixpkgs/pull/125256 (stale) https://github.com/NixOS/nixpkgs/pull/140479 (merged)20:48:43
12 Oct 2021
@grahamc:nixos.orggrahamc (he/him)I don't suppose our module supports DNS01 challenges?15:01:20
@grahamc:nixos.orggrahamc (he/him) security.acme.certs.<name>.dnsProvider hmm it seems to... time to read the module 15:02:12
@grahamc:nixos.orggrahamc (he/him)hot dog https://github.com/NixOS/nixpkgs/blob/nixos-21.05/nixos/modules/security/acme.nix#L125-L13115:02:35
@grahamc:nixos.orggrahamc (he/him)this is so much easier than it used to be 15:03:22
@hexa:lossy.networkhexasince 20.09 😁15:06:09
@arianvp:matrix.orgArianYou're welcome!15:11:05
16 Oct 2021
@hexa:lossy.networkhexa m1cr0man: need feedback here https://github.com/NixOS/nixpkgs/pull/139311 15:59:03

There are no newer messages yet.

Back to Room List