| 17 Feb 2025 |
 hexa | I don't think we currently support ACME Renwal Info (ARI), because don't execute lego when the certificate is not yet outdated | 16:55:13 |
| hexa | https://github.com/go-acme/lego/pull/1912 | 16:55:14 |
 emily | I thought we execute lego like every 24 hours | 16:56:10 |
| hexa | LE are currently sending out mail to their subscribers with recommendations | 16:56:11 |
| emily | did that get conditionalized? | 16:56:15 |
| hexa | hm, let me check | 16:56:26 |
| emily | https://github.com/NixOS/nixpkgs/pull/80856 | 16:56:48 |
| emily | of course the module has changed a lot since then so it's possible we don't reliably execute lego when that timer fires, which would be bad | 16:57:04 |
| hexa | # Check if we can renew.
# We can only renew if the list of domains has not changed.
# We also need an account key. Avoids #190493
if cmp -s domainhash.txt certificates/domainhash.txt && [ -e 'certificates/juno.lossy.network.key' ] && [ -e 'certificates/juno.lossy.network.crt' ] && [ -n "$(find accounts -name 'hexa@darmstadt.ccc.de.key')" ]; then
# Even if a cert is not expired, it may be revoked by the CA.
# Try to renew, and silently fail if the cert is not expired.
# Avoids #85794 and resolves #129838
if ! lego --accept-tos --path . -d juno.lossy.network --email hexa@darmstadt.ccc.de --key-type ec384 --dns rfc2136 --server https://acme-v02.api.letsencrypt.org/directory renew --no-random-sleep --days 30; then
if is_expiration_skippable out/full.pem; then
echo 1>&2 "nixos-acme: Ignoring failed renewal because expiration isn't within the coming 30 days"
else
# High number to avoid Systemd reserved codes.
exit 11
fi
fi
# Otherwise do a full run
elif ! lego --accept-tos --path . -d juno.lossy.network --email hexa@darmstadt.ccc.de --key-type ec384 --dns rfc2136 --server https://acme-v02.api.letsencrypt.org/directory run; then
# Produce a nice error for those doing their first nixos-rebuild with these certs
echo Failed to fetch certificates. \
This may mean your DNS records are set up incorrectly. \
Selfsigned certs are in place and dependant services will still start.
# Exit 10 so that users can potentially amend SuccessExitStatus to ignore this error.
# High number to avoid Systemd reserved codes.
exit 10
fi
| 16:58:04 |
| hexa | looks like we always call lego | 16:58:13 |
| emily | perhaps we just need to pass an ARI flag then. (not sure why that wouldn't be default) | 16:58:42 |
| hexa | still a draft | 16:59:00 |
| hexa | https://datatracker.ietf.org/doc/draft-ietf-acme-ari/ | 16:59:08 |
| emily | I think it's been deployed at Let's Encrypt for a while though | 17:07:42 |
| emily | (years?) | 17:07:48 |
| hexa | yeah, 2023-2024 | 17:10:23 |
| hexa | they updated the spec a few times | 17:10:30 |
| hexa | securit.acyme.defaultsextraLegoRenewFlags = [
# https://datatracker.ietf.org/doc/draft-ietf-acme-ari/
"--ari-enable"
];
| 17:10:44 |
| hexa | does nothing when the acme endpoint does not offer RenewInfo | 17:11:12 |
| hexa | https://letsencrypt.org/2024/04/25/guide-to-integrating-ari-into-existing-acme-clients/#step-5-selecting-a-specific-renewal-time | 17:12:17 |
| hexa | given that lego is not in control about when we run it again that algorithm seems moot | 17:12:30 |
| hexa | --ari-wait-to-renew-duration value The maximum duration you're willing to sleep for a renewal time returned by the renewalInfo endpoint. (default: 0s)
| 17:13:24 |
| hexa | so this needs to stay at 0, since we cannot deviate interactively from the timer schedule | 17:13:41 |
| emily | probably we would need to rearchitect the entire timer logic to implement LE's recommendations | 17:13:54 |
| emily | it's another thing where modern ACME practices are better suited to long-running manager daemons than cron jobs | 17:14:11 |
| emily | we do at least randomize enough to avoid a periodic thundering herd | 17:14:28 |
| hexa | I think for now it would be good to just enable ARI, so lego would do early renewal, even if the cert lifetime is fine | 17:14:31 |
| hexa | * I think for now it would be good to just enable ARI, so lego would do early renewal, even if the perceived cert lifetime is fine | 17:14:37 |
| emily | yes, would be a good incremental improvement, should be harmless to do by default | 17:14:44 |
| hexa | * I think for now it would be good to just enable ARI, so lego would do early renewal, even if the perceived cert lifetime as sufficient | 17:15:04 |
