| 2 Oct 2023 |
osnyx (he/him) | The easiest thing would be (as long as self-signed placeholder certs are used) if it was
<nginx.conf updated> -> <acme-selfsigned service run> -> <nginx-reload-config.service> -> <acme-renew run> -> <nginx-reload-config.service> -> <acme-finished target> | 12:53:04 |
osnyx (he/him) | Unfortunately, the same service cannot be run multiple times within the dependency chain of a service (AFAIK). So I am thinking about duplicating the nginx reload service under 2 names to run it before and after an acme renewal.
But maybe there's a better option or I am just holding things the wrong end here. | 12:54:38 |
osnyx (he/him) | * As nginx is reloaded even after failing acme service runs, the next retry of the service succeeds and after a few minutes, the certs are successfully validated. But the initial switch-to-configuration exits with a failure code. This is not very useful if you call that switch as a part of a deployment script. | 13:02:42 |
osnyx (he/him) | * Unfortunately, the same service cannot be run multiple times within the dependency chain of a service (AFAIK). So I am thinking about duplicating the nginx reload service under 2 names to run it before and after an acme renewal.
But maybe there's a better option or I am just holding things the wrong end here. | 13:15:34 |
| 5 Oct 2023 |
hexa | https://gist.github.com/mweinelt/3993fdc7be3caf81bcff1bc506f44922 | 12:04:19 |
hexa | m1cr0man: 🙂 | 12:04:22 |
m1cr0man | osnyx (he/him): I'm just seeing your message now. I personally use Apache and definitely have added new domains to running hosts. What I imagine has gone wrong here is that the Acme module assumes some mechanism will reload nginx when its own config changes irrespective of nginx-config-reload (aka switch-to-configuration will do it). That way the self-signed certs get used initially, then once renewal succeeds nginx-config-reload will reload it a second time, and http-01 validation succeeds.
Really we just need to look at the order of operations during a rebuild and work from there. I would expect there to be a reload of nginx during the switch, after self-signed, and before the renewal service | 14:09:50 |
m1cr0man | Confusing English gonna edit that 😅 | 14:10:47 |