| 3 Jun 2024 |
Arian | If there are any volunteers to join the team just yell ;) | 09:45:39 |
Sandro 🐧 | You could symlink the old hash to the new one if the new directory doesn't exist and the contents are similar enough to be compatible | 09:52:47 |
Sandro 🐧 | In reply to @arianvp:matrix.org: "maybe we should symlink or copy the directory instead of moving? idk. Maybe it's not worth it supporting rollbacks. Just thinking out loud of another failure mode here" Copy means you have old, potentially ran out certs | 09:52:47 |
Sandro 🐧 | In reply to @arianvp:matrix.org: "(and it's important. E.g. German government has been issuing Let's Encrypt certificates for a lot of XMPP servers through MITM'ing through middleboxes at Hetzner datacenters and got caught red-handed multiple times last year)" I know of the one case that went on Hacker News.
DNS challenge works against that, does it? | 09:52:47 |
Sandro 🐧 | I have a PR for a test improvement open for 4 months to prevent such issues in the future and no one really cared, so I just gave up https://github.com/NixOS/nixpkgs/pull/286999 | 09:52:47 |
Arian | Yeh no blame on you at all. | 09:53:22 |
Sandro 🐧 | Going back to null is also not that great because then we rely on the lego defaults which could change in the future | 09:56:08 |
Sandro 🐧 | If you have a change I could test, throw it over the fence | 10:00:00 |
Arian | yeh I think the only solution is to do some state mangling.
Or just put in the release notes that the hash changed and call it a day
| 10:00:10 |
Sandro 🐧 | I really thought we already had that in the release notes... | 10:00:36 |
Arian | We used to have bugs where we would recreate the same account multiple times: https://github.com/NixOS/nixpkgs/pull/106857 and the account creation rate limiting is very aggressive (5 per day?) But I think we don't run into that issue anymore | 10:00:39 |
Arian | So the rate-limit issue is probably less of a problem; unless you have a lot of domains | 10:01:25 |