ACME: default to Let's Encrypt's staging CA. #31122
Conversation
The goal is to avoid hitting rate limits too soon by default, which is pretty bad when it hits you (for instance when NixOps forced you to reinstall your instance more than five times in a week)
nixos/modules/security/acme.nix
@@ -139,6 +139,19 @@ in | |||
''; | |||
}; | |||
|
|||
production = mkOption { | |||
type = types.bool; | |||
default = false; |
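Review bot: `default = false;` flips the behaviour for every existing user of this module: on upgrade they would silently start receiving certificates from the staging CA, which browsers do not trust, so their sites break without any change on their side. Default the new `production` option to `true` so existing deployments keep working, and make opting into staging an explicit choice described in the option's documentation.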
This at least needs to default to true, we can't just break everyone's LE installs.
++ concatLists (mapAttrsToList (name: root: [ "-d" (if root == null then name else "${name}:${root}")]) data.extraDomains); | ||
++ concatLists (mapAttrsToList (name: root: [ "-d" (if root == null then name else "${name}:${root}")]) data.extraDomains) | ||
++ (if cfg.production then [] | ||
else ["--server" "https://acme-staging.api.letsencrypt.org/directory"]); |
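Review bot: the only visible effect of `production = false` is the extra `"--server" "https://acme-staging.api.letsencrypt.org/directory"` argument, so a deployment that keeps the setting after debugging would serve an untrusted chain with nothing else in the configuration flagging it; since the flag only ever toggles between two hardcoded values, consider exposing the directory URL as a string option instead of burying it in this branch, and because this adds a user-visible option the change needs a release note entry.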
That change would at least require a release note entry.
UPDATE: now production defaults to true
so old behavior is restored.
How do I do this?
nixos/modules/security/acme.nix
|
||
See | ||
<literal>https://letsencrypt.org/docs/staging-environment</literal> | ||
for more detail. ''; }; |
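Review bot: `for more detail. ''; }; |` closes the description string and the option attribute set on the same line as the description text; put `'';` and `};` on their own lines, indented the way the neighbouring options in this file are, so the new option reads like the rest of the module.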
This is some weird closing of quotes and braces, please keep to the style used in the rest of this file :)
What is the staging CA and what are the consequences of switching to it?
We didn't switch it, the outcome was to add a
The staging CA is a CA that is not in browsers, for debugging purposes. The motivation for this change is that I hit the limit of Let's Encrypt certificate requests after NixOps crashed my GCE instances five times over three consecutive days, screwing my SSH access every single time. Now I have to wait four more days before I can ask for a certificate again.
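As an added example (not code from this pull request or from the nixpkgs project): a small Python check that answers the operational question behind the change, namely whether another issuance for the same certificate would exceed the five-per-week limit described above and, if it would, when the next request can go through. The five-in-seven-days window is taken from this discussion's account and is an assumption about the exact production policy; the issuance timestamps are constructed sample data mirroring the five reinstalls over three days mentioned here.

```python
from datetime import datetime, timedelta

# Window as described in this discussion (assumption: the exact policy should be
# read from Let's Encrypt's documentation, this mirrors "five times in a week").
LIMIT = 5
WINDOW = timedelta(days=7)

# Constructed sample: five issuances for the same certificate over three
# consecutive days, as in the account above (not real issuance records).
SAMPLE_LOG = [
    "2017-11-01T10:00:00",
    "2017-11-01T16:00:00",
    "2017-11-02T09:00:00",
    "2017-11-02T20:00:00",
    "2017-11-03T11:00:00",
]
SAMPLE_NOW = datetime(2017, 11, 3, 12, 0, 0)


def parse_times(lines):
    """Parse ISO-8601 issuance timestamps, one per line, ignoring blank lines."""
    return sorted(datetime.fromisoformat(line.strip()) for line in lines if line.strip())


def issuances_in_window(issued, now):
    """Issuances that still count against the rolling window ending at `now`.

    The lower bound is exclusive, so an issuance exactly WINDOW ago has aged out.
    """
    return sorted(t for t in issued if now - WINDOW < t <= now)


def can_issue(issued, now):
    """True if one more issuance at `now` stays under the limit."""
    return len(issuances_in_window(issued, now)) < LIMIT


def next_allowed(issued, now):
    """Earliest time a new request fits within the limit (`now` if it already does).

    With at least LIMIT issuances in the window, the count drops below LIMIT
    once the LIMIT-th most recent issuance has aged out of the window.
    """
    recent = issuances_in_window(issued, now)
    if len(recent) < LIMIT:
        return now
    return recent[-LIMIT] + WINDOW


def report(lines, now):
    """Human-readable summary for a list of issuance timestamps."""
    issued = parse_times(lines)
    recent = issuances_in_window(issued, now)
    if can_issue(issued, now):
        return f"{len(recent)} of {LIMIT} issuances used in the last {WINDOW.days} days; a new request is allowed."
    wait = next_allowed(issued, now) - now
    return (f"Limit reached ({len(recent)} issuances in the last {WINDOW.days} days); "
            f"next request allowed at {next_allowed(issued, now).isoformat()} "
            f"(in about {wait.days} days). Use the staging CA for further debugging.")


if __name__ == "__main__":
    print(report(SAMPLE_LOG, SAMPLE_NOW))
```

Running the block with the sample data reports that the limit is reached and gives the time the oldest counted issuance ages out; running it against a real issuance history (for example timestamps taken from the module's certificate directory) before forcing a reissue is the check that would have avoided the lockout described above, and while the limit is in effect the staging CA remains usable for debugging because it is rate-limited separately.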