Describe the bug
As we know, the DST Root CA X3 that was used to cross-sign Let's Encrypt certificates expired on 2021-09-30. While this didn't cause problems for normal browsers, it caused problems with Electron apps. (https://community.letsencrypt.org/t/issues-with-electron-and-expired-root/160991)
While this problem is said to be fixed in updated versions of Electron, I still have to support Electron apps packaged with previous versions of Electron. As described in comment 4 of the issue linked above, I can fix that by manually removing the last certificate in the chains generated in /var/lib/acme/<domain>. But the problem on NixOS seems to be that the file full.pem gets regenerated daily, causing Electron clients to fail connecting to my server again.
So I think the correct solution to get a working certificate chain would be to request a different certificate chain, which can be done with the lego option --preferred-chain. I can set this option for individual domains using the option security.acme.certs.<name>.extraLegoRunFlags, but it seems to me that there is no such option working globally on all domains.
I think an option should be added to pass extraLegoRunFlags to all domains. It might even be helpful to add a dedicated configuration option to set the preferred chain.
Steps To Reproduce
1. Configure a domain on nginx with enableACME set to true.
2. Check the generated certificates: the chain will have the cross-signed ISRG Root X1 as the last certificate.
3. Access the domain with an Electron client; it will fail.
4. Remove the cross-signed ISRG Root X1 at the end of the certificate chain and reload nginx.
5. The Electron client is now able to access the web domain.
Expected behavior
On the one hand, I'd expect lego not to update my chain when the certificate is not renewed. On the other hand, I'd expect to be able to configure the alternate chain without needing to do it domain by domain.
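Added example, not from the original issue or from the nixpkgs ACME module: one way to apply --preferred-chain to every ACME certificate with the options that exist today, by driving both the nginx virtual hosts and the matching security.acme.certs entries from one list with lib.genAttrs instead of repeating the flag domain by domain. The host names, the email address, and the use of security.acme.email (the module's option name at the time of this issue; newer releases moved it under security.acme.defaults) are assumptions.

```nix
{ config, lib, ... }:

let
  # Hosts that get a Let's Encrypt certificate through nginx's enableACME.
  # The names are assumptions for this example.
  acmeHosts = [ "example.com" "www.example.com" ];

  # lego matches this string against the issuer Common Name of the topmost
  # certificate in each chain the CA offers. "ISRG Root X1" therefore selects
  # the short chain (leaf -> R3, R3 issued by ISRG Root X1) and not the default
  # chain that ends with ISRG Root X1 cross-signed by the expired DST Root CA X3.
  preferredChain = "ISRG Root X1";
in
{
  security.acme.acceptTerms = true;
  security.acme.email = "admin@example.com";   # assumption: contact address

  services.nginx.virtualHosts = lib.genAttrs acmeHosts (host: {
    enableACME = true;
    forceSSL = true;
  });

  # enableACME registers a certificate under security.acme.certs.<host>, so the
  # per-certificate option can be set for every host from the same list.
  security.acme.certs = lib.genAttrs acmeHosts (host: {
    extraLegoRunFlags = [ "--preferred-chain" preferredChain ];
  });
}
```

The flag only changes what lego asks for when it issues or renews a certificate; an already-issued full.pem keeps its current chain until the next renewal. Because the short chain is what lego writes out, nothing has to be edited in /var/lib/acme/<domain> afterwards, which is what makes this approach survive the daily regeneration described above.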
This is functionally a duplicate of #138478 in that adding some higher-level "default" options for each of the common options in certs would resolve your request :) I am planning to do this work quite soon, and I will be sure to notify the relevant tickets on the PR.
Wrt what you're attempting to solve for here, full.pem should only be regenerated if fullchain.pem is edited, which in turn should only happen if the certs themselves are changed (which should only be on their renewal interval). Is this bug specific to NixOS or is this actually an upstream/lego thing?
Notify maintainers
@m1cr0man