fungi | i hadn't looked at the backup errors yet | 00:05 |
---|---|---|
fungi | and we could probably upgrade its-base independent of gerrit | 00:05 |
fungi | though also, storyboard task updating is still working as intended, even in the current state. i guess we just get errors too | 00:06 |
clarkb | fungi: we can update its-base. We select the version to use in our build job definitions | 00:06 |
fungi | right, i meant we could just do that | 00:10 |
fungi | and it would probably be compatible | 00:10 |
*** dviroel is now known as dviroel|out | 00:15 | |
opendevreview | Ian Wienand proposed opendev/system-config master: [wip] export ptgbot web https://review.opendev.org/c/opendev/system-config/+/812419 | 02:13 |
opendevreview | Ian Wienand proposed opendev/zone-opendev.org master: Add CNAME for ptgbot.opendev.org https://review.opendev.org/c/opendev/zone-opendev.org/+/804790 | 02:54 |
opendevreview | Merged opendev/zone-opendev.org master: Add CNAME for ptgbot.opendev.org https://review.opendev.org/c/opendev/zone-opendev.org/+/804790 | 03:02 |
opendevreview | Ian Wienand proposed opendev/system-config master: Setting Up Ansible For ptgbot https://review.opendev.org/c/opendev/system-config/+/803190 | 03:07 |
opendevreview | Ian Wienand proposed opendev/system-config master: [wip] export ptgbot web https://review.opendev.org/c/opendev/system-config/+/812419 | 03:07 |
opendevreview | Ian Wienand proposed opendev/system-config master: [wip] export ptgbot web https://review.opendev.org/c/opendev/system-config/+/812419 | 03:48 |
opendevreview | Ian Wienand proposed opendev/system-config master: Setup Letsencrypt for ptgbot site https://review.opendev.org/c/opendev/system-config/+/804791 | 05:05 |
opendevreview | Ian Wienand proposed opendev/system-config master: [wip] export ptgbot web https://review.opendev.org/c/opendev/system-config/+/812419 | 05:05 |
*** ykarel|away is now known as ykarel | 05:18 | |
*** ysandeep|out is now known as ysandeep | 05:37 | |
opendevreview | Ian Wienand proposed opendev/system-config master: Setting Up Ansible For ptgbot https://review.opendev.org/c/opendev/system-config/+/803190 | 06:08 |
opendevreview | Ian Wienand proposed opendev/system-config master: Setup Letsencrypt for ptgbot site https://review.opendev.org/c/opendev/system-config/+/804791 | 06:08 |
opendevreview | Ian Wienand proposed opendev/system-config master: [wip] export ptgbot web https://review.opendev.org/c/opendev/system-config/+/812419 | 06:08 |
opendevreview | Ian Wienand proposed opendev/system-config master: Setup Letsencrypt for ptgbot site https://review.opendev.org/c/opendev/system-config/+/804791 | 06:10 |
opendevreview | Ian Wienand proposed opendev/system-config master: Setting Up Ansible For ptgbot https://review.opendev.org/c/opendev/system-config/+/803190 | 06:10 |
opendevreview | Ian Wienand proposed opendev/system-config master: ptgbot: setup web interface https://review.opendev.org/c/opendev/system-config/+/812419 | 06:10 |
opendevreview | yatin proposed openstack/diskimage-builder master: Drop lower version requirement for networkx https://review.opendev.org/c/openstack/diskimage-builder/+/812453 | 07:26 |
*** jpena|off is now known as jpena | 07:33 | |
ianw | fungi: ^ i think that's ready to go, but the gate is unhappy with letsencrypt | 07:54 |
ianw | https://zuul.opendev.org/t/openstack/build/8b9b9c00fe5646d2bd51258d6c05d1c8/log/review02.opendev.org/acme.sh/acme.sh.log | 07:54 |
ianw | "type": "urn:ietf:params:acme:error:serverInternal", | 07:54 |
ianw | "detail": "Error creating new order", | 07:54 |
ianw | "status": 500 | 07:54 |
ianw | is pretty much the error that's hitting lots of jobs that use LE | 07:55 |
*** ykarel is now known as ykarel|lunch | 08:18 | |
*** ysandeep is now known as ysandeep|lunch | 09:00 | |
*** ysandeep|lunch is now known as ysandeep | 09:48 | |
*** ykarel|lunch is now known as ykarel | 10:24 | |
*** jpena is now known as jpena|lunch | 11:24 | |
*** dviroel|out is now known as dviroel | 12:07 | |
opendevreview | daniel.pawlik proposed zuul/zuul-jobs master: DNM https://review.opendev.org/c/zuul/zuul-jobs/+/807031 | 12:13 |
*** jpena|lunch is now known as jpena | 12:22 | |
*** ysandeep is now known as ysandeep|afk | 12:34 | |
fungi | ianw: yeah, i saw one of those 500 errors yesterday from the test api, i guess it's gotten worse today | 12:38 |
*** artom_ is now known as artom | 13:18 | |
*** ysandeep|afk is now known as ysandeep | 13:26 | |
*** dpawlik2 is now known as dpawlik | 13:31 | |
fungi | ianw: and it's still failing... i wonder if it's time we considered deploying pebble in our jobs: https://letsencrypt.org/docs/staging-environment/#continuous-integration-development-testing | 13:51 |
fungi | looks like letsencrypt provides images and a docker-compose file | 13:53 |
*** artom_ is now known as artom | 13:55 | |
fungi | acme.sh readme mentions support for "Pebble strict Mode" as a cs | 14:00 |
fungi | ca | 14:00 |
Clark[m] | In the past LE has been good about fixing the staging env. I agree if that doesn't happen then running our own seems reasonable. We could add it to bridge in the test jobs to avoid adding a node | 14:01 |
*** ykarel is now known as ykarel|away | 14:03 | |
fungi | docs indicate acme.sh will take full api urls in its --server parameter, not just the short aliases, so we could run pebble on a high-numbered port on the loopback and just point acme.sh at that | 14:06 |
clarkb | looks like fungi already rechecked the change having LE trouble. I can sip tea and wait for my meeting then :) | 14:51 |
fungi | yeah, would like to get ptgbot up and running some time today if le cooperates | 14:54 |
zigo | clarkb: https://salsa.debian.org/python-team/packages/simplejson/-/commit/320ef98575debcbc056768e19e37fdc2a583b623 | 14:57 |
zigo | Hopefully, p1otr will upload it soonish ... | 14:57 |
zigo | Though IMO very little hope for having this corrected in already released suites ... | 14:58 |
clarkb | zigo: yes, that is why when this first came up ~3 years ago we brought it up knowing it would really only get fixed in newer releases :) | 14:58 |
clarkb | thank you for the update on simplejson | 14:58 |
clarkb | I wish that the pypa crowd had done a better job with coordinating with packagers too. It seems that latest pip on addressing some of these issues is their recognition they needed to do that | 15:00 |
clarkb | but a bit late for those of us caught in the middle | 15:00 |
*** dtantsur_ is now known as dtantsur | 15:10 | |
clarkb | fungi: https://zuul.opendev.org/t/openstack/build/61c56144d5d648ac8aa8020995f7da3f/log/static01.opendev.org/acme.sh/acme.sh.log#557-561 I think we hit the issue again. I do wonder if we need to run the static job on that update? | 15:30 |
clarkb | That host has a ton of certs and I bet our chances of success go up by not running it | 15:30 |
fungi | i think it's run because we have to update the handlers list every time we add a new site | 15:33 |
fungi | but yeah maybe we could pick a less intensive job to exercise that | 15:34 |
clarkb | ah ya that is probably the reason | 15:34 |
clarkb | fungi: I wonder if we can split up the handlers into multiple files then run only when we update the handler for the specific service | 15:35 |
clarkb | instead of handlers/main.yaml have a handlers/static.yaml and so on (but I'm not sure how to make ansible see all of those) | 15:35 |
fungi | maybe it just sees any .yaml file in that directory? | 15:36 |
fungi | like, automagically? | 15:36 |
clarkb | but if we can make that work maybe we can have a handlers/main.yaml and a handlers/eavesdrop.yaml to start | 15:36 |
clarkb | fungi: maybe? | 15:36 |
clarkb | "Handler names and listen topics live in a global namespace." <- that implies ya it may be that easy | 15:37 |
fungi | i can try splitting it out in that change once the call i'm on wraps up | 15:37 |
clarkb | ++ | 15:37 |
opendevreview | Jeremy Stanley proposed opendev/system-config master: Setup Letsencrypt for ptgbot site https://review.opendev.org/c/opendev/system-config/+/804791 | 16:00 |
opendevreview | Jeremy Stanley proposed opendev/system-config master: Setting Up Ansible For ptgbot https://review.opendev.org/c/opendev/system-config/+/803190 | 16:00 |
fungi | clarkb: diablo_rojo__: ^ | 16:00 |
fungi | and zuul has correctly not added a system-config-run-static build this time | 16:03 |
fungi | also one thing i wondered about, reading up on pebble, it apparently by default rejects some percentage of negotiated nonces in order to confirm that clients properly retry... i wonder if their staging api does the same and acme.sh is choking on that? | 16:04 |
clarkb | oh interesting | 16:12 |
clarkb | currently we don't fail on the acme.sh run and the job continues until it tries to start apache which does fail | 16:12 |
clarkb | but maybe we should check the results properly and retry a few times | 16:12 |
clarkb | fungi: I think the trick there is capturing acme.sh return codes in our fancy driver.sh | 16:13 |
fungi | https://github.com/letsencrypt/pebble#invalid-anti-replay-nonce-errors | 16:17 |
clarkb | I've got an update to the driver.sh and ansible to try retries in the works | 16:21 |
fungi | looks like acme.sh does retry those: https://github.com/acmesh-official/acme.sh/blob/master/acme.sh#L2197-L2202 | 16:23 |
fungi | also more generally, if you look for the word "retry" you'll find the script is littered with a variety of aggressive retries, so retrying in our driver may not make any difference | 16:24 |
clarkb | ah ok. I guess that makes sense since acme tries to do it all | 16:24 |
clarkb | and ya I agree we shouldn't double up the retries as we'll just send more traffic to an already potentially sad system | 16:25 |
yuriys | clarkb: fungi: This week I am planning to deploy some placement/nova-scheduler config updates, as well as add a few beefy boys (hardware nodes) to your inmotion cloud. Will need to set to 0 workers for the process. Is there a preferred day/time and do you guys want to do a meets like last time (I'm thinking Fridayish) | 16:29 |
clarkb | yuriys: The biggest thing is to avoid the openstack release which is happening between now and 1500UTC tomorrow (or about 23 hours from now) | 16:30 |
clarkb | yuriys: I would say once that is done you can just go for it. Also it might be easiest to modify the quota of max instances to 0 for that work since it should be over quickly | 16:30 |
*** ysandeep is now known as ysandeep|dinner | 16:30 | |
yuriys | Sounds good. | 16:30 |
*** jpena is now known as jpena|off | 16:32 | |
fungi | clarkb: looks like ~2 weeks ago, the system-config-run-base-ansible-devel job broke, and the error seems to be that ubuntu-bionic's default python3 is too old for it. any ideas how we should approach that? work on upgrading/replacing bridge.o.o? switch to using a non-default python3 on it? something else? | 16:35 |
fungi | ERROR: Package 'ansible-core' requires a different Python: 3.6.9 not in '>=3.8' | 16:35 |
clarkb | fungi: maybe update that job to run on focal giving us info about whether or not we can upgrade bridge to focal and update ansible there. But not necessarily intend on doing that immediately | 16:36 |
fungi | worth testing, yep | 16:36 |
fungi | i'll push that up now | 16:36 |
clarkb | The idea behind that job was to be forward looking and catch future issues. It has done that here and the fix is apparently to update to focal and then we can find the next issue :) | 16:36 |
clarkb | It is really interesting to me that ansible has decided to stop supporting rhel 8? | 16:40 |
clarkb | or maybe they use some other python installation on that platform? | 16:40 |
opendevreview | Jeremy Stanley proposed opendev/system-config master: Test ansible-devel with an ubuntu-focal bridge.o.o https://review.opendev.org/c/opendev/system-config/+/812527 | 16:42 |
clarkb | fungi: looks like the eavesdrop job failed on that change but it didn't run acme.sh at all? or at least we didn't collect acme.sh logs | 16:42 |
fungi | clarkb: i think you can install newer python on rhel 8 | 16:42 |
fungi | ERROR! the playbook: playbooks/roles/letsencrypt-create-certs/handlers/eavesdrop.yaml could not be found | 16:44 |
fungi | yeah that's strange | 16:44 |
clarkb | https://docs.ansible.com/ansible/latest/user_guide/playbooks_reuse_roles.html hrm handlers/main.yaml might be more special than we were hoping :/ | 16:47 |
clarkb | I think to make this work we would have to have main.yaml include all the handlers from the other files | 16:48 |
clarkb | but then we are largely back where we started so it doesn't help as much | 16:48 |
clarkb | arg I guess our best option is to go back to the old setup. We could maybe drop static triggering on updates to that file temporarily but it is probably correct to keep it generally triggering? | 16:50 |
opendevreview | Jeremy Stanley proposed opendev/system-config master: Setting Up Ansible For ptgbot https://review.opendev.org/c/opendev/system-config/+/803190 | 16:54 |
opendevreview | Jeremy Stanley proposed opendev/system-config master: Setup Letsencrypt for ptgbot site https://review.opendev.org/c/opendev/system-config/+/804791 | 16:55 |
opendevreview | Jeremy Stanley proposed opendev/system-config master: Setting Up Ansible For ptgbot https://review.opendev.org/c/opendev/system-config/+/803190 | 16:55 |
fungi | apparently if you roll back a parent change to a previous patchset, git-review only ends up pushing the child changes because the commit id for the rolled-back revision is already in gerrit even though it's non-current | 16:56 |
clarkb | crazy idea: we could stop relying on ansible handlers and instead have specific tasks in the service roles that check certificate file age and restart based on some accounting of that | 16:56 |
clarkb | that completely does an end around ansible's tool for handling this, but it seems like we constantly fight that tool ... | 16:57 |
fungi | apparently airship's rtd builds are broken because of https://github.com/readthedocs/readthedocs.org/issues/8555 (letsencrypt root cert situation) | 16:59 |
*** ysandeep|dinner is now known as ysandeep | 17:33 | |
fungi | this time system-config-run-static succeeded but system-config-run-mirror-x86 broke on cert issuing | 18:04 |
fungi | and system-config-run-review-3.2 as well, same root cause | 18:06 |
fungi | urn:ietf:params:acme:error:serverInternal | 18:07 |
fungi | https://letsencrypt.status.io/ says everything's fine nothing to see here | 18:11 |
fungi | failures are happening across iweb, rax, and ovh, so it's not provider-specific at least | 18:16 |
clarkb | https://letsencrypt.status.io/pages/55957a99e800baa4470002da doesn't report issues | 18:18 |
clarkb | acme-staging.api.letsencrypt.org is marked deprecated. Any chance we're using an old staging api that isn't getting the same level of attention? | 18:19 |
fungi | it'll be whatever --staging gets routed to in acme.sh | 18:21 |
clarkb | https://github.com/acmesh-official/acme.sh/blob/master/acme.sh#L26 seems to be the newer v2 api | 18:30 |
clarkb | woo I think I figured out my DAC issues. It is a usb power problem? I can get it to work if I plug in the aux usb power port. But only with the A to C on the aux and C to C on the data port | 18:39 |
clarkb | I'm guessing linux has been doing updates to power control over usb | 18:40 |
*** ysandeep is now known as ysandeep|out | 19:20 | |
clarkb | ianw: fungi https://etherpad.opendev.org/p/gerrit-3.3-upgrade-prep has notes on the tested gerrit 3.3 -> 3.2 revert process | 19:57 |
clarkb | I need to eat lunch then I'll start working on the various things I need to review like changes and then work on drafting up that email announcing stuff | 20:01 |
opendevreview | Ian Wienand proposed opendev/system-config master: [wip] letsencrypt : don't hit staging in the gate https://review.opendev.org/c/opendev/system-config/+/812610 | 20:37 |
clarkb | ianw: what time were you thinking for the gerrit upgrade monday? fungi pencilled in 20:00-22:00 UTC in the newsletter entry we are putting together. Is that too early for you? I think that is very early | 20:41 |
fungi | i was guessing | 20:44 |
fungi | happy to move it later | 20:44 |
clarkb | fungi: ianw: https://etherpad.opendev.org/p/J6WEMSZvaklcW_YCQujI how does that look for announcing things? I shifted the time an hour later as I expect 8am is much better than 7am? | 20:51 |
clarkb | fungi: also does that time work for renaming? I listed it as 15:00-16:00UTC | 20:52 |
clarkb | ianw: feel free to update the etherpad with the time range you were considering | 20:52 |
clarkb | fungi: oh I see you listed 1800-1900 UTC on the 15th for renames. That works better for me if it works better for you :) | 20:53 |
clarkb | I'll update the announcement email to match 1800 - 1900 UTC | 20:53 |
*** dviroel is now known as dviroel|out | 20:55 | |
fungi | yeah, i figured something west-coast friendly for the renames would be better | 21:00 |
clarkb | I do have to go do a school run in a few minutes. If ya'll happen to sort out timing for the 10th prior to me getting back feel free to send the email or I'll send it when I get back | 21:01 |
fungi | should the announcement say to reach out to us about other renames? | 21:01 |
clarkb | oh good idea as we want to ensure we are aware of the requests | 21:01 |
clarkb | fungi: how does that edit look | 21:01 |
fungi | lgtm | 21:02 |
clarkb | ianw: left a comment on https://review.opendev.org/c/opendev/system-config/+/812610 | 21:14 |
ianw | sorry, breakfast, back now :) | 21:15 |
clarkb | no worries I have to pop out in ~3 minutes :) | 21:16 |
ianw | announcement looks good, thanks | 21:16 |
clarkb | ianw: those times are good then? | 21:16 |
clarkb | I've got to be out the door in 3 minutes but can send the email when I get back if no one does it for me :) | 21:16 |
ianw | yep, that time is fine, gives a bit more overlap | 21:18 |
ianw | clarkb: iirc the issue is it's like "-d domain.com -d alias.com" "-d domain2.com -d alias2.com" ... i think. i know it's a weird quoting situation | 21:20 |
ianw | i will make it clearer | 21:22 |
clarkb | email sent | 21:57 |
fungi | thanks! | 22:09 |
clarkb | ianw: your zuul playbook detector change had me very confused for a bit. I was wondering how did this change get such a low change number. Then it hit me. 2020 not 2021. sorry I haven't reviewed this sooner :/ | 22:14 |
ianw | np :) | 22:18 |
ianw | the letsencrypt local only change is making what looks like a good list of TXT keys | 22:19 |
ianw | https://41620a559c5090d887c6-f99336677cbcb935a72dddbf18215860.ssl.cf5.rackcdn.com/812610/1/check/system-config-run-letsencrypt/5f1260f/bridge.openstack.org/ara-report/results/461.html#ansible_facts_2 | 22:19 |
ianw | but somehow one of them is missing in the dns zone when it looks | 22:19 |
ianw | https://41620a559c5090d887c6-f99336677cbcb935a72dddbf18215860.ssl.cf5.rackcdn.com/812610/1/check/system-config-run-letsencrypt/5f1260f/bridge.openstack.org/test-results.html | 22:19 |
opendevreview | Ian Wienand proposed opendev/system-config master: [wip] letsencrypt : don't hit staging in the gate https://review.opendev.org/c/opendev/system-config/+/812610 | 22:30 |
clarkb | infra-root I will abandon https://review.opendev.org/c/opendev/system-config/+/811749 since we haven't seen any need for this different less old android friendly chain | 22:44 |
clarkb | fungi: maybe you can review https://review.opendev.org/c/opendev/system-config/+/809269 and https://review.opendev.org/c/opendev/system-config/+/809286 then tomorrow after openstack release things we can plan to land both. The giteas will automatically restart, but we'll have to plan a gerrit restart for that image | 22:46 |
opendevreview | Ian Wienand proposed opendev/system-config master: [wip] letsencrypt : don't hit staging in the gate https://review.opendev.org/c/opendev/system-config/+/812610 | 22:51 |
clarkb | ianw: I left some notes on https://review.opendev.org/c/opendev/system-config/+/807672 | 23:00 |
clarkb | any idea what the inconsistency for wiki backups was? Doesn't seem to have persisted | 23:05 |
clarkb | infra-root I'm doing some spring cleaning in my change list and noticed https://review.opendev.org/c/opendev/system-config/+/791832 never got reviews. We don't make new instances often but addressing that might be a good thing | 23:11 |
clarkb | also it's a bit dark magic for me why that works | 23:11 |
ianw | clarkb: thanks, will rework | 23:16 |
ianw | i didn't get a chance to look at wiki | 23:16 |
clarkb | weird, it seems happier now. | 23:17 |
ianw | every log there has 'rc 0' | 23:18 |
ianw | ohhh, actually that's from the weekly consistency checker | 23:19 |
clarkb | aha | 23:20 |
clarkb | that would explain why it hasn't complained today | 23:20 |
ianw | https://opendev.org/opendev/system-config/src/branch/master/playbooks/roles/borg-backup-server/files/verify-borg-backups.sh this one | 23:20 |
ianw | Sun Oct 3 05:32:37 UTC 2021 Verifying /opt/backups/borg-wiki-update-test/backup ... | 23:21 |
ianw | Failed to create/acquire the lock /opt/backups/borg-wiki-update-test/backup/lock.exclusive (timeout). | 23:21 |
clarkb | oooh a side effect of making the backup times more random? | 23:22 |
ianw | that's ... good. at least it hasn't found corruption | 23:22 |
clarkb | hrm no because wiki doesn't ansible so that changed times wouldn't have affected it | 23:22 |
clarkb | also I can't type | 23:22 |
ianw | it still could be a conflict, though | 23:23 |
clarkb | ya | 23:23 |
ianw | was it running at 05:32 | 23:24 |
ianw | Sun Oct 3 05:30:01 UTC 2021 Starting backup | 23:24 |
ianw | the answer would be yes | 23:24 |
ianw | seriously, talk about murphy's law. of all the backups, chance of these two overlapping ... | 23:25 |
ianw | ahh, borg has a "with-lock" command. maybe we want that? | 23:27 |
ianw | hrm, no, that's more if you want to run rsync or something on the underlying data | 23:28 |
clarkb | https://borgbackup.readthedocs.io/en/stable/usage/lock.html#id3 ya it says you should use it carefully and only to break locks | 23:28 |
clarkb | oh wait I'm a derop | 23:29 |
ianw | yeah that's "break-lock" (the page is a bit confusing) | 23:29 |
clarkb | they have two commands on the same change | 23:29 |
clarkb | s/change/page/ | 23:29 |
clarkb | ya I think with-lock is so that you can run things outside of borgs command set while holding the lock | 23:30 |
clarkb | rsync as you mention for example | 23:30 |
ianw | looks like there is a "--lock-wait" | 23:30 |
clarkb | putting that on the consistency checker seems reasonable | 23:31 |
clarkb | then it can wait until backups complete | 23:31 |
opendevreview | Ian Wienand proposed opendev/system-config master: borg-backup-server: wait for lock in verify https://review.opendev.org/c/opendev/system-config/+/812622 | 23:35 |
ianw | ok, still confused on this LE change | 23:38 |
ianw | the zone file has 6 entries | 23:38 |
ianw | https://2f1faac4f8989a5ecd02-da3f8077deb18415bd477eebc664cf39.ssl.cf2.rackcdn.com/812610/3/check/system-config-run-letsencrypt/f64d834/bridge.openstack.org/ara-report/results/464.html#msg | 23:38 |
ianw | the "dig -t txt" we do in testinfra sees 5 | 23:39 |
ianw | https://2f1faac4f8989a5ecd02-da3f8077deb18415bd477eebc664cf39.ssl.cf2.rackcdn.com/812610/3/check/system-config-run-letsencrypt/f64d834/bridge.openstack.org/test-results.html | 23:39 |
clarkb | and we don't update the zone file once for each record instead we do a single update with all the info iirc | 23:40 |
clarkb | is it doing a round robin? if you request again you get a different set of 5? | 23:40 |
clarkb | not sure if TXT records and A records differ in their behavior there | 23:41 |
ianw | ooohhh, i might have caused a hash collision | 23:41 |
clarkb | oh yes I see it | 23:41 |
clarkb | ZsudD | 23:41 |
ianw | i'm generating the TXT record as a sha256 of the hostname | 23:41 |
ianw | doh | 23:41 |
clarkb | ianw: what if you just do a /dev/urandom string sent through tr so that it is alphanum | 23:42 |
clarkb | or filter out !alphanum | 23:42 |
ianw | yeah, it's specified as the base64url encoding of a sha256 sum. i'll just do some entropy on the input. | 23:42 |
ianw | i mean the TXT record is specified as ... | 23:43 |
clarkb | oh that is how the acme protocol generates them? | 23:43 |
clarkb | I figured there was a bit more shared secret involved. But maybe they salt them | 23:44 |
ianw | oh, it's a sha256 of magic including a jwt that's then used as a check; so yeah the protocol has entropy. i was just trying to make an output that was similar | 23:45 |
opendevreview | Ian Wienand proposed opendev/system-config master: [wip] letsencrypt : don't hit staging in the gate https://review.opendev.org/c/opendev/system-config/+/812610 | 23:48 |