Merge pull request flyingcircusio#1151 from flyingcircusio/PL-133125-…

…ssl-cert-check-timeout PL-133125 acme: increase certificate check timeouts
flyingcircusio · Nov 7, 2024 · 50f1249 · 50f1249
2 parents 4113e66 + e540ef0
commit 50f1249
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 1 deletion.
diff --git a/changelog.d/20241106_115939_PL-133125-ssl-cert-check-timeout_scriv.md b/changelog.d/20241106_115939_PL-133125-ssl-cert-check-timeout_scriv.md
@@ -0,0 +1,18 @@
+<!--
+
+A new changelog entry.
+
+Delete placeholder items that do not apply. Empty sections will be removed
+automatically during release.
+
+Leave the XX.XX as is: this is a placeholder and will be automatically filled
+correctly during the release and helps when backporting over multiple platform
+branches.
+
+-->
+
+
+### NixOS XX.XX platform
+
+- Increase SSL validation check timeout to better distinguish DNS resolution
+  errors and other causes of timeouts. (PL-133125)
diff --git a/nixos/platform/acme.nix b/nixos/platform/acme.nix
@@ -9,7 +9,11 @@ in
     lib.listToAttrs
       (map (n: lib.nameValuePair "ssl_cert_acme_${n}" {
         notification = "ACME (Letsencrypt) certificate for ${n} is invalid or will expire soon";
-        command = "check_http -p 443 -S --sni -C 25,14 -H ${n}";
+        # We're using a timeout of 15 seconds because 10 seconds is the timeout
+        # that will trigger if DNS issues occur and giving the check a higher
+        # timeout allows us to see those. Otherwise they get hidden behind
+        # a generic timeout message.
+        command = "check_http -p 443 -S --sni -C 25,14 -H ${n} -t 15";
         interval = 600;
       })
       (lib.attrNames config.security.acme.certs));