Merge pull request flyingcircusio#1151 from flyingcircusio/PL-133125-ssl-cert-check-timeout

PL-133125 acme: increase certificate check timeouts

Author: osnyx

changelog.d/20241106_115939_PL-133125-ssl-cert-check-timeout_scriv.md

@@ -0,0 +1,18 @@
+<!--
+
+A new changelog entry.
+
+Delete placeholder items that do not apply. Empty sections will be removed
+automatically during release.
+
+Leave the XX.XX as is: this is a placeholder and will be automatically filled
+correctly during the release and helps when backporting over multiple platform
+branches.
+
+-->
+
+
+### NixOS XX.XX platform
+
+- Increase SSL validation check timeout to better distinguish DNS resolution
+  errors and other causes of timeouts. (PL-133125)

nixos/platform/acme.nix

@@ -9,7 +9,11 @@ in
     lib.listToAttrs
       (map (n: lib.nameValuePair "ssl_cert_acme_${n}" {
         notification = "ACME (Letsencrypt) certificate for ${n} is invalid or will expire soon";
-        command = "check_http -p 443 -S --sni -C 25,14 -H ${n}";
+        # We're using a timeout of 15 seconds because 10 seconds is the timeout
+        # that will trigger if DNS issues occur and giving the check a higher
+        # timeout allows us to see those. Otherwise they get hidden behind
+        # a generic timeout message.
+        command = "check_http -p 443 -S --sni -C 25,14 -H ${n} -t 15";
         interval = 600;
       })
       (lib.attrNames config.security.acme.certs));