From e540ef02d508944fcf245b845959db7a5d88e0f1 Mon Sep 17 00:00:00 2001
From: Christian Theune
Date: Wed, 6 Nov 2024 11:47:30 +0100
Subject: [PATCH] acme: increase certificate check timeouts

This helps to better distinguish between DNS issues and other timeouts.
---
 ...9_PL-133125-ssl-cert-check-timeout_scriv.md | 18 ++++++++++++++++++
 nixos/platform/acme.nix | 6 +++++-
 2 files changed, 23 insertions(+), 1 deletion(-)
 create mode 100644 changelog.d/20241106_115939_PL-133125-ssl-cert-check-timeout_scriv.md
diff --git a/changelog.d/20241106_115939_PL-133125-ssl-cert-check-timeout_scriv.md b/changelog.d/20241106_115939_PL-133125-ssl-cert-check-timeout_scriv.md
new file mode 100644
index 000000000..5b45c461d
--- /dev/null
+++ b/changelog.d/20241106_115939_PL-133125-ssl-cert-check-timeout_scriv.md
@@ -0,0 +1,18 @@
+
+
+
+### NixOS XX.XX platform
+
+- Increase SSL validation check timeout to better distinguish DNS resolution
+ errors and other causes of timeouts. (PL-133125)
diff --git a/nixos/platform/acme.nix b/nixos/platform/acme.nix
index 589418e38..6c864d37c 100644
--- a/nixos/platform/acme.nix
+++ b/nixos/platform/acme.nix
@@ -9,7 +9,11 @@ in
 lib.listToAttrs (map (n: lib.nameValuePair "ssl_cert_acme_${n}" {
 notification = "ACME (Letsencrypt) certificate for ${n} is invalid or will expire soon";
- command = "check_http -p 443 -S --sni -C 25,14 -H ${n}";
+ # We're using a timeout of 15 seconds because 10 seconds is the timeout
+ # that will trigger if DNS issues occur and giving the check a higher
+ # timeout allows us to see those. Otherwise they get hidden behind
+ # a generic timeout message.
+ command = "check_http -p 443 -S --sni -C 25,14 -H ${n} -t 15";
 interval = 600;
 }) (lib.attrNames config.security.acme.certs));
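Review bot: The new comment above `command` states that "10 seconds is the timeout that will trigger if DNS issues occur" without saying where that figure comes from, so a reader cannot judge whether `-t 15` keeps a real margin or just happens to be larger today. Presumably the 10 s is check_http's own default `-t` coinciding with the glibc resolver's default give-up time (timeout:5 × attempts:2); if the resolver options on these hosts are ever changed, the margin disappears silently and DNS failures are again reported as a generic timeout. I would reword the comment to name both sources and the dependency, e.g. `# check_http's default -t is 10 s, the same as the glibc resolver's default give-up time` / `# (timeout:5 x attempts:2), so DNS failures used to be masked by a generic timeout;` / `# 15 s keeps -t above the resolver limit so the DNS error itself surfaces.` The `let` binding this expression belongs to starts before the hunk.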