kentonv changed the topic of #sandstorm to: Welcome to #sandstorm: home of all things sandstorm.io. Say hi! | Have a question but no one is here? Try asking in the discussion group: https://groups.google.com/group/sandstorm-dev
xet7 has quit [Quit: Leaving]
xet7 has joined #sandstorm
<xet7> It seems that Wekan was on Hacker News 15 days ago https://news.ycombinator.com/item?id=22885864
<xet7> I did not notice it before
frigginglorious has quit [Ping timeout: 246 seconds]
frigginglorious has joined #sandstorm
frigginglorious has quit [Ping timeout: 260 seconds]
_whitelogger has joined #sandstorm
pie_[bnc] is now known as pie_
<JacobWeisz[m]> Looks like we're up to 8 test failures now.
<isd> Probably because of @zarvox's PR being merged -- I don't think that one was ready.
<JacobWeisz[m]> Yeah, I traced it back to that one.
<JacobWeisz[m]> Probably should've pulled that label off of it...
<isd> oops.
<isd> ...it's always kinda fun to wake up on a Saturday and see a giant wave of PRs merged though.
<JacobWeisz[m]> It is!
<kentonv> um should I revert something?
<JacobWeisz[m]> Yeah probably
<kentonv> which one?
<JacobWeisz[m]> Yeah
<JacobWeisz[m]> Let's see if we get back to the usual four now.
<isd> Given that the point of the patch was to make the tests less flaky...
<kentonv> yeah so I had skimmed the discussion on that thread but it wasn't obvious to me that people were saying the PR itself had introduced new failures, vs. speculating about how to fix more things after that PR
<isd> It happens.
<kentonv> turns out monkey-patching out the acme.js phone-home was easy...
<kentonv> import Maintainers from "@root/acme/maintainers.js";
<kentonv> Maintainers.init = () => {};
<kentonv> JavaScript...
<isd> yay?
<kentonv> release is out. If you want your sandcats server to use Let's Encrypt, currently you still have to go create your ACME account in the new TLS settings
<kentonv> I think I'll hold off on a blog post until we've done a little testing. Maybe I'll announce it when we actually cut over all of sandcats.
<JacobWeisz[m]> Cool
<JacobWeisz[m]> Also cool is 0.263 should do better on Qualys' test! :D
<kentonv> Yep, got an A
<JacobWeisz[m]> Ian, how do you feel about me merging #3158 and #3164 on the "probably better than what we have" concept, and the fact that reverse proxy configs aren't going to be our main strategy going forwards anyhow?
<JacobWeisz[m]> They do things like disabling TLS 1.0 and 1.1 and updating the ciphers presumably at least better than what we have in Docs now.
digitalcircuit has quit [Quit: Signing off from Quassel - see ya!]
digitalcircuit has joined #sandstorm
<isd> SGTM
<JacobWeisz[m]> I sent a quick PR for the FAQ re Let's Encrypt. The actual SSL doc page needs much more work.
<JacobWeisz[m]> I'd like to see the sniproxy guide PR taken over and finished since right now we just have a dead link to a Sandstorm shared grain for that.
<xet7> JacobWeisz[m]: I have somewhere some email about an HAProxy config with many SSL servers like Sandstorm and others behind it on the same server. Should I try to find that email and add a pull request somewhere?
<JacobWeisz[m]> Only if you'd be confident enough in the instructions and their workability that you'd want to write docs for it.
<xet7> It's been a long time since I got that email. I'm not familiar with haproxy, I have only used it many years ago, so I think I'm not confident enough. Most likely it's a PoC that kind of works.
<xet7> And with all these changes to how Let's Encrypt etc. works, I don't know whether that would work anymore.
<isd> I think sniproxy is probably the right thing to recommend here; setup is pretty simple iirc and most folks aren't going to need the high-availability stuff that haproxy does.
<xet7> Ok thanks!
<JacobWeisz[m]> Presumably if someone does it in the future perhaps they will write docs for it. And if that doesn't happen it probably wasn't that needed.
<kentonv> we should add a `sandstorm tls-keys <keyfile> <certfile>` command that directly injects the key/cert into the database. Would help when you can't convince your browser to accept an invalid cert to get to the web UI, and would also be convenient for scripting e.g. if you want to use certbot.
<kentonv> man I'm so relieved not to have the impending sandcats globalsign contract expiration hanging over me, can finally spend a few weekends just playing videogames and not feel bad about it
<JacobWeisz[m]> Seems sensible and helpful. Let's open an issue for now?
<kentonv> I'll write one
<JacobWeisz[m]> And thanks for all your work on this project, it'll also make life a lot easier for non-Sandcats users too.
<JacobWeisz[m]> I know the code was not exciting, but the benefits are!