[09:21:53] <wikibugs>	 10HTTPS, 10Traffic, 10Operations: WMF servers support ESNI? - https://phabricator.wikimedia.org/T205378 (10MoritzMuehlenhoff) p:05Triage>03Normal
[10:22:43] <wikibugs>	 10HTTPS, 10Traffic, 10Operations, 10Upstream: Enable ESNI support on Wikimedia servers - https://phabricator.wikimedia.org/T205378 (10Krenair)
[10:52:27] <wikibugs>	 10netops, 10Operations: Enable cumin1001 in router ACLs - https://phabricator.wikimedia.org/T205513 (10MoritzMuehlenhoff) Works like a charm!
[13:06:23] <Krenair>	 vgutierrez, about?
[13:07:35] <vgutierrez>	 yup
[13:08:23] <Krenair>	 I held back on https://gerrit.wikimedia.org/r/#/c/operations/software/certcentral/+/458939/ despite the CR+1 because of your comment
[13:08:39] <Krenair>	 where do you think we should document the 0 byte PEM files?
[13:09:16] <vgutierrez>	 maybe in the README? at least till we have more extensive documentation in wikitech
[13:09:33] <vgutierrez>	 or even as a comment in the code
[13:09:56] <vgutierrez>	 but I think the README should be better.. cause it's a behaviour that could affect the users
[13:10:29] <Krenair>	 hm
[13:10:31] <Krenair>	 ok
[13:11:09] <vgutierrez>	 and I don't expect for every user to read the source code looking for caveats
[13:12:09] <Krenair>	 yes
[13:13:11] <vgutierrez>	 and IMHO in a non so far away future we should deliver some documentation in wikitech
[13:13:39] <vgutierrez>	 (even if I'm not the biggest fan of writing documentation)
[13:13:43] <paravoid>	 +1 :)
[13:14:02] <vgutierrez>	 hahaha, noted paravoid!
[13:15:58] <Krenair>	 vgutierrez, 
[13:16:03] <Krenair>	 +One thing to note is that there are two stages when certcentral is outputting certificates: the
[13:16:03] <Krenair>	 +initial, self-signed certificate, and the publicly trusted one issued through ACME. The initial
[13:16:03] <Krenair>	 +stage is done to help with cases where web servers need a dummy certificate to start up, which
[13:16:03] <Krenair>	 +may be required in order to *get* the publicly-trusted certificates at all (thus resolving a
[13:16:04] <Krenair>	 +chicken-and-egg problem). A side-effect of this is zero-byte PEM files for the chain, which
[13:16:05] <Krenair>	 +for self-signed certificates is empty.
[13:16:06] <Krenair>	 how's this?
[13:16:45] <Krenair>	 maybe the ACME one isn't necessarily publicly-trusted?
[13:17:01] <Krenair>	 and s/web //
[13:18:19] <vgutierrez>	 yup
[13:18:22] <vgutierrez>	 +1
[13:19:47] <paravoid>	 speaking of docs, and this is potentially a horrible high-level comment (I'm just a manager forgive me), but... the README right now doesn't sound very exciting or sexy :)
[13:20:16] <paravoid>	 this LE cert management thing is a common problem, I'm not sure if the description there fully captures how great this piece of SW is :)
[13:20:52] <Krenair>	 needs ascii art, got it
[13:20:55] <Krenair>	 :)
[13:20:55] <paravoid>	 hahaha
[13:20:55] <vgutierrez>	 you're right, it isn't sexy right now
[13:21:04] <vgutierrez>	 but let's put it in production and then brag about it
[13:21:04] <Krenair>	 but yes
[13:21:06] <vgutierrez>	 not the other way around
[13:21:14] <paravoid>	 fair fair :)
[13:21:38] <vgutierrez>	 I hate conference oriented development :)
[13:22:05] <vgutierrez>	 but it could be FOSDEM worthy IMHO
[13:22:52] <paravoid>	 for sure
[13:27:15] <Krenair>	 vgutierrez, I've updated the change
[14:30:00] <Krenair>	 vgutierrez, was this what you had in mind? https://gerrit.wikimedia.org/r/#/c/operations/software/certcentral/+/459662/3/tests/test_certcentral.py
[14:31:40] <Krenair>	 should make it pretty difficult for someone to accidentally break it without making the test fail