Anders
Here's a minimal reproduce in a self-contained Dockerfile (though now I'm not getting the `incompatible key usage` in the log). The renewal still fails, however, and changing the `--not-after=1s` on...
Oooh, so because the certificate is expired authentication uses X5CInsecure with JWT instead of mTLS, which is what triggers this codepath?
But that's fine, the client cert *has* client auth: ``` X509v3 extensions: X509v3 Authority Key Identifier: keyid:17:E0:10:F6:11:7E:B2:16:9F:DB:21:A1:36:D7:10:06:57:F1:8B:F4 X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: Client...
Thank you for the super quick answer! > unfortunately there's no way to disable client cert request just for the HTTP01 challenges as this is configured per port (443) and...
You know, having thought a bit about this I think the entire approach might be wrong. mTLS is such a different beast from how Pomerium otherwise does things, that fully...
> if you have any specific suggestions or feature requests please feel free to share them. I haven't been able to find a discussion or issue related to this, so...
@kenjenkins That's actually exactly what I have done now! There are still some deps that require a little bit of documentation before publishing it. Basically the config for my "mTLS...
The main purpose is to have the CI tell you (e.g. a GitHub "build failed" email) that something is up, not to see red all over the place. So I...
Oh yeah, that might be it. I have a shutdown procedure with a function that looks like this: ``` export async function closeTracer(context: RootLogContext) { if (isTracerContext(context)) { const {...