diff options
author | Lucas Savva <lucas@m1cr0man.com> | 2020-12-13 23:09:23 +0000 |
---|---|---|
committer | Lucas Savva <lucas@m1cr0man.com> | 2020-12-28 00:35:45 +0000 |
commit | e5913db0c946b0d3408fc902858cdc2a26f7ad36 (patch) | |
tree | 23f18bed4bc2a89c629ece2f017d46365928bc4d | |
parent | f670e1dc23bab2af7fdd8d7121d9f281d744ed1b (diff) | |
download | nixpkgs-e5913db0c946b0d3408fc902858cdc2a26f7ad36.tar nixpkgs-e5913db0c946b0d3408fc902858cdc2a26f7ad36.tar.gz nixpkgs-e5913db0c946b0d3408fc902858cdc2a26f7ad36.tar.bz2 nixpkgs-e5913db0c946b0d3408fc902858cdc2a26f7ad36.tar.lz nixpkgs-e5913db0c946b0d3408fc902858cdc2a26f7ad36.tar.xz nixpkgs-e5913db0c946b0d3408fc902858cdc2a26f7ad36.tar.zst nixpkgs-e5913db0c946b0d3408fc902858cdc2a26f7ad36.zip |
nixos/acme: update documentation and release notes
The instructions on recreating the cert were missing --what=state. Also added a note on ensuring the group of manual certs is correct.
-rw-r--r-- | nixos/doc/manual/release-notes/rl-2103.xml | 9 | ||||
-rw-r--r-- | nixos/modules/security/acme.xml | 12 |
2 files changed, 17 insertions, 4 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2103.xml b/nixos/doc/manual/release-notes/rl-2103.xml index 38262b50899..4138f569c38 100644 --- a/nixos/doc/manual/release-notes/rl-2103.xml +++ b/nixos/doc/manual/release-notes/rl-2103.xml @@ -441,6 +441,15 @@ </listitem> <listitem> <para> + In the ACME module, the data used to build the hash for the account + directory has changed to accomodate new features to reduce account + rate limit issues. This will trigger new account creation on the first + rebuild following this update. No issues are expected to arise from this, + thanks to the new account creation handling. + </para> + </listitem> + <listitem> + <para> <xref linkend="opt-users.users._name_.createHome" /> now always ensures home directory permissions to be <literal>0700</literal>. Permissions had previously been ignored for already existing home directories, possibly leaving them readable by others. The option's description was incorrect regarding ownership management and has been simplified greatly. diff --git a/nixos/modules/security/acme.xml b/nixos/modules/security/acme.xml index 517162d1a7b..3e7c8edfdf7 100644 --- a/nixos/modules/security/acme.xml +++ b/nixos/modules/security/acme.xml @@ -162,6 +162,9 @@ services.httpd = { <xref linkend="opt-security.acme.certs"/>."foo.example.com" = { <link linkend="opt-security.acme.certs._name_.webroot">webroot</link> = "/var/lib/acme/.challenges"; <link linkend="opt-security.acme.certs._name_.email">email</link> = "foo@example.com"; + # Ensure that the web server you use can read the generated certs + # Take a look at the <link linkend="opt-services.nginx.group">group</link> option for the web server you choose. + <link linkend="opt-security.acme.certs._name_.group">group</link> = "nginx"; # Since we have a wildcard vhost to handle port 80, # we can generate certs for anything! # Just make sure your DNS resolves them. @@ -257,10 +260,11 @@ chmod 400 /var/lib/secrets/certs.secret <para> Should you need to regenerate a particular certificate in a hurry, such as when a vulnerability is found in Let's Encrypt, there is now a convenient - mechanism for doing so. Running <literal>systemctl clean acme-example.com.service</literal> - will remove all certificate files for the given domain, allowing you to then - <literal>systemctl start acme-example.com.service</literal> to generate fresh - ones. + mechanism for doing so. Running + <literal>systemctl clean --what=state acme-example.com.service</literal> + will remove all certificate files and the account data for the given domain, + allowing you to then <literal>systemctl start acme-example.com.service</literal> + to generate fresh ones. </para> </section> <section xml:id="module-security-acme-fix-jws"> |