diff options
| author | Vincent Bernat <vincent@bernat.ch> | 2021-05-30 13:12:32 +0200 |
|---|---|---|
| committer | Martin Weinelt <hexa@darmstadt.ccc.de> | 2021-06-01 00:43:45 +0200 |
| commit | 632c8e1d54e299f656aa677f25552e1127f12849 (patch) | |
| tree | 01c62b715b94760ea2ef9b8f3199bfcaa32237b2 /nixos/modules/security/acme.nix | |
| parent | 774fe1878b045411e6bdd0dd90d8581e82b10993 (diff) | |
| download | nixpkgs-632c8e1d54e299f656aa677f25552e1127f12849.tar nixpkgs-632c8e1d54e299f656aa677f25552e1127f12849.tar.gz nixpkgs-632c8e1d54e299f656aa677f25552e1127f12849.tar.bz2 nixpkgs-632c8e1d54e299f656aa677f25552e1127f12849.tar.lz nixpkgs-632c8e1d54e299f656aa677f25552e1127f12849.tar.xz nixpkgs-632c8e1d54e299f656aa677f25552e1127f12849.tar.zst nixpkgs-632c8e1d54e299f656aa677f25552e1127f12849.zip | |
nixos/acme: don't use --reuse-key
Reusing the same private/public key on renewal has two issues: - some providers don't accept to sign the same public key again (Buypass Go SSL) - keeping the same private key forever partly defeats the purpose of renewing the certificate often Therefore, let's remove this option. People wanting to keep the same key can set extraLegoRenewFlags to `[ --reuse-key ]` to keep the previous behavior. Alternatively, we could put this as an option whose default value is true.
Diffstat (limited to 'nixos/modules/security/acme.nix')
| -rw-r--r-- | nixos/modules/security/acme.nix | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix index eb3599b924d..c0250171109 100644 --- a/nixos/modules/security/acme.nix +++ b/nixos/modules/security/acme.nix @@ -152,7 +152,7 @@ let ); renewOpts = escapeShellArgs ( commonOpts - ++ [ "renew" "--reuse-key" ] + ++ [ "renew" ] ++ optionals data.ocspMustStaple [ "--must-staple" ] ++ data.extraLegoRenewFlags ); |