author | Lucas Savva <lucas@m1cr0man.com> | 2020-10-23 18:52:42 +0100 |
---|---|---|
committer | Lucas Savva <lucas@m1cr0man.com> | 2020-10-23 18:52:42 +0100 |
commit | 76401c9a3b9525032958f10843090a6737abc91e (patch) | |
tree | 875ebb7f985873eadf4ab5d6a8e17206ee95fec4 /nixos/modules/security | |
parent | 7c76eafdb7c1c76bb4ce7fb4b4a7a817479b2bdb (diff) | |
nixos/acme: lego run whenen account is missing
Diffstat (limited to 'nixos/modules/security')
-rw-r--r-- | nixos/modules/security/acme.nix | 3 | ||||
-rw-r--r-- | nixos/modules/security/acme.xml | 24 |
2 files changed, 26 insertions, 1 deletions
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
index 5732620f290..3734a06c3fa 100644
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -253,7 +253,8 @@ let
 echo '${domainHash}' > domainhash.txt
 
 # Check if we can renew
- if [ -e 'certificates/${keyName}.key' -a -e 'certificates/${keyName}.crt' ]; then
+ # Certificates and account credentials must exist
+ if [ -e 'certificates/${keyName}.key' -a -e 'certificates/${keyName}.crt' -a "$(ls -1 accounts)" ]; then
 
 # When domains are updated, there's no need to do a full
 # Lego run, but it's likely renew won't work if days is too low.
diff --git a/nixos/modules/security/acme.xml b/nixos/modules/security/acme.xml
index 17e94bc12fb..517162d1a7b 100644
--- a/nixos/modules/security/acme.xml
+++ b/nixos/modules/security/acme.xml
@@ -263,4 +263,28 @@ chmod 400 /var/lib/secrets/certs.secret
 ones.
 </para>
 </section>
+ <section xml:id="module-security-acme-fix-jws">
+ <title>Fixing JWS Verification error</title>
+
+ <para>
+ It is possible that your account credentials file may become corrupt and need
+ to be regnerated. In this scenario lego will produce the error <literal>JWS verification error</literal>.
+ The solution is to simply delete the associated accounts file and
+ re-run the affected service(s).
+ </para>
+
+<programlisting>
+# Find the accounts folder for the certificate
+systemctl cat acme-example.com.service | grep -Po 'accounts/[^:]*'
+export accountdir="$(!!)"
+# Move this folder to some place else
+mv /var/lib/acme/.lego/$accountdir{,.bak}
+# Recreate the folder using systemd-tmpfiles
+systemd-tmpfiles --create
+# Get a new account and reissue certificates
+# Note: Do this for all certs that share the same account email address
+systemctl start acme-example.com.service
+</programlisting>
+
+ </section>
 </chapter> |
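Review bot: The added `"$(ls -1 accounts)"` operand writes `ls: cannot access 'accounts'` to the service log whenever the directory is absent, which is exactly the case this commit is meant to handle, and it chains a third `-a` into a single `[ ]` test, a form POSIX marks obsolescent and ShellCheck warns about; `[ -e 'certificates/${keyName}.key' ] && [ -e 'certificates/${keyName}.crt' ] && [ -n "$(ls -A accounts 2>/dev/null)" ]` gives the same truth table without the noise. The new check is also coarse: any non-empty `accounts` directory passes, so if lego keys accounts by server and email as the `accounts/...` path in the acme.xml hunk suggests, a renew can still run against an account that is missing or stale for this certificate's email, which is the situation the JWS-error section tells the operator to repair by hand; a comment such as `# Only tests that some account exists; a corrupt account still needs manual cleanup (see acme.xml)` would make that limit explicit. The surrounding if/else and the rest of the script continue outside the hunk.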