diff options
| field | value | date |
|---|---|---|
| author | Martin Weinelt <mweinelt@users.noreply.github.com> | 2021-06-01 00:59:09 +0200 |
| committer | GitHub <noreply@github.com> | 2021-06-01 00:59:09 +0200 |
| commit | e09bfc5d1c50ca1bcb2c125472a4b641fb85b3df (patch) | |
| tree | a71d2ef5b753bdca4ab29a7a8d7c1df843ae4f5c /nixos | |
| parent | 78f495f7244f2b9ba077d2360008849fc4592ffb (diff) | |
| parent | 632c8e1d54e299f656aa677f25552e1127f12849 (diff) | |
| download | nixpkgs-e09bfc5d1c50ca1bcb2c125472a4b641fb85b3df.tar nixpkgs-e09bfc5d1c50ca1bcb2c125472a4b641fb85b3df.tar.gz nixpkgs-e09bfc5d1c50ca1bcb2c125472a4b641fb85b3df.tar.bz2 nixpkgs-e09bfc5d1c50ca1bcb2c125472a4b641fb85b3df.tar.lz nixpkgs-e09bfc5d1c50ca1bcb2c125472a4b641fb85b3df.tar.xz nixpkgs-e09bfc5d1c50ca1bcb2c125472a4b641fb85b3df.tar.zst nixpkgs-e09bfc5d1c50ca1bcb2c125472a4b641fb85b3df.zip | |
Merge pull request #124950 from vincentbernat/fix/acme-no-reuse-key
nixos/acme: don't use --reuse-key
Diffstat (limited to 'nixos')
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | nixos/doc/manual/release-notes/rl-2105.xml | 10 |
| -rw-r--r-- | nixos/modules/security/acme.nix | 2 |
2 files changed, 11 insertions, 1 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2105.xml b/nixos/doc/manual/release-notes/rl-2105.xml index 12a9ae2f44e..489d74e1aef 100644 --- a/nixos/doc/manual/release-notes/rl-2105.xml +++ b/nixos/doc/manual/release-notes/rl-2105.xml @@ -804,6 +804,16 @@ environment.systemPackages = [ the deprecated <option>services.radicale.config</option> is used. </para> </listitem> + <listitem> + <para> + In the <option>security.acme</option> module, use of <literal>--reuse-key</literal> + parameter for Lego has been removed. It was introduced for HKPK, but this security + feature is now deprecated. It is a better security practice to rotate key pairs + instead of always keeping the same. If you need to keep this parameter, you can add + it back using <literal>extraLegoRenewFlags</literal> as an option for the + appropriate certificate. + </para> + </listitem> </itemizedlist> </section> diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix index eb3599b924d..c0250171109 100644 --- a/nixos/modules/security/acme.nix +++ b/nixos/modules/security/acme.nix @@ -152,7 +152,7 @@ let ); renewOpts = escapeShellArgs ( commonOpts - ++ [ "renew" "--reuse-key" ] + ++ [ "renew" ] ++ optionals data.ocspMustStaple [ "--must-staple" ] ++ data.extraLegoRenewFlags ); |
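Review bot: "HKPK" in the new release-note paragraph is a typo for HPKP (HTTP Public Key Pinning), the header-based key-pinning mechanism that `--reuse-key` was originally added to support; since the whole justification for the change rests on that acronym, please fix it before this lands in rl-2105.xml. Two smaller wording points in the same paragraph: "use of `--reuse-key` parameter" needs an article ("use of the `--reuse-key` parameter"), and it would help readers to show the escape hatch concretely rather than just naming it, e.g. setting `extraLegoRenewFlags = [ "--reuse-key" ];` on the affected certificate entry, which matches the `data.extraLegoRenewFlags` list the acme.nix hunk still appends to the renew invocation.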
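Review bot: removing `--reuse-key` from `renewOpts` means every `lego renew` now generates a fresh private key, which is the intended rotation, but it also silently breaks any deployment that pins the certificate's public key rather than the certificate itself, not only HPKP; the release note should say so in those terms, and since `++ data.extraLegoRenewFlags` is still the last element of the list, that option is the right place for such deployments to put `--reuse-key` back. One check worth doing before merge: the diffstat shows only one line changed in acme.nix, and only the renew path is touched here, so confirm with a grep that no other reference to `--reuse-key` remains elsewhere in the module (the initial-issuance invocation built from `commonOpts` is outside this hunk).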