-rw-r--r--  nixos/doc/manual/release-notes/rl-2009.xml | 14
-rw-r--r--  nixos/modules/security/acme.xml            | 12
-rw-r--r--  nixos/tests/acme.nix                       |  6
3 files changed, 28 insertions(+), 4 deletions(-)
diff --git a/nixos/doc/manual/release-notes/rl-2009.xml b/nixos/doc/manual/release-notes/rl-2009.xml
index 0b8651e8f42..a19d9bb0050 100644
--- a/nixos/doc/manual/release-notes/rl-2009.xml
+++ b/nixos/doc/manual/release-notes/rl-2009.xml
@@ -395,6 +395,20 @@ php.override {
      </para>
    </listitem>
    <listitem>
+    <para>
+     The ACME module has been overhauled for simplicity and maintainability.
+     Cert generation now implicitly uses the <literal>acme</literal>
+     user, and the <literal>security.acme.certs._name_.user</literal> option
+     has been removed. Instead, certificate access from other services is now
+     managed through group permissions. The module no longer runs lego
+     twice under certain conditions, and will correctly renew certificates if
+     their configuration is changed. Services which reload nginx and httpd after
+     certificate renewal are now properly configured too so you no longer have
+     to do this manually if you are using HTTPS enabled virtual hosts. A mechanism
+     for regenerating certs on demand has also been added and documented.
+    </para>
+   </listitem>
+   <listitem>
      <para>
       Gollum received a major update to version 5.x and you may have to change
       some links in your wiki when migrating from gollum 4.x. More information
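Review bot: The migration guidance in this release note is incomplete: it says `security.acme.certs._name_.user` has been removed and that access "is now managed through group permissions", but it names neither the group that certificate files are now owned by nor the option a user should set instead, so anyone upgrading with `.user` in their config gets an evaluation failure with no pointer to the fix. Suggest adding one sentence naming the replacement option and the group to add consuming services to. Also, `_name_` inside `<literal>` is not the placeholder convention used elsewhere in the manual; use `<literal>security.acme.certs.<replaceable>name</replaceable>.user</literal>` so it renders as a placeholder rather than literal underscores.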
diff --git a/nixos/modules/security/acme.xml b/nixos/modules/security/acme.xml
index 005eebd75c0..17e94bc12fb 100644
--- a/nixos/modules/security/acme.xml
+++ b/nixos/modules/security/acme.xml
@@ -251,4 +251,16 @@ chmod 400 /var/lib/secrets/certs.secret
    journalctl -fu acme-example.com.service</literal> and watching its log output.
   </para>
  </section>
+ <section xml:id="module-security-acme-regenerate">
+  <title>Regenerating certificates</title>
+
+  <para>
+   Should you need to regenerate a particular certificate in a hurry, such
+   as when a vulnerability is found in Let's Encrypt, there is now a convenient
+   mechanism for doing so. Running <literal>systemctl clean acme-example.com.service</literal>
+   will remove all certificate files for the given domain, allowing you to then
+   <literal>systemctl start acme-example.com.service</literal> to generate fresh
+   ones.
+  </para>
+ </section>
 </chapter>
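Review bot: The new section should state what `systemctl clean acme-example.com.service` actually deletes and what that implies for dependent services. `systemctl clean` removes the directories the unit declares via its `StateDirectory`/`CacheDirectory`/`LogsDirectory`/`RuntimeDirectory` settings (by default the state and cache ones), so the text only holds if the ACME unit declares its certificate directory that way; it is worth saying so, since a reader who applies the same command to a unit without those settings gets nothing removed. It should also warn that between `clean` and a successful `start` there is no certificate on disk, so nginx/httpd virtual hosts referencing it will fail to (re)start in that window, and that repeated regeneration counts against the CA's issuance rate limits. Finally, "when a vulnerability is found in Let's Encrypt" is an unusual example of why one would regenerate a certificate; a private key compromise or a mass-revocation notice from the CA is the typical trigger and would read more clearly.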
diff --git a/nixos/tests/acme.nix b/nixos/tests/acme.nix
index 223945907da..1c83ad3c9d8 100644
--- a/nixos/tests/acme.nix
+++ b/nixos/tests/acme.nix
@@ -218,8 +218,7 @@ in import ./make-test-python.nix ({ lib, ... }: {
 
 
       def check_connection(node, domain, retries=3):
-          if retries == 0:
-              assert False
+          assert retries >= 0
 
           result = node.succeed(
               "openssl s_client -brief -verify 2 -CAfile /tmp/ca.crt"
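Review bot: `assert retries >= 0` changes the function's behaviour, not just its style: the old `if retries == 0: assert False` made the call fail once the count reached zero, whereas the new assertion only fires for negative values, so a call with `retries=0` now proceeds to run the `openssl s_client` check once more. If that is intended (3 retries meaning three re-attempts after the first try), add a comment or an assertion message saying so, e.g. `assert retries >= 0, f"connection check for {domain} exhausted retries"`, so the next reader does not mistake this for a lost failure path; if it is not intended, the original check needs to stay alongside the new one.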
@@ -233,8 +232,7 @@ in import ./make-test-python.nix ({ lib, ... }: {
 
 
       def check_connection_key_bits(node, domain, bits, retries=3):
-          if retries == 0:
-              assert False
+          assert retries >= 0
 
           result = node.succeed(
               "openssl s_client -CAfile /tmp/ca.crt"
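Review bot: This is the same `retries == 0` to `retries >= 0` change as in `check_connection` above, with the same semantic shift (retries now counts re-attempts after the first try rather than total attempts). Whatever comment or assertion message is adopted for `check_connection` should be applied identically here; better still, factor the retry bookkeeping into one shared helper so the two functions cannot drift apart again.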