nixos/acme: update documentation and release notes
The instructions on recreating the cert were missing --what=state. Also added a note on ensuring the group of manual certs is correct.
This commit is contained in:
parent
f670e1dc23
commit
e5913db0c9
@ -439,6 +439,15 @@
|
||||||
been dropped from upstream releases.
|
been dropped from upstream releases.
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
<listitem>
|
||||||
|
<para>
|
||||||
|
In the ACME module, the data used to build the hash for the account
|
||||||
|
directory has changed to accomodate new features to reduce account
|
||||||
|
rate limit issues. This will trigger new account creation on the first
|
||||||
|
rebuild following this update. No issues are expected to arise from this,
|
||||||
|
thanks to the new account creation handling.
|
||||||
|
</para>
|
||||||
|
</listitem>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
<xref linkend="opt-users.users._name_.createHome" /> now always ensures home directory permissions to be <literal>0700</literal>.
|
<xref linkend="opt-users.users._name_.createHome" /> now always ensures home directory permissions to be <literal>0700</literal>.
|
||||||
|
|
|
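Review bot: "accomodate" in the added release-note paragraph is misspelled and should be "accommodate". The closing sentence "No issues are expected to arise from this, thanks to the new account creation handling" is also vaguer than an operator reading release notes needs: say what happens concretely on the first rebuild, i.e. that a fresh ACME account is registered with the CA and whether existing certificates are kept or re-issued. Since the same paragraph mentions account rate limits, it is worth stating explicitly that the one-time re-registration counts against them, so that readers rebuilding many hosts at once are not surprised.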
@ -162,6 +162,9 @@ services.httpd = {
|
||||||
<xref linkend="opt-security.acme.certs"/>."foo.example.com" = {
|
<xref linkend="opt-security.acme.certs"/>."foo.example.com" = {
|
||||||
<link linkend="opt-security.acme.certs._name_.webroot">webroot</link> = "/var/lib/acme/.challenges";
|
<link linkend="opt-security.acme.certs._name_.webroot">webroot</link> = "/var/lib/acme/.challenges";
|
||||||
<link linkend="opt-security.acme.certs._name_.email">email</link> = "foo@example.com";
|
<link linkend="opt-security.acme.certs._name_.email">email</link> = "foo@example.com";
|
||||||
|
# Ensure that the web server you use can read the generated certs
|
||||||
|
# Take a look at the <link linkend="opt-services.nginx.group">group</link> option for the web server you choose.
|
||||||
|
<link linkend="opt-security.acme.certs._name_.group">group</link> = "nginx";
|
||||||
# Since we have a wildcard vhost to handle port 80,
|
# Since we have a wildcard vhost to handle port 80,
|
||||||
# we can generate certs for anything!
|
# we can generate certs for anything!
|
||||||
# Just make sure your DNS resolves them.
|
# Just make sure your DNS resolves them.
|
||||||
|
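Review bot: the added lines hardcode `group = "nginx"` and link to `opt-services.nginx.group`, but the hunk header's enclosing context is `services.httpd = {`; if this example is the httpd one, the value and the link should point at the httpd group option instead, and if it is meant to be server-agnostic the comment should say that "nginx" is the value for nginx specifically. It would also help to mention that the group has to exist on the system and that the certificate directory is made group-readable as a consequence, since that is the security-relevant effect of the option being documented.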
@ -257,10 +260,11 @@ chmod 400 /var/lib/secrets/certs.secret
|
||||||
<para>
|
<para>
|
||||||
Should you need to regenerate a particular certificate in a hurry, such
|
Should you need to regenerate a particular certificate in a hurry, such
|
||||||
as when a vulnerability is found in Let's Encrypt, there is now a convenient
|
as when a vulnerability is found in Let's Encrypt, there is now a convenient
|
||||||
mechanism for doing so. Running <literal>systemctl clean acme-example.com.service</literal>
|
mechanism for doing so. Running
|
||||||
will remove all certificate files for the given domain, allowing you to then
|
<literal>systemctl clean --what=state acme-example.com.service</literal>
|
||||||
<literal>systemctl start acme-example.com.service</literal> to generate fresh
|
will remove all certificate files and the account data for the given domain,
|
||||||
ones.
|
allowing you to then <literal>systemctl start acme-example.com.service</literal>
|
||||||
|
to generate fresh ones.
|
||||||
</para>
|
</para>
|
||||||
</section>
|
</section>
|
||||||
<section xml:id="module-security-acme-fix-jws">
|
<section xml:id="module-security-acme-fix-jws">
|
||||||
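Review bot: with `--what=state` the new text correctly says that "all certificate files and the account data for the given domain" are removed, which makes this a reset of the ACME account rather than just the certificate; the paragraph should add that the following `systemctl start` registers a new account with the CA (the release note in this same commit describes that registration as rate limited) and should state whether the account directory is shared by other certificates using the same CA and email, so that readers know whether cleaning one service's state affects the others. If a way exists to discard only the certificate files for the "regenerate a particular certificate in a hurry" case, it belongs here as the less destructive first option.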