nixos/acme: update documentation and release notes

The instructions on recreating the cert were missing --what=state. Also added a note on ensuring the group of manual certs is correct.
2020-12-13 23:09:23 +00:00 · 2020-12-13 23:09:23 +00:00 · e5913db0c9
parent f670e1dc23
commit e5913db0c9
2 changed files with 17 additions and 4 deletions
--- a/nixos/doc/manual/release-notes/rl-2103.xml
+++ b/nixos/doc/manual/release-notes/rl-2103.xml
@ -439,6 +439,15 @@
     been dropped from upstream releases.
    </para>
   </listitem>
+   <listitem>
+    <para>
+     In the ACME module, the data used to build the hash for the account
+     directory has changed to accomodate new features to reduce account
+     rate limit issues. This will trigger new account creation on the first
+     rebuild following this update. No issues are expected to arise from this,
+     thanks to the new account creation handling.
+    </para>
+   </listitem>
   <listitem>
    <para>
     <xref linkend="opt-users.users._name_.createHome" /> now always ensures home directory permissions to be <literal>0700</literal>.
--- a/nixos/modules/security/acme.xml
+++ b/nixos/modules/security/acme.xml
@ -162,6 +162,9 @@ services.httpd = {
 <xref linkend="opt-security.acme.certs"/>."foo.example.com" = {
  <link linkend="opt-security.acme.certs._name_.webroot">webroot</link> = "/var/lib/acme/.challenges";
  <link linkend="opt-security.acme.certs._name_.email">email</link> = "foo@example.com";
+  # Ensure that the web server you use can read the generated certs
+  # Take a look at the <link linkend="opt-services.nginx.group">group</link> option for the web server you choose.
+  <link linkend="opt-security.acme.certs._name_.group">group</link> = "nginx";
  # Since we have a wildcard vhost to handle port 80,
  # we can generate certs for anything!
  # Just make sure your DNS resolves them.
@ -257,10 +260,11 @@ chmod 400 /var/lib/secrets/certs.secret
  <para>
   Should you need to regenerate a particular certificate in a hurry, such
   as when a vulnerability is found in Let's Encrypt, there is now a convenient
-   mechanism for doing so. Running <literal>systemctl clean acme-example.com.service</literal>
-   will remove all certificate files for the given domain, allowing you to then
-   <literal>systemctl start acme-example.com.service</literal> to generate fresh
-   ones.
+   mechanism for doing so. Running
+   <literal>systemctl clean --what=state acme-example.com.service</literal>
+   will remove all certificate files and the account data for the given domain,
+   allowing you to then <literal>systemctl start acme-example.com.service</literal>
+   to generate fresh ones.
  </para>
 </section>
 <section xml:id="module-security-acme-fix-jws">