nixos/acme: don't use --reuse-key

Reusing the same private/public key on renewal has two issues:

 - some providers refuse to sign the same public key
   again (Buypass Go SSL)

 - keeping the same private key forever partly defeats the purpose of
   renewing the certificate often

Therefore, let's remove this option. People wanting to keep the same
key can set extraLegoRenewFlags to `[ --reuse-key ]` to keep the
previous behavior. Alternatively, we could put this as an option whose
default value is true.
Vincent Bernat 2021-05-30 13:12:32 +02:00 committed by Martin Weinelt
parent 774fe1878b
commit 632c8e1d54
No known key found for this signature in database
GPG key ID: 87C1E9888F856759
2 changed files with 11 additions and 1 deletions
@ -804,6 +804,16 @@ environment.systemPackages = [
the deprecated <option>services.radicale.config</option> is used.
</para>
</listitem>
<listitem>
<para>
In the <option>security.acme</option> module, use of <literal>--reuse-key</literal>
parameter for Lego has been removed. It was introduced for HKPK, but this security
feature is now deprecated. It is a better security practice to rotate key pairs
instead of always keeping the same. If you need to keep this parameter, you can add
it back using <literal>extraLegoRenewFlags</literal> as an option for the
appropriate certificate.
</para>
</listitem>
</itemizedlist>
</section>
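Review bot: "HKPK" in the added <para> is a typo for HPKP (HTTP Public Key Pinning), the pinning mechanism that --reuse-key was introduced for; please correct it so readers can look up the right acronym. The closing sentence would also be clearer with the exact setting spelled out, for example `extraLegoRenewFlags = [ "--reuse-key" ];` on the affected certificate, together with a note that anyone who still pins the public key must either re-add the flag or refresh their pins at every renewal, because the key now changes whenever the certificate does.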
@ -152,7 +152,7 @@ let
);
renewOpts = escapeShellArgs (
commonOpts
++ [ "renew" "--reuse-key" ]
++ [ "renew" ]
++ optionals data.ocspMustStaple [ "--must-staple" ]
++ data.extraLegoRenewFlags
);
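Review bot: removing --reuse-key from renewOpts makes lego generate a fresh key pair on each renewal, which is the intended hardening, but it is a behaviour change for any deployment that pins or otherwise references the current public key (the HPKP case from the release note); since data.extraLegoRenewFlags is still appended after the base options, the documented opt-out `extraLegoRenewFlags = [ "--reuse-key" ];` restores the old behaviour, and that is the form the release note should quote. Worth double-checking that consumers which load the key file once and only reload the certificate are reloaded as well, since the key and certificate now rotate together.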