Merge pull request #124950 from vincentbernat/fix/acme-no-reuse-key

nixos/acme: don't use --reuse-key
This commit is contained in:
Martin Weinelt 2021-06-01 00:59:09 +02:00 committed by GitHub
commit e09bfc5d1c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 11 additions and 1 deletions

View file

@ -804,6 +804,16 @@ environment.systemPackages = [
the deprecated <option>services.radicale.config</option> is used.
</para>
</listitem>
<listitem>
<para>
In the <option>security.acme</option> module, use of <literal>--reuse-key</literal>
parameter for Lego has been removed. It was introduced for HKPK, but this security
feature is now deprecated. It is a better security practice to rotate key pairs
instead of always keeping the same. If you need to keep this parameter, you can add
it back using <literal>extraLegoRenewFlags</literal> as an option for the
appropriate certificate.
</para>
</listitem>
</itemizedlist>
</section>

View file

@ -152,7 +152,7 @@ let
);
renewOpts = escapeShellArgs (
commonOpts
++ [ "renew" "--reuse-key" ]
++ [ "renew" ]
++ optionals data.ocspMustStaple [ "--must-staple" ]
++ data.extraLegoRenewFlags
);