nixos/acme: update documentation and release notes
The instructions on recreating the cert were missing --what=state. Also added a note on ensuring the group of manual certs is correct.
This commit is contained in:
parent
f670e1dc23
commit
e5913db0c9
@ -439,6 +439,15 @@
|
||||
been dropped from upstream releases.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
In the ACME module, the data used to build the hash for the account
|
||||
directory has changed to accomodate new features to reduce account
|
||||
rate limit issues. This will trigger new account creation on the first
|
||||
rebuild following this update. No issues are expected to arise from this,
|
||||
thanks to the new account creation handling.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<xref linkend="opt-users.users._name_.createHome" /> now always ensures home directory permissions to be <literal>0700</literal>.
|
||||
|
@ -162,6 +162,9 @@ services.httpd = {
|
||||
<xref linkend="opt-security.acme.certs"/>."foo.example.com" = {
|
||||
<link linkend="opt-security.acme.certs._name_.webroot">webroot</link> = "/var/lib/acme/.challenges";
|
||||
<link linkend="opt-security.acme.certs._name_.email">email</link> = "foo@example.com";
|
||||
# Ensure that the web server you use can read the generated certs
|
||||
# Take a look at the <link linkend="opt-services.nginx.group">group</link> option for the web server you choose.
|
||||
<link linkend="opt-security.acme.certs._name_.group">group</link> = "nginx";
|
||||
# Since we have a wildcard vhost to handle port 80,
|
||||
# we can generate certs for anything!
|
||||
# Just make sure your DNS resolves them.
|
||||
@ -257,10 +260,11 @@ chmod 400 /var/lib/secrets/certs.secret
|
||||
<para>
|
||||
Should you need to regenerate a particular certificate in a hurry, such
|
||||
as when a vulnerability is found in Let's Encrypt, there is now a convenient
|
||||
mechanism for doing so. Running <literal>systemctl clean acme-example.com.service</literal>
|
||||
will remove all certificate files for the given domain, allowing you to then
|
||||
<literal>systemctl start acme-example.com.service</literal> to generate fresh
|
||||
ones.
|
||||
mechanism for doing so. Running
|
||||
<literal>systemctl clean --what=state acme-example.com.service</literal>
|
||||
will remove all certificate files and the account data for the given domain,
|
||||
allowing you to then <literal>systemctl start acme-example.com.service</literal>
|
||||
to generate fresh ones.
|
||||
</para>
|
||||
</section>
|
||||
<section xml:id="module-security-acme-fix-jws">
|
||||
|
Loading…
Reference in New Issue
Block a user