From 76401c9a3b9525032958f10843090a6737abc91e Mon Sep 17 00:00:00 2001
From: Lucas Savva
Date: Fri, 23 Oct 2020 18:52:42 +0100
Subject: [PATCH 1/3] nixos/acme: lego run whenen account is missing
---
 nixos/modules/security/acme.nix | 3 ++-
 nixos/modules/security/acme.xml | 24 ++++++++++++++++++++++++
 2 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
index 5732620f290..3734a06c3fa 100644
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -253,7 +253,8 @@ let
 echo '${domainHash}' > domainhash.txt
 # Check if we can renew
- if [ -e 'certificates/${keyName}.key' -a -e 'certificates/${keyName}.crt' ]; then
+ # Certificates and account credentials must exist
+ if [ -e 'certificates/${keyName}.key' -a -e 'certificates/${keyName}.crt' -a "$(ls -1 accounts)" ]; then
 # When domains are updated, there's no need to do a full
 # Lego run, but it's likely renew won't work if days is too low.
diff --git a/nixos/modules/security/acme.xml b/nixos/modules/security/acme.xml
index 17e94bc12fb..517162d1a7b 100644
--- a/nixos/modules/security/acme.xml
+++ b/nixos/modules/security/acme.xml
@@ -263,4 +263,28 @@ chmod 400 /var/lib/secrets/certs.secret ones. +
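Review bot: `[ ... -a "$(ls -1 accounts)" ]` on the added `if` line only checks that the `accounts` directory is non-empty; it does not show that the account key and registration for this certificate's email exist or are usable, so the corrupt-credentials case (`JWS verification error`) that the same patch documents still takes the renew branch. A missing `accounts` directory also makes `ls` print to stderr on every run, and `-a` inside `[` is obsolescent in POSIX. I would write the test as three `[` commands joined with `&&` and silence the absent-directory case: `if [ -e 'certificates/${keyName}.key' ] && [ -e 'certificates/${keyName}.crt' ] && [ -n "$(ls -1 accounts 2>/dev/null)" ]; then`. The shell script this line belongs to starts and ends outside the hunk, so whether `accounts` is guaranteed to exist at this point is not visible here.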
+ Fixing JWS Verification error + + + It is possible that your account credentials file may become corrupt and need + to be regnerated. In this scenario lego will produce the error JWS verification error. + The solution is to simply delete the associated accounts file and + re-run the affected service(s). + + + +# Find the accounts folder for the certificate +systemctl cat acme-example.com.service | grep -Po 'accounts/[^:]*' +export accountdir="$(!!)" +# Move this folder to some place else +mv /var/lib/acme/.lego/$accountdir{,.bak} +# Recreate the folder using systemd-tmpfiles +systemd-tmpfiles --create +# Get a new account and reissue certificates +# Note: Do this for all certs that share the same account email address +systemctl start acme-example.com.service + + +
From 79ecf069f5d71fb151b895b7de5f3d0fae7ce32a Mon Sep 17 00:00:00 2001
From: Lucas Savva
Date: Sat, 24 Oct 2020 20:40:02 +0100
Subject: [PATCH 2/3] nixos/acme: Add data.email to othersHash in nixos > 20.09
---
 nixos/modules/security/acme.nix | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
index 3734a06c3fa..69f5a4e4cae 100644
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -104,7 +104,12 @@ let
 mkHash = with builtins; val: substring 0 20 (hashString "sha256" val);
 certDir = mkHash hashData;
 domainHash = mkHash "${concatStringsSep " " extraDomains} ${data.domain}";
- othersHash = mkHash "${toString acmeServer} ${data.keyType}";
+ othersHash = mkHash (
+ "${toString acmeServer} ${data.keyType}" + (
+ optionalString (versionOlder "20.09" config.system.stateVersion) data.email
+ )
+ );
 accountDir = "/var/lib/acme/.lego/accounts/" + othersHash;
 protocolOpts = if useDns then (
From e3120397a5a560bd4fd5231eb1e87c5ca73d7ef3 Mon Sep 17 00:00:00 2001
From: Lucas Savva
Date: Fri, 18 Dec 2020 12:57:35 +0000
Subject: [PATCH 3/3] nixos/acme: Remove dependency on system version for hash
This means that all systems running from master will trigger new certificate creation on next rebuild. Race conditions around multiple account creation are fixed in #106857, not this commit.
---
 nixos/modules/security/acme.nix | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
index 69f5a4e4cae..f427ae9d1c6 100644
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -104,12 +104,7 @@ let
 mkHash = with builtins; val: substring 0 20 (hashString "sha256" val);
 certDir = mkHash hashData;
 domainHash = mkHash "${concatStringsSep " " extraDomains} ${data.domain}";
- othersHash = mkHash (
- "${toString acmeServer} ${data.keyType}"
- + (
- optionalString (versionOlder "20.09" config.system.stateVersion) data.email
- )
- );
+ othersHash = mkHash "${toString acmeServer} ${data.keyType} ${data.email}";
 accountDir = "/var/lib/acme/.lego/accounts/" + othersHash;
 protocolOpts = if useDns then (
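Review bot: The new `othersHash` line carries no comment saying what the account directory is keyed on, and the reason for including `data.email` (one lego account per ACME server, key type and registration email, so credentials of different accounts never share a directory) is only recoverable from the commit series. I would add above it `# Account credentials are keyed by ACME server, key type and registration email;` / `# changing any of them selects a fresh account directory and triggers a new registration.`. Because `accountDir` on the next line is derived from this hash, every existing certificate moves to a new directory after this change, which the commit message acknowledges as new certificate creation on the next rebuild; operators should expect one new account registration per affected email and plan around the CA's registration rate limits. `"${data.email}"` also differs from `toString acmeServer` in that it fails evaluation if the option can be null — the option's type is not visible in this hunk, so this is worth confirming. The `let` block holding these bindings continues outside the hunk.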