nixos/acme: don't use --reuse-key

Reusing the same private/public key on renewal has two issues:

 - some providers don't accept signing the same public key
   again (Buypass Go SSL)

 - keeping the same private key forever partly defeats the purpose of
   renewing the certificate often

Therefore, let's remove this option. People wanting to keep the same
key can set extraLegoRenewFlags to `[ --reuse-key ]` to keep the
previous behavior. Alternatively, we could put this as an option whose
default value is true.

(cherry picked from commit 632c8e1d54e299f656aa677f25552e1127f12849)
Vincent Bernat 2021-05-30 13:12:32 +02:00 committed by github-actions[bot]
parent 75f90eedcf
commit cbe0e663ec
2 changed files with 11 additions and 1 deletions


@ -795,6 +795,16 @@ environment.systemPackages = [
the deprecated <option>services.radicale.config</option> is used. the deprecated <option>services.radicale.config</option> is used.
</para> </para>
</listitem> </listitem>
<listitem>
<para>
In the <option>security.acme</option> module, use of <literal>--reuse-key</literal>
parameter for Lego has been removed. It was introduced for HKPK, but this security
feature is now deprecated. It is a better security practice to rotate key pairs
instead of always keeping the same. If you need to keep this parameter, you can add
it back using <literal>extraLegoRenewFlags</literal> as an option for the
appropriate certificate.
</para>
</listitem>
</itemizedlist> </itemizedlist>
</section> </section>
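Review bot: "HKPK" in the new release-note paragraph is a typo for HPKP (HTTP Public Key Pinning), which is the feature `--reuse-key` was originally added for; fix the acronym before this lands, since release notes are rarely corrected afterwards. The paragraph also tells users to "add it back using extraLegoRenewFlags" without showing the value; quoting the exact opt-in, e.g. `extraLegoRenewFlags = [ "--reuse-key" ];`, removes the guesswork (note the flag must be a quoted string inside the Nix list, unlike the `[ --reuse-key ]` form in the commit message).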


@ -152,7 +152,7 @@ let
); );
renewOpts = escapeShellArgs ( renewOpts = escapeShellArgs (
commonOpts commonOpts
++ [ "renew" "--reuse-key" ] ++ [ "renew" ]
++ optionals data.ocspMustStaple [ "--must-staple" ] ++ optionals data.ocspMustStaple [ "--must-staple" ]
++ data.extraLegoRenewFlags ++ data.extraLegoRenewFlags
); );
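Review bot: the only behavioural change here is dropping `"--reuse-key"` from the renew argument list, which means every existing certificate gets a fresh key pair on its next renewal once this cherry-pick reaches the stable branch; that is the intended hardening, but it is worth a short comment above `renewOpts` saying key reuse is deliberately not the default, so a later edit does not quietly reintroduce it. Since `data.extraLegoRenewFlags` is appended after the base flags and goes through the same `escapeShellArgs` call, the documented opt-in (`extraLegoRenewFlags = [ "--reuse-key" ]`) reaches lego intact, so no further change is needed for the migration path.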