diff --git a/nixos/doc/manual/release-notes/rl-2009.xml b/nixos/doc/manual/release-notes/rl-2009.xml
index 0b8651e8f42..a19d9bb0050 100644
--- a/nixos/doc/manual/release-notes/rl-2009.xml
+++ b/nixos/doc/manual/release-notes/rl-2009.xml
@@ -394,6 +394,20 @@ php.override {
 
      </para>
    </listitem>
+   <listitem>
+    <para>
+     The ACME module has been overhauled for simplicity and maintainability.
+     Cert generation now implicitly uses the <literal>acme</literal>
+     user, and the <literal>security.acme.certs._name_.user</literal> option
+     has been removed. Instead, certificate access from other services is now
+     managed through group permissions. The module no longer runs lego
+     twice under certain conditions, and will correctly renew certificates if
+     their configuration is changed. Services which reload nginx and httpd after
+     certificate renewal are now properly configured too so you no longer have
+     to do this manually if you are using HTTPS enabled virtual hosts. A mechanism
+     for regenerating certs on demand has also been added and documented.
+    </para>
+   </listitem>
    <listitem>
      <para>
       Gollum received a major update to version 5.x and you may have to change
diff --git a/nixos/modules/security/acme.xml b/nixos/modules/security/acme.xml
index 005eebd75c0..17e94bc12fb 100644
--- a/nixos/modules/security/acme.xml
+++ b/nixos/modules/security/acme.xml
@@ -251,4 +251,16 @@ chmod 400 /var/lib/secrets/certs.secret
    journalctl -fu acme-example.com.service</literal> and watching its log output.
   </para>
  </section>
+ <section xml:id="module-security-acme-regenerate">
+  <title>Regenerating certificates</title>
+
+  <para>
+   Should you need to regenerate a particular certificate in a hurry, such
+   as when a vulnerability is found in Let's Encrypt, there is now a convenient
+   mechanism for doing so. Running <literal>systemctl clean acme-example.com.service</literal>
+   will remove all certificate files for the given domain, allowing you to then
+   <literal>systemctl start acme-example.com.service</literal> to generate fresh
+   ones.
+  </para>
+ </section>
 </chapter>
diff --git a/nixos/tests/acme.nix b/nixos/tests/acme.nix
index 223945907da..1c83ad3c9d8 100644
--- a/nixos/tests/acme.nix
+++ b/nixos/tests/acme.nix
@@ -218,8 +218,7 @@ in import ./make-test-python.nix ({ lib, ... }: {
 
 
       def check_connection(node, domain, retries=3):
-          if retries == 0:
-              assert False
+          assert retries >= 0
 
           result = node.succeed(
               "openssl s_client -brief -verify 2 -CAfile /tmp/ca.crt"
@@ -233,8 +232,7 @@ in import ./make-test-python.nix ({ lib, ... }: {
 
 
       def check_connection_key_bits(node, domain, bits, retries=3):
-          if retries == 0:
-              assert False
+          assert retries >= 0
 
           result = node.succeed(
               "openssl s_client -CAfile /tmp/ca.crt"