Merge pull request #125134 from NixOS/backport-124950-to-release-21.05

[Backport release-21.05] nixos/acme: don't use --reuse-key
3 years ago · 3a2e0c36e7
parent 75f90eedcf cbe0e663ec
commit 3a2e0c36e7
2 changed files with 11 additions and 1 deletions
--- a/nixos/doc/manual/release-notes/rl-2105.xml
+++ b/nixos/doc/manual/release-notes/rl-2105.xml
@ -795,6 +795,16 @@ environment.systemPackages = [
     the deprecated <option>services.radicale.config</option> is used.
    </para>
   </listitem>
+   <listitem>
+    <para>
+     In the <option>security.acme</option> module, use of <literal>--reuse-key</literal>
+     parameter  for Lego has been removed. It was introduced for HKPK, but this security
+     feature is now deprecated. It is a better security practice to rotate key pairs
+     instead of always keeping the same. If you need to keep this parameter, you can add
+     it back using <literal>extraLegoRenewFlags</literal> as an option for the
+     appropriate certificate.
+    </para>
+   </listitem>
  </itemizedlist>
 </section>

--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@ -152,7 +152,7 @@ let
    );
    renewOpts = escapeShellArgs (
      commonOpts
-      ++ [ "renew" "--reuse-key" ]
+      ++ [ "renew" ]
      ++ optionals data.ocspMustStaple [ "--must-staple" ]
      ++ data.extraLegoRenewFlags
    );