From cbe0e663eced8d77ec8400d8e790845fcf3b0de5 Mon Sep 17 00:00:00 2001 From: Vincent Bernat Date: Sun, 30 May 2021 13:12:32 +0200 Subject: [PATCH] nixos/acme: don't use --reuse-key Reusing the same private/public key on renewal has two issues: - some providers don't accept to sign the same public key again (Buypass Go SSL) - keeping the same private key forever partly defeats the purpose of renewing the certificate often Therefore, let's remove this option. People wanting to keep the same key can set extraLegoRenewFlags to `[ --reuse-key ]` to keep the previous behavior. Alternatively, we could put this as an option whose default value is true. (cherry picked from commit 632c8e1d54e299f656aa677f25552e1127f12849) --- nixos/doc/manual/release-notes/rl-2105.xml | 10 ++++++++++ nixos/modules/security/acme.nix | 2 +- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/nixos/doc/manual/release-notes/rl-2105.xml b/nixos/doc/manual/release-notes/rl-2105.xml index 410d2432786..8abaae02b8a 100644 --- a/nixos/doc/manual/release-notes/rl-2105.xml +++ b/nixos/doc/manual/release-notes/rl-2105.xml @@ -795,6 +795,16 @@ environment.systemPackages = [ the deprecated is used. + + + In the module, use of --reuse-key + parameter for Lego has been removed. It was introduced for HKPK, but this security + feature is now deprecated. It is a better security practice to rotate key pairs + instead of always keeping the same. If you need to keep this parameter, you can add + it back using extraLegoRenewFlags as an option for the + appropriate certificate. + + diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix index eb3599b924d..c0250171109 100644 --- a/nixos/modules/security/acme.nix +++ b/nixos/modules/security/acme.nix @@ -152,7 +152,7 @@ let ); renewOpts = escapeShellArgs ( commonOpts - ++ [ "renew" "--reuse-key" ] + ++ [ "renew" ] ++ optionals data.ocspMustStaple [ "--must-staple" ] ++ data.extraLegoRenewFlags );