author | Vincent Bernat <vincent@bernat.ch> | 2021-05-30 13:12:32 +0200 |
---|---|---|
committer | Martin Weinelt <hexa@darmstadt.ccc.de> | 2021-06-01 00:43:45 +0200 |
commit | 632c8e1d54e299f656aa677f25552e1127f12849 (patch) | |
tree | 01c62b715b94760ea2ef9b8f3199bfcaa32237b2 /nixos/modules/security/acme.nix | |
parent | 774fe1878b045411e6bdd0dd90d8581e82b10993 (diff) |
nixos/acme: don't use --reuse-key

Reusing the same private/public key on renewal has two issues:

- some providers don't accept to sign the same public key
  again (Buypass Go SSL)
- keeping the same private key forever partly defeats the purpose of
  renewing the certificate often

Therefore, let's remove this option. People wanting to keep the same
key can set extraLegoRenewFlags to `[ --reuse-key ]` to keep the
previous behavior. Alternatively, we could put this as an option whose
default value is true.

Diffstat (limited to 'nixos/modules/security/acme.nix')
-rw-r--r-- | nixos/modules/security/acme.nix | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix index eb3599b924d7..c0250171109f 100644 --- a/nixos/modules/security/acme.nix +++ b/nixos/modules/security/acme.nix @@ -152,7 +152,7 @@ let ); renewOpts = escapeShellArgs ( commonOpts - ++ [ "renew" "--reuse-key" ] + ++ [ "renew" ] ++ optionals data.ocspMustStaple [ "--must-staple" ] ++ data.extraLegoRenewFlags ); |
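Review bot: Dropping "--reuse-key" from the `renewOpts` list changes the default for every existing certificate on its next renewal, and nothing in the visible lines tells users that the key will now rotate. Setups that depend on a stable key will only find out at renewal time, so unless it is covered elsewhere in the commit, this wants a release-note entry that names the opt-out. Because `data.extraLegoRenewFlags` is still appended after `[ "renew" ]`, the flag can be passed back that way, as the commit message says; the description of `extraLegoRenewFlags` would be a good place to give `--reuse-key` as an example, with the value written as a quoted Nix string so it can be copied directly.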