path: root/nixos/modules/security/acme.nix
authorVincent Bernat <vincent@bernat.ch>2021-05-30 13:12:32 +0200
committerMartin Weinelt <hexa@darmstadt.ccc.de>2021-06-01 00:43:45 +0200
commit632c8e1d54e299f656aa677f25552e1127f12849 (patch)
tree01c62b715b94760ea2ef9b8f3199bfcaa32237b2 /nixos/modules/security/acme.nix
parent774fe1878b045411e6bdd0dd90d8581e82b10993 (diff)
nixos/acme: don't use --reuse-key
Reusing the same private/public key on renewal has two issues:
- some providers refuse to sign the same public key again (Buypass Go SSL)
- keeping the same private key forever partly defeats the purpose of renewing the certificate often
Therefore, let's remove this option. People wanting to keep the same key can set extraLegoRenewFlags to `[ "--reuse-key" ]` to keep the previous behavior. Alternatively, we could make this an option whose default value is true.
Diffstat (limited to 'nixos/modules/security/acme.nix')
-rw-r--r--nixos/modules/security/acme.nix2
1 files changed, 1 insertions, 1 deletions
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
index eb3599b924d7..c0250171109f 100644
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -152,7 +152,7 @@ let
);
renewOpts = escapeShellArgs (
commonOpts
- ++ [ "renew" "--reuse-key" ]
+ ++ [ "renew" ]
++ optionals data.ocspMustStaple [ "--must-staple" ]
++ data.extraLegoRenewFlags
);
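Review bot: Dropping `--reuse-key` on the new `++ [ "renew" ]` line silently changes the renewal behaviour for any deployment that depends on a stable key, such as DANE/TLSA records published over the SubjectPublicKeyInfo or application-level key pinning, and nothing in the hunk or the `extraLegoRenewFlags` option (whose definition lies outside this hunk) tells those users what changed. Rotating the key on every renewal is the right default from a key-exposure standpoint, so the point is documentation rather than code: I would add a comment above `renewOpts`, `# The key pair is regenerated on each renewal; deployments that need a stable public key (e.g. DANE TLSA, pinning) must pass "--reuse-key" via extraLegoRenewFlags.`, and mention the same in the `extraLegoRenewFlags` option description and in the release notes, since existing hosts will start rotating keys on their next timer-driven renewal without any configuration change. The enclosing `let` block starts before this hunk.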