diff options
Diffstat (limited to 'nixos/modules/security/acme.xml')
-rw-r--r-- | nixos/modules/security/acme.xml | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/nixos/modules/security/acme.xml b/nixos/modules/security/acme.xml index f24811291728..b34cbdafb2d3 100644 --- a/nixos/modules/security/acme.xml +++ b/nixos/modules/security/acme.xml @@ -162,6 +162,9 @@ services.httpd = { <xref linkend="opt-security.acme.certs"/>."foo.example.com" = { <link linkend="opt-security.acme.certs._name_.webroot">webroot</link> = "/var/lib/acme/.challenges"; <link linkend="opt-security.acme.certs._name_.email">email</link> = "foo@example.com"; + # Ensure that the web server you use can read the generated certs + # Take a look at the <link linkend="opt-services.nginx.group">group</link> option for the web server you choose. + <link linkend="opt-security.acme.certs._name_.group">group</link> = "nginx"; # Since we have a wildcard vhost to handle port 80, # we can generate certs for anything! # Just make sure your DNS resolves them. @@ -257,10 +260,11 @@ chmod 400 /var/lib/secrets/certs.secret <para> Should you need to regenerate a particular certificate in a hurry, such as when a vulnerability is found in Let's Encrypt, there is now a convenient - mechanism for doing so. Running <literal>systemctl clean acme-example.com.service</literal> - will remove all certificate files for the given domain, allowing you to then - <literal>systemctl start acme-example.com.service</literal> to generate fresh - ones. + mechanism for doing so. Running + <literal>systemctl clean --what=state acme-example.com.service</literal> + will remove all certificate files and the account data for the given domain, + allowing you to then <literal>systemctl start acme-example.com.service</literal> + to generate fresh ones. </para> </section> <section xml:id="module-security-acme-fix-jws"> |