nixos/acme: don't use --reuse-key

Reusing the same private/public key on renewal has two issues: - some providers don't accept to sign the same public key again (Buypass Go SSL) - keeping the same private key forever partly defeats the purpose of renewing the certificate often Therefore, let's remove this option. People wanting to keep the same key can set extraLegoRenewFlags to `[ --reuse-key ]` to keep the previous behavior. Alternatively, we could put this as an option whose default value is true. (cherry picked from commit 632c8e1)
NixOS · May 31, 2021 · cbe0e66 · cbe0e66
1 parent 75f90ee
commit cbe0e66
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 1 deletion.
diff --git a/nixos/doc/manual/release-notes/rl-2105.xml b/nixos/doc/manual/release-notes/rl-2105.xml
@@ -795,6 +795,16 @@ environment.systemPackages = [
      the deprecated <option>services.radicale.config</option> is used.
     </para>
    </listitem>
+   <listitem>
+    <para>
+     In the <option>security.acme</option> module, use of <literal>--reuse-key</literal>
+     parameter  for Lego has been removed. It was introduced for HKPK, but this security
+     feature is now deprecated. It is a better security practice to rotate key pairs
+     instead of always keeping the same. If you need to keep this parameter, you can add
+     it back using <literal>extraLegoRenewFlags</literal> as an option for the
+     appropriate certificate.
+    </para>
+   </listitem>
   </itemizedlist>
  </section>
 

diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
@@ -152,7 +152,7 @@ let
     );
     renewOpts = escapeShellArgs (
       commonOpts
-      ++ [ "renew" "--reuse-key" ]
+      ++ [ "renew" ]
       ++ optionals data.ocspMustStaple [ "--must-staple" ]
       ++ data.extraLegoRenewFlags
     );