Nixpkgs: nixos/acme: force-renewing certificates is unreasonably difficult

Created on 3 Mar 2020 · 7 comments · Source: NixOS/nixpkgs

Right now, the only way I've found that works is to set validMinDays = 999; to force the renewal. This wouldn't matter so much (it's usually only necessary if you e.g. tweak certificate options like OCSP Must-Staple) if not for the fact that Let's Encrypt screwed up and now a bunch of people have to do it by tomorrow, which they won't. Oops.

I'm filing this as an issue rather than a PR in part because I'm not really sure what a good interface would be here; the best thing I can imagine is something like nix run -f '<nixpkgs/nixos>' something -c force-renew-certs, which seems weird. Does anyone know of prior precedent for interfaces here?

cc @aanderse @arianvp @m1cr0man @yegortimoshenko

If you just want to know how to force-renew your certificates this time

Add security.acme.validMinDays = 999; to your configuration and run a nixos-rebuild switch. This may or may not automatically renew the certificate depending on your nixpkgs version; to make sure, do systemctl start 'acme-*.service'. Make sure to remove the validMinDays option and run nixos-rebuild switch again afterwards, or you'll hammer the Let's Encrypt servers for a renewal every day!

Labels: bug, stale, nixos

All 7 comments

(maybe systemctl start acme-force-renew? But that feels like a hack.)

Interface/implementation sketch, after discussing with @yegortimoshenko: acme-force-renew-${domain}.service omits the validMinDays option handling so that lego always renews the certificate. We could then also hook things up so that it automatically runs when options like ocspMustStaple are changed.

This would require some reorganization in the acme module to avoid duplicating the service logic, so it would probably be a good idea to clean it up at the same time. I'll try and get around to doing it if nobody else does, but don't want to block anyone who feels like taking it on themselves.

Would also be a good idea to check for revocation with OCSP on the timer and do a force-renewal if so; this would mitigate the impact of future mass revocations in that the certificate would only be invalid for a day or so.

There's another issue related to this: if you add an extraDomain (e.g., you just added a CNAME for the server), the acme service doesn't seem to notice the change, and it won't automatically renew as it should.

Changing the ACME server endpoint is also a scenario leading to a forced reload, due to acme not noticing the change.
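The two problems in this thread are really one decision: the renewal timer only compares remaining validity against validMinDays (which is why 999 forces a renewal, and why leaving it set renews every single day), and it never compares the certificate on disk against the configuration (which is why an added extraDomain or a toggled ocspMustStaple goes unnoticed). The script below is an added illustration, not code from nixpkgs or lego: it models a certificate as the few fields a timer would read from it (constructed sample values, no real certificate is parsed) and shows a renewal check that covers both cases, plus a small simulation of what a daily timer does under validMinDays = 999 versus 30. Function names and the cert fields are assumptions for this example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: the fields a renewal check would read from the current
# certificate on disk (expiry, subjectAltName entries, Must-Staple flag).
SAMPLE_CERT = {
    "not_after": datetime(2020, 5, 1, tzinfo=timezone.utc),
    "sans": frozenset({"example.org", "www.example.org"}),
    "must_staple": False,
}

# Constructed "today" for the examples: the day this issue was filed.
NOW = datetime(2020, 3, 3, tzinfo=timezone.utc)


def days_remaining(not_after, now):
    """Validity left on the certificate, in (fractional) days."""
    return (not_after - now) / timedelta(days=1)


def renewal_reason(cert, wanted_domains, wanted_must_staple, valid_min_days, now):
    """Return why the certificate should be renewed, or None if it is still fine.

    The first check is the only one the timer in the thread performs: renew when
    fewer than valid_min_days of validity remain (this is the threshold that
    validMinDays feeds to lego). The other two checks are the comparisons the
    thread says the module did not make: a domain missing from the SANs (added
    extraDomain) or a Must-Staple mismatch (changed ocspMustStaple). With them,
    a configuration change triggers a renewal on its own, without the
    validMinDays = 999 trick.
    """
    if days_remaining(cert["not_after"], now) < valid_min_days:
        return "expiry-threshold"
    missing = frozenset(wanted_domains) - cert["sans"]
    if missing:
        return "missing-san:" + ",".join(sorted(missing))
    if cert["must_staple"] != wanted_must_staple:
        return "must-staple-changed"
    return None


def simulate_daily_timer(valid_min_days, days=90, lifetime_days=90):
    """Count how many renewals a daily timer performs over `days` days.

    Starts from a freshly issued certificate with `lifetime_days` of validity
    (90, as Let's Encrypt issues) and renews whenever the expiry-threshold
    check fires, which is exactly what leaving validMinDays = 999 in the
    configuration does every day.
    """
    now = NOW
    not_after = now + timedelta(days=lifetime_days)
    renewals = 0
    for d in range(days):
        today = now + timedelta(days=d)
        if days_remaining(not_after, today) < valid_min_days:
            renewals += 1
            not_after = today + timedelta(days=lifetime_days)
    return renewals


if __name__ == "__main__":
    wanted = ["example.org", "www.example.org"]
    print("normal threshold:", renewal_reason(SAMPLE_CERT, wanted, False, 30, NOW))
    print("validMinDays=999:", renewal_reason(SAMPLE_CERT, wanted, False, 999, NOW))
    print("added extraDomain:",
          renewal_reason(SAMPLE_CERT, wanted + ["mail.example.org"], False, 30, NOW))
    print("ocspMustStaple on:", renewal_reason(SAMPLE_CERT, wanted, True, 30, NOW))
    print("renewals in 90 days, validMinDays=30: ", simulate_daily_timer(30))
    print("renewals in 90 days, validMinDays=999:", simulate_daily_timer(999))
```

The simulation makes the warning in the issue body concrete: with validMinDays = 30 a 90-day certificate is renewed once in 90 days, with 999 it is renewed on every timer run, which is the daily hammering of the Let's Encrypt endpoint the author warns about. In a real module the SAN and Must-Staple fields would be read from the PEM file (for instance with openssl x509 -noout -ext subjectAltName) before calling the check.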

I marked this as stale due to inactivity.

This issue is effectively solved now. With #91121, you can run systemctl clean acme-$domain.service to clear all certificates, and the next start of the service will acquire new ones. It is also documented in the manual too: https://nixos.org/manual/nixos/stable/index.html#module-security-acme-regenerate
