Merge pull request #77578 from m1cr0man/master

Replace simp-le with lego and support DNS-01 challenge
2025-07-13 13:40:28 +03:00 · 2020-02-10 11:47:30 +01:00 · 2020-02-10 11:47:30 +01:00 · 4e0fea3fe2
commit 4e0fea3fe2
parent b2abf36467 75fa8027eb
6 changed files with 256 additions and 61 deletions
--- a/nixos/doc/manual/release-notes/rl-2003.xml
+++ b/nixos/doc/manual/release-notes/rl-2003.xml
@ -660,6 +660,21 @@ auth required pam_succeed_if.so uid >= 1000 quiet
       <literal>PRETTY_NAME</literal> in <literal>/etc/os-release</literal>
       now uses the short rather than full version string.
     </para>
+   </listitem>
+   <listitem>
+    <para>
+     The ACME module has switched from simp-le to <link xlink:href="https://github.com/go-acme/lego">lego</link>
+     which allows us to support DNS-01 challenges and wildcard certificates. The following options have been added:
+     <link linkend="opt-security.acme.acceptTerms">security.acme.acceptTerms</link>,
+     <link linkend="opt-security.acme.certs">security.acme.certs.&lt;name&gt;.dnsProvider</link>,
+     <link linkend="opt-security.acme.certs">security.acme.certs.&lt;name&gt;.credentialsFile</link>,
+     <link linkend="opt-security.acme.certs">security.acme.certs.&lt;name&gt;.dnsPropagationCheck</link>.
+     As well as this, the options <literal>security.acme.acceptTerms</literal> and either
+     <literal>security.acme.email</literal> or <literal>security.acme.certs.&lt;name&gt;.email</literal>
+     must be set in order to use the ACME module.
+     Certificates will be regenerated anew on the next renewal date. The credentials for simp-le are
+     preserved and thus it is possible to roll back to previous versions without breaking certificate
+     generation.
   </listitem>
    <listitem>
    <para>