Home Explore Blog Models CI



nixpkgs
5th chunk of `nixos/modules/security/acme/default.md`
39fbd17a85f6c4f32c59508986f774a0b0a8c72f928a6b580000000100000da6
`LoadCredential` feature to resolve this elegantly.
Below is an example configuration for OpenSMTPD, but this pattern
can be applied to any service.

```nix
{
  # Configure ACME however you like (DNS or HTTP validation), adding
  # the following configuration for the relevant certificate.
  # Note: You cannot use `systemctl reload` here as that would mean
  # the LoadCredential configuration below would be skipped and
  # the service would continue to use old certificates.
  security.acme.certs."mail.example.com".postRun = ''
    systemctl restart opensmtpd
  '';

  # Now you must augment OpenSMTPD's systemd service to load
  # the certificate files.
  systemd.services.opensmtpd.requires = [ "acme-mail.example.com.service" ];
  systemd.services.opensmtpd.serviceConfig.LoadCredential =
    let
      certDir = config.security.acme.certs."mail.example.com".directory;
    in
    [
      "cert.pem:${certDir}/cert.pem"
      "key.pem:${certDir}/key.pem"
    ];

  # Finally, configure OpenSMTPD to use these certs.
  services.opensmtpd =
    let
      credsDir = "/run/credentials/opensmtpd.service";
    in
    {
      enable = true;
      setSendmail = false;
      serverConfiguration = ''
        pki mail.example.com cert "${credsDir}/cert.pem"
        pki mail.example.com key "${credsDir}/key.pem"
        listen on localhost tls pki mail.example.com
        action act1 relay host smtp://127.0.0.1:10027
        match for local action act1
      '';
    };
}
```

## Regenerating certificates {#module-security-acme-regenerate}

Should you need to regenerate a particular certificate in a hurry, such
as when a vulnerability is found in Let's Encrypt, there is now a convenient
mechanism for doing so. Running
`systemctl clean --what=state acme-example.com.service`
will remove all certificate files and the account data for the given domain,
allowing you to then `systemctl start acme-example.com.service`
to generate fresh ones.

## Fixing JWS Verification error {#module-security-acme-fix-jws}

It is possible that your account credentials file may become corrupt and need
to be regenerated. In this scenario lego will produce the error `JWS verification error`.
The solution is to simply delete the associated accounts file and
re-run the affected service(s).

```shell
# Find the accounts folder for the certificate
systemctl cat acme-example.com.service | grep -Po 'accounts/[^:]*'
export accountdir="$(!!)"
# Move this folder to some place else
mv /var/lib/acme/.lego/$accountdir{,.bak}
# Recreate the folder using systemd-tmpfiles
systemd-tmpfiles --create
# Get a new account and reissue certificates
# Note: Do this for all certs that share the same account email address
systemctl start acme-example.com.service
```

## Ensuring dependencies for services that need to be reloaded when a certificate challenges {#module-security-acme-reload-dependencies}

Services that depend on ACME certificates and need to be reloaded can use one of two approaches to reload upon successfull certificate acquisition or renewal:

1. **Using the `security.acme.certs.<name>.reloadServices` option**: This will cause `systemctl try-reload-or-restart` to be run for the listed services.

2. **Using a separate reload unit**: if you need perform more complex actions you can implement a separate reload unit but need to ensure that it lists the `acme-renew-<name>.service` unit both as `wantedBy` AND `after`. See the nginx module implementation with its `nginx-config-reload` service.
Title: NixOS ACME: Root-Owned Certs (OpenSMTPD Example), Certificate Regeneration, JWS Error Fix, and Service Reload Strategies
Summary
This chunk concludes the explanation of how to configure services requiring root-owned certificates with ACME, using OpenSMTPD as an example. It demonstrates how to use `systemd`'s `LoadCredential` to load ACME-managed certificates and then configure OpenSMTPD to use these credentials. It also covers how to manually regenerate a specific ACME certificate using `systemctl clean --what=state` and `systemctl start`. Additionally, it provides steps to fix a `JWS verification error` by identifying, moving, and recreating the ACME account directory. Finally, it outlines two methods for ensuring services reload or restart upon successful certificate acquisition or renewal: using the `security.acme.certs.<name>.reloadServices` option or implementing a separate, custom reload unit that depends on the `acme-renew-<name>.service`.