New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
nixos/acme: more 20.03 release notes updates #87911
Conversation
sync fork
- add a note about account-rate-limits - add a note about ec384-certificates as default
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Some notes. Also, please rebase the commit on top of master, squash it to one commit, and update the PR title to comething matching CONTRIBUTING.md
.
have consequences if you embed your public key in apps. | ||
</para> | ||
<para> | ||
A separate Let's-Encyrpt-account is registered for each distinctive |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A separate Let's-Encyrpt-account is registered for each distinctive | |
A separate Let's-Encrypt-account is registered for each distinctive |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also, the rest of the changelog/documentation seems to be pretty Let's-Encrypt
unspecific - the module uses the ACME protocol, and Let's-Encrypt is the default provider. I'd propose to reword this to match this style.
<para> | ||
A separate Let's-Encyrpt-account is registered for each distinctive | ||
<literal>security.acme.email</literal>/<literal>security.acme.certs.<name>.email</literal>. | ||
If you have several certificates, this may trigger Let's-Encrypt account rate limits during the update |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ACME here, too.
A separate Let's-Encyrpt-account is registered for each distinctive | ||
<literal>security.acme.email</literal>/<literal>security.acme.certs.<name>.email</literal>. | ||
If you have several certificates, this may trigger Let's-Encrypt account rate limits during the update | ||
(currently max. 10 accounts each 3h). To prevent this, you can use the same email-address for all your |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
email address
certificates. | ||
</para> | ||
</listitem> | ||
<listitem><para>By default, now "ec384"-certificates are created instead of rsa-certificates. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
<listitem><para>By default, now "ec384"-certificates are created instead of rsa-certificates. | |
<listitem><para>By default, now "ec384"-certificates are created instead of RSA certificates. |
</para> | ||
</listitem> | ||
<listitem><para>By default, now "ec384"-certificates are created instead of rsa-certificates. | ||
You may want to change this by setting <literal>security.acme.certs.<name>.keyType</literal> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should be a link referring to the option specified here.
</listitem> | ||
<listitem><para>By default, now "ec384"-certificates are created instead of rsa-certificates. | ||
You may want to change this by setting <literal>security.acme.certs.<name>.keyType</literal> | ||
back to e.g. <literal>rsa4096</literal>, especially if you are using the certificate for a mailserver. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you elaborate a bit on this? Why do my mailservers need different certificates?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For interoperatbility, mailservers need RSA certificates.
There are several mailservers out there, which do not yet support ec384-certificates. Now, if you use ec384-certificates, these mailservers cannot send mail to you and send bounce-messages back to the sender (even if encryption is optional in your mailserver). So, if you do this, you will lose mails, cause bounces and be unsubscribed from mailinglists.
So, for a mailserver, you must have an RSA certificate.
See also: http://postfix.1071664.n5.nabble.com/TLS-problem-no-shared-cipher-tp105970p105979.html
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks to the explanation! We should add a small part of it to the security.acme.certs.<name>.keyType
option, WDYT?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note that on master (but not 20.03) the default key type is ec256
instead; see #83121 (comment).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We backported the change to use ec256
to 20.03 as well, as that's what lego
will default to in their next version: go-acme/lego#1091
cc @NixOS/acme for the content. |
Content is fine LGTM! |
@rkoe can you address the proposed changes? |
I marked this as stale due to inactivity. → More info |
Motivation for this change
Failures during 20.03 upgrade.
Things done
sandbox
innix.conf
on non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
./result/bin/
)nix path-info -S
before and after)