nixos/acme: more 20.03 release notes updates #87911
Conversation
sync fork
- add a note about account-rate-limits - add a note about ec384-certificates as default
| have consequences if you embed your public key in apps. | ||
| </para> | ||
| <para> | ||
| A separate Let's-Encyrpt-account is registered for each distinctive |
There was a problem hiding this comment.
| A separate Let's-Encyrpt-account is registered for each distinctive | |
| A separate Let's-Encrypt-account is registered for each distinctive |
There was a problem hiding this comment.
Also, the rest of the changelog/documentation seems to be pretty Let's-Encrypt unspecific - the module uses the ACME protocol, and Let's-Encrypt is the default provider. I'd propose to reword this to match this style.
| <para> | ||
| A separate Let's-Encyrpt-account is registered for each distinctive | ||
| <literal>security.acme.email</literal>/<literal>security.acme.certs.<name>.email</literal>. | ||
| If you have several certificates, this may trigger Let's-Encrypt account rate limits during the update |
| A separate Let's-Encyrpt-account is registered for each distinctive | ||
| <literal>security.acme.email</literal>/<literal>security.acme.certs.<name>.email</literal>. | ||
| If you have several certificates, this may trigger Let's-Encrypt account rate limits during the update | ||
| (currently max. 10 accounts each 3h). To prevent this, you can use the same email-address for all your |
| certificates. | ||
| </para> | ||
| </listitem> | ||
| <listitem><para>By default, now "ec384"-certificates are created instead of rsa-certificates. |
There was a problem hiding this comment.
| <listitem><para>By default, now "ec384"-certificates are created instead of rsa-certificates. | |
| <listitem><para>By default, now "ec384"-certificates are created instead of RSA certificates. |
| </para> | ||
| </listitem> | ||
| <listitem><para>By default, now "ec384"-certificates are created instead of rsa-certificates. | ||
| You may want to change this by setting <literal>security.acme.certs.<name>.keyType</literal> |
There was a problem hiding this comment.
This should be a link referring to the option specified here.
| </listitem> | ||
| <listitem><para>By default, now "ec384"-certificates are created instead of rsa-certificates. | ||
| You may want to change this by setting <literal>security.acme.certs.<name>.keyType</literal> | ||
| back to e.g. <literal>rsa4096</literal>, especially if you are using the certificate for a mailserver. |
There was a problem hiding this comment.
Can you elaborate a bit on this? Why do my mailservers need different certificates?
There was a problem hiding this comment.
For interoperatbility, mailservers need RSA certificates.
There are several mailservers out there, which do not yet support ec384-certificates. Now, if you use ec384-certificates, these mailservers cannot send mail to you and send bounce-messages back to the sender (even if encryption is optional in your mailserver). So, if you do this, you will lose mails, cause bounces and be unsubscribed from mailinglists.
So, for a mailserver, you must have an RSA certificate.
See also: http://postfix.1071664.n5.nabble.com/TLS-problem-no-shared-cipher-tp105970p105979.html
There was a problem hiding this comment.
Thanks to the explanation! We should add a small part of it to the security.acme.certs.<name>.keyType option, WDYT?
There was a problem hiding this comment.
Note that on master (but not 20.03) the default key type is ec256 instead; see #83121 (comment).
There was a problem hiding this comment.
We backported the change to use ec256 to 20.03 as well, as that's what lego will default to in their next version: go-acme/lego#1091
|
cc @NixOS/acme for the content. |
flokli
added
the
9.needs: port to stable
flokli
changed the title
|
Content is fine LGTM! |
|
@rkoe can you address the proposed changes? |
|
I marked this as stale due to inactivity. → More info |
stale
bot
added
the
2.status: stale
Motivation for this change
Failures during 20.03 upgrade.
Things done
sandboxinnix.confon non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"./result/bin/)nix path-info -Sbefore and after)