SSL/TLS Certificates with ACME
NixOS supports automatic domain validation & certificate retrieval and
- renewal using the ACME protocol. This is currently only implemented by and
- for Let's Encrypt. The alternative ACME client lego is
- used under the hood.
+ renewal using the ACME protocol. Any provider can be used, but by default
+ NixOS uses Let's Encrypt. The alternative ACME client lego
+ is used under the hood.
Automatic cert validation and configuration for Apache and Nginx virtual
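Review bot: "Any provider can be used" reads as if any certificate vendor works; what the module actually accepts is any ACME-compatible CA endpoint, so "Any ACME server can be used, but by default NixOS uses Let's Encrypt" would be more precise and matches the "ACME servers" wording used later in this patch.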
@@ -36,6 +36,13 @@
and cannot be used to administer the certificates in any way.
+
+ Alternatively, you can use a different ACME server by changing the
+ option
+ to a provider of your choosing, or just change the server for one cert with
+ .
+
+
You will need an HTTP server or DNS server for verification. For HTTP,
the server must have a webroot defined that can serve
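Review bot: the option names this paragraph hinges on are missing from the text as shown ("by changing the option to a provider of your choosing" and "for one cert with ."), so the reader is not told which setting to change; spell out the global server option and the per-certificate one (presumably `security.acme.server` and `security.acme.certs.<name>.server`), and since the value is the directory URL of the CA that will issue the certificates, state that it must be an https:// URL pointing at a server the operator trusts. The two empty added lines at the end of the hunk are trailing-whitespace noise and can be dropped.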
@@ -60,7 +67,7 @@
= true;
= "admin+acme@example.com";
services.nginx = {
- enable = true;
+ enable = true;
virtualHosts = {
"foo.example.com" = {
forceSSL = true;
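Review bot: the only change in this hunk is the indentation of `enable = true;`, which is unrelated to the ACME server change this patch is about; drop it or move it to a separate formatting commit so the diff stays reviewable.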
@@ -109,7 +116,7 @@ services.nginx = {
= true;
= "admin+acme@example.com";
services.nginx = {
- enable = true;
+ enable = true;
virtualHosts = {
"acmechallenge.example.com" = {
# Catchall vhost, will redirect users to HTTPS for all vhosts
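Review bot: same whitespace-only change to `enable = true;` as in the previous hunk; it belongs in a separate formatting commit.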
@@ -179,7 +186,7 @@ services.httpd = {
This is useful if you want to generate a wildcard certificate, since
- Let's Encrypt will only hand out wildcard certs over DNS validation.
+ ACME servers will only hand out wildcard certs over DNS validation.
There a number of supported DNS providers and servers you can utilise,
see the lego docs
for provider/server specific configuration values. For the sake of these
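Review bot: "ACME servers will only hand out wildcard certs over DNS validation" presents a CA policy as a property of the protocol. For publicly trusted CAs this follows from the Baseline Requirements, which do not permit HTTP-based validation for wildcard names, but a private ACME CA is free to behave differently; suggest "publicly trusted ACME CAs such as Let's Encrypt will only hand out wildcard certs over DNS validation". The unchanged context line "There a number of supported DNS providers" is missing "are".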
@@ -190,7 +197,7 @@ services.httpd = {
services.bind = {
enable = true;
extraConfig = ''
- include "/var/secrets/dnskeys.conf";
+ include "/var/lib/secrets/dnskeys.conf";
'';
zones = [
rec {
@@ -208,7 +215,7 @@ services.bind = {
."example.com" = {
domain = "*.example.com";
dnsProvider = "rfc2136";
- credentialsFile = "/var/secrets/certs.secret";
+ credentialsFile = "/var/lib/secrets/certs.secret";
# We don't need to wait for propagation since this is a local DNS server
dnsPropagationCheck = false;
};
@@ -221,27 +228,27 @@ services.bind = {
-mkdir -p /var/secrets
-tsig-keygen rfc2136key.example.com > /var/secrets/dnskeys.conf
-chown named:root /var/secrets/dnskeys.conf
-chmod 400 /var/secrets/dnskeys.conf
+mkdir -p /var/lib/secrets
+tsig-keygen rfc2136key.example.com > /var/lib/secrets/dnskeys.conf
+chown named:root /var/lib/secrets/dnskeys.conf
+chmod 400 /var/lib/secrets/dnskeys.conf
# Copy the secret value from the dnskeys.conf, and put it in
# RFC2136_TSIG_SECRET below
-cat > /var/secrets/certs.secret << EOF
+cat > /var/lib/secrets/certs.secret << EOF
RFC2136_NAMESERVER='127.0.0.1:53'
RFC2136_TSIG_ALGORITHM='hmac-sha256.'
RFC2136_TSIG_KEY='rfc2136key.example.com'
RFC2136_TSIG_SECRET='your secret key'
EOF
-chmod 400 /var/secrets/certs.secret
+chmod 400 /var/lib/secrets/certs.secret
Now you're all set to generate certs! You should monitor the first invokation
by running systemctl start acme-example.com.service &
- journalctl -fu acme-example.com.service and watching for errors.
+ journalctl -fu acme-example.com.service and watching its log output.
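Review bot: `tsig-keygen ... > /var/lib/secrets/dnskeys.conf` and `cat > /var/lib/secrets/certs.secret << EOF` create the files with the shell's default umask (typically 0644) and only tighten them with the `chmod 400` that follows, so the TSIG secret is readable by every local user in between, and the `'your secret key'` placeholder has to be edited by hand during that window; run the sequence under `umask 077` (or write the files with `install -m 400`) so they are never created readable. The snippet chowns dnskeys.conf to `named:root` but leaves certs.secret owned by root with mode 400, so it should state which user the acme service runs as and that certs.secret must be readable by it. In the context line, "invokation" should be "invocation".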