How to manually trigger ACME renewal with `security.acme.*` options?

I have enabled security.acme.* with these options:

  security = {
    acme = {
      acceptTerms = true;
      useRoot = false;
      maxConcurrentRenewals = 5;
      defaults = {
        # server = "https://acme-staging-v02.api.letsencrypt.org/directory";
        server = "https://acme-v02.api.letsencrypt.org/directory";
        credentialFiles = {
          "CF_DNS_API_TOKEN_FILE" = config.sops.secrets."<omit>".path;
        };
        dnsPropagationCheck = true;
        dnsProvider = "cloudflare";
        email = "<omit>";
        enableDebugLogs = true;
        group = "acme";
        keyType = "ec256";
        ocspMustStaple = false;
        renewInterval = "daily";
        validMinDays = 30;
      };
      certs = {
        "sub.example.com" = {
          extraLegoFlags = [ ];
          extraLegoRunFlags = [ ];
          extraLegoRenewFlags = [ ];
          extraDomainNames = [
            "sub1.example.com"
            "sub2.example.com"
          ];
          group = "example";
          postRun = ''

          '';
          reloadServices = [ "example.service" ];
        };
      };
    };
  };

I initially tested with the LE staging environment and fixed issues with the DNS provider. I thought I had fixed it and switched to the LE production environment, but the issues persisted.

I think it’s fixed now, but since it already attempted to renew on the production LE instance, the trigger doesn’t appear to start again until the next security.acme.defaults.renewInterval.

How do I manually trigger this renewal? Does a manual renewal event impact the automated renewal events?

Talking with folks on #users:nixos.org, it can be manually triggered using systemd:

systemctl start acme-order-renew-<cert-name>.service

There does not appear to be any impact on the automated flow.
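A small checklist script for doing this by hand, added here as an example and not part of the original thread. It uses the unit name quoted above, assumes the certificate lives at /var/lib/acme/<cert-name>/cert.pem (an assumption, not stated in the thread) and that GNU date and openssl are installed, and compares the remaining validity against the validMinDays = 30 from the config so you can tell whether the daily timer would have renewed the certificate on its own anyway:

```bash
#!/usr/bin/env bash
# Added example (not from the thread): trigger one NixOS ACME renewal by hand and
# verify that the certificate on disk actually changed afterwards.
# Assumptions (not from the page): certs live under /var/lib/acme/<name>/cert.pem,
# GNU date and openssl are available, and the unit name is the one given in the thread.
set -eu

# Systemd unit that orders/renews a security.acme.certs.<name> entry (name as given in the thread).
acme_unit() {
  printf 'acme-order-renew-%s.service\n' "$1"
}

# Whole days of validity left, given an "openssl x509 -noout -enddate" line such as
# "notAfter=Jun 10 12:00:00 2025 GMT" and a reference time in epoch seconds.
days_left() {
  enddate_line="$1"
  now_epoch="$2"
  expiry=$(date -u -d "${enddate_line#notAfter=}" +%s)
  echo $(( (expiry - now_epoch) / 86400 ))
}

# Succeeds when fewer than validMinDays remain, i.e. when lego's renew step would
# consider the certificate due (30 days in the config above).
renewal_due() {
  enddate_line="$1"
  valid_min_days="$2"
  now_epoch="$3"
  [ "$(days_left "$enddate_line" "$now_epoch")" -lt "$valid_min_days" ]
}

# Operational part: only runs when a cert name is passed on the command line.
main() {
  name="$1"
  dir="/var/lib/acme/$name"
  now=$(date +%s)
  before=$(openssl x509 -noout -enddate -in "$dir/cert.pem")
  echo "before: $before ($(days_left "$before" "$now") days left)"
  if renewal_due "$before" 30 "$now"; then
    echo "below validMinDays: the daily timer would renew this on its next run anyway"
  fi
  sudo systemctl start "$(acme_unit "$name")"
  # The unit's log is where lego reports DNS propagation and ACME errors.
  sudo journalctl -u "$(acme_unit "$name")" --since '-10 min' --no-pager
  after=$(openssl x509 -noout -enddate -in "$dir/cert.pem")
  echo "after:  $after"
  if [ "$before" != "$after" ]; then
    echo "certificate renewed"
  else
    echo "certificate unchanged (check the journal output above)"
  fi
}

if [ "$#" -ge 1 ]; then
  main "$1"
fi
```

Run it as `./renew-check.sh sub.example.com`; comparing the notAfter line before and after is the quickest way to confirm the manual run actually produced a new certificate rather than exiting early because the existing one was still far from expiry.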
