How to use security.acme.certs and useACMEHost correctly?

I want to use one domain and its subdomain across multiple machines; therefore, I want to use useACMEHost instead of simply using enableACME for nginx.virtualHosts.

This is my config:

    ({ pkgs, config, lib, ... }: {
      security.acme.certs.${secret.hostname.acme} = {
        webroot = "/var/lib/acme/acme-challenge/";
        email = "hugosum.dev@protonmail.com";
        extraDomainNames = [ secret.hostname.pwd ];
      };

      services.nginx.virtualHosts.${secret.hostname.pwd} = {
        forceSSL = true;
        # enableACME = true;
        useACMEHost = secret.hostname.acme;
        locations."/" = {
          proxyPass = "http://localhost:30625";
          proxyWebsockets = true;
        };
      };
    })

And I am getting the following error:

    warning: the following units failed: acme-acme.<domain>.service

    × acme-acme.<domain>.service - Renew ACME certificate for acme.<domain>
         Loaded: loaded (/etc/systemd/system/acme-acme.<domain>.service; enabled; vendor preset: enabled)
         Active: failed (Result: exit-code) since Wed 2022-01-19 20:07:04 GMT; 128ms ago
    TriggeredBy: ● acme-acme.<domain>.timer
        Process: 106067 ExecStart=/nix/store/1i9shd53jxbbhb5arbygp0fz2cnm8sw9-unit-script-acme-acme.<domain>-start/bin/acme-acme.<domain>-start (code=exited, status=1/FAILURE)
       Main PID: 106067 (code=exited, status=1/FAILURE)
             IP: 23.1K in, 9.8K out
            CPU: 311ms

    Jan 19 20:06:58 nixos acme-acme.<domain>-start[106073]: 2022/01/19 20:06:58 [INFO] [pwd.<domain>] acme: use http-01 solver
    Jan 19 20:06:58 nixos acme-acme.<domain>-start[106073]: 2022/01/19 20:06:58 [INFO] [pwd.<domain>] acme: Trying to solve HTTP-01
    Jan 19 20:07:03 nixos acme-acme.<domain>-start[106073]: 2022/01/19 20:07:03 [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/69925534840
    Jan 19 20:07:03 nixos acme-acme.<domain>-start[106073]: 2022/01/19 20:07:03 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/69927880000
    Jan 19 20:07:04 nixos acme-acme.<domain>-start[106073]: 2022/01/19 20:07:04 error: one or more domains had a problem:
    Jan 19 20:07:04 nixos acme-acme.<domain>-start[106073]: [pwd.<domain>] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://pwd.<domain>/.well-known/acme-challenge/SFAa2SVK4S1RwAERt2J2zSXsQ9oXSqJIFh1A6kadMUI: Connection refused
    Jan 19 20:07:04 nixos systemd[1]: acme-acme.<domain>.service: Main process exited, code=exited, status=1/FAILURE
    Jan 19 20:07:04 nixos systemd[1]: acme-acme.<domain>.service: Failed with result 'exit-code'.
    Jan 19 20:07:04 nixos systemd[1]: Failed to start Renew ACME certificate for acme.<domain>.
    Jan 19 20:07:04 nixos systemd[1]: acme-acme.<domain>.service: Consumed 311ms CPU time, received 23.0K IP traffic, sent 9.8K IP traffic.

Right now, secret.hostname.acme will be interpolated to acme.<domain>, and secret.hostname.pwd will be interpolated to pwd.<domain>. Will that be the source of the issue? Should I just use <domain> to generate the cert?