NixOS/acme: Action required on unstable or 20.03 pre-release

This only applies if you have used the NixOS ACME client on NixOS unstable or on the 20.03 channel older than the 9th of April. In 20.03/unstable we switched from simp_le to lego.
In order to support multiple certificates with the same common name, as we did in 19.09, we had to change the directory lego puts its generated certificates in (acme: create certificates in subdirectory, NixOS/nixpkgs pull request #84781 by Mic92). If you want to keep your old TLS keys/certificates instead of regenerating them, apply the following NixOS configuration:

  { config, lib, ... }:
  {
    # One-off migration: copy the shared lego state into the per-certificate
    # directory lego now uses, but only while that directory does not exist yet,
    # so a later renewal is never overwritten by the old copy.
    systemd.services = lib.mapAttrs' (cert: data: {
      name = "acme-${cert}";
      value = {
        preStart = ''
          if [ -d /var/lib/acme/.lego/accounts ] && [ ! -d /var/lib/acme/.lego/${cert}/accounts ]; then
            cp -a /var/lib/acme/.lego/accounts /var/lib/acme/.lego/${cert}/accounts
          fi
          if [ -d /var/lib/acme/.lego/certificates ] && [ ! -d /var/lib/acme/.lego/${cert}/certificates ]; then
            mkdir -p /var/lib/acme/.lego/${cert}/certificates
            cp -a /var/lib/acme/.lego/certificates/${data.domain}.* /var/lib/acme/.lego/${cert}/certificates/
          fi
          chown -R ${data.user}:${data.group} /var/lib/acme/.lego/${cert}/
        '';
      };
    }) config.security.acme.certs;
  }

You can remove this code again once you have switched to this configuration and the data migration has been performed.
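The migration above, rehearsed as an added example (not code from the post or from the NixOS module) in plain POSIX sh against a constructed directory tree: `migrate_cert` mirrors the preStart logic, `make_fixture` builds the old shared layout, and `migrated_ok` checks that only the named domain's files moved and that the key kept its mode. The scratch root, the `example` cert name and the `example.com` domain are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or the NixOS module: the same
# copy-and-guard logic as the preStart snippet, rehearsed on a scratch tree.
# Assumptions: "$root" stands in for /var/lib/acme, "$cert" is the attribute
# name under security.acme.certs, and lego names its files "<domain>.*".
set -eu

# Copy shared account and certificate state into lego's per-cert directory,
# only when that directory is absent, so a renewed cert is never clobbered.
migrate_cert() {
  root=$1; cert=$2; domain=$3; lego="$root/.lego"
  mkdir -p "$lego/$cert"   # the scratch tree has no service to create this
  if [ -d "$lego/accounts" ] && [ ! -d "$lego/$cert/accounts" ]; then
    cp -a "$lego/accounts" "$lego/$cert/accounts"
  fi
  if [ -d "$lego/certificates" ] && [ ! -d "$lego/$cert/certificates" ]; then
    mkdir -p "$lego/$cert/certificates"
    cp -a "$lego/certificates/$domain".* "$lego/$cert/certificates/"
  fi
}

# Return 0 when the migrated tree holds the account, the cert and a key that
# kept mode 0600, and only this domain's two files were copied across.
migrated_ok() {
  root=$1; cert=$2; domain=$3; new="$root/.lego/$cert"
  [ -d "$new/accounts" ] || return 1
  [ -f "$new/certificates/$domain.crt" ] || return 1
  [ -n "$(find "$new/certificates/$domain.key" -perm 600)" ] || return 1
  set -- "$new/certificates"/*
  [ $# -eq 2 ] || return 1
}

# Constructed pre-migration layout: one ACME account, files for two domains.
make_fixture() {
  root=$1; acct="$root/.lego/accounts/acme-v02.api.letsencrypt.org/user@example.com"
  mkdir -p "$acct" "$root/.lego/certificates"
  echo '{}' > "$acct/account.json"
  for d in example.com other.example; do
    echo "cert-$d" > "$root/.lego/certificates/$d.crt"
    echo "key-$d"  > "$root/.lego/certificates/$d.key"
    chmod 600 "$root/.lego/certificates/$d.key"
  done
}

# Stand-alone demo on a throwaway tree; never touches /var/lib/acme.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d); make_fixture "$tmp"
  migrate_cert "$tmp" example example.com && migrated_ok "$tmp" example example.com
  find "$tmp/.lego/example" -type f; rm -rf "$tmp"
fi
```

A second run of `migrate_cert` is a no-op because the per-cert directory already exists, which is what makes the snippet safe to leave in place until you remove it.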
