Reuse Let's Encrypt/ACME certificate for multiple services with lego

On NixOS unstable, I create a certificate with nginx

services.nginx.virtualHosts."example.com".enableACME = true;

Now I’d like to use the same certificate for example in murmur, by

services.murmur = {
  enable = true;
  sslKey = "${config.security.acme.certs."example.com".directory}/key.pem";
  sslCert = "${config.security.acme.certs."example.com".directory}/fullchain.pem";
};

But this will not work, because the permissions on the folder /var/lib/acme/example.com are 600.

I guess I could use the allowKeysForGroup = examplecomacme option. But how do I add the user that runs the service to the group examplecomacme?

So to summarize: How do I use an ACME managed certificate in multiple services that run under different users with lego?

There are multiple ways. You can either use users.groups.<name?>.members or users.users.<name?>.extraGroups. In the first one, you specify the groupname and in the second one the username.

Besides that, allowKeysForGroup = true and the group = "groupname" setting are the way to go.
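Putting the two pieces of the reply together, here is a complete configuration as an added example (not code from the thread or from the nixpkgs acme module itself). It assumes the murmur service runs as the system user "murmur" and that its systemd unit is murmur.service; the ACME e-mail address is a placeholder. nginx obtains the certificate, and murmur reads the same files through a dedicated group instead of the key being made world-readable:

```nix
# Added example: share one ACME certificate between nginx and murmur.
{ config, ... }:

let
  # Directory where the acme module stores key.pem / fullchain.pem.
  certDir = config.security.acme.certs."example.com".directory;
in
{
  # Required since NixOS 20.03; the address is a constructed placeholder.
  security.acme.acceptTerms = true;
  security.acme.email = "admin@example.com";

  # nginx requests and renews the certificate for the domain.
  services.nginx.virtualHosts."example.com" = {
    enableACME = true;
    forceSSL = true;
  };

  # Make the key and chain readable by a dedicated group (least privilege:
  # only members of this group can read key.pem, not every local user).
  security.acme.certs."example.com" = {
    group = "acmeexample";
    allowKeysForGroup = true;
    # Reload the consuming service after each renewal so it picks up the new key.
    postRun = "systemctl reload-or-restart murmur.service";
  };

  # Group membership, first form from the reply: name the members on the group.
  # ("murmur" is the assumed service user.)
  users.groups.acmeexample.members = [ "murmur" ];

  # Equivalent second form: add the group on the user instead.
  # users.users.murmur.extraGroups = [ "acmeexample" ];

  services.murmur = {
    enable = true;
    sslKey = "${certDir}/key.pem";
    sslCert = "${certDir}/fullchain.pem";
  };
}
```

Pick one of the two membership forms; both produce the same result. After switching, `id murmur` should list acmeexample, and `ls -l /var/lib/acme/example.com` should show the files owned by that group with no world-readable bits.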

Sorry, that’s what I meant.

Is this approach the way to go? Or do people create multiple certificates for one domain? Note that this also runs into permission trouble! Might be a bug in the acme module?

edit: Also, using nginx’s enableACME = true; is very useful, because it takes care of everything. But there is no way to specify allowKeysForGroup for that, or is there?

See https://github.com/NixOS/nixpkgs/issues/84633

Okay, thx. So something fishy is going on.

I’ve solved my issue with a config like this (at least for now, as a workaround; I’m absolutely not sure if this is a good way):

users.groups.acmeexample.members = [ "service1" "service2" ];

security.acme.certs."example.com" = {
  group = "acmeexample";
  allowKeysForGroup = true;
  postRun = "systemctl reload-or-restart service1; systemctl reload-or-restart service2";
};

services.nginx.virtualHosts."example.com".enableACME = true;

Right, yes, on 20.03 there are some issues.

I haven’t upgraded any of my systems that do ACME to the new release yet.
The API hasn’t changed though.

Your approach looks good to me. You probably don’t need to set user = nginx, if you’re using enableACME. And I would suggest reloading nginx, instead of restarting it.

Thanks for the tip! Wasn’t aware of the command. I’ve changed my post to systemctl reload-or-restart.

Is it actually needed to do that for nginx as well, when enableACME = true? With my noob eyes scanning the module I believe it is taken care of.