Reuse Let's Encrypt/ACME certificate for multiple services with lego

On NixOS unstable, I create a certificate with nginx

services.nginx.virtualHosts."".enableACME = true;

Now I’d like to use the same certificate for example in murmur, by

services.murmur = {
  enable = true;
  sslKey = "${"".directory}/key.pem";
  sslCert = "${"".directory}/fullchain.pem";

But this will not work, because the permission of the folder /var/lib/acme/ is 600.

I guess I could use the allowKeysForGroup = examplecomacme option. But how do I add the user that runs the service to a the group examplecomacme?

So to summarize: How do I use an ACME managed certificate in multiple services that run under different users with lego?

There are multiple ways. You can either use users.groups.<name?>.members or users.users.<name?>.extraGroups. In the first one, you specify the groupname and in the second one the username.

Besides that, allowKeysForGroup = true and the group = "groupname" setting are the way to go.

Sorry, that’s what I meant.

Is this approach the way to go? Or do people create multiple certificates for one domain? Note, that this also run into permission trouble! Might be a bug in the acme module?

edit: Also using nginx’s enableACME = true; is very usefull, because it takes care of everything. But there is no way to specify allowKeysForGroup for that, or is there?


Okay, thx. So something fishy is going on.

I’ve solved my issue by a config like that (at least for now as a workaround, I’m absolutely not sure, if this is a good way):

users.groups.acmeexample.members = [ "service1" "service2"];

security.acme.certs."" = {
  group = "acmeexample";
  allowKeysForGroup = true;
  postRun = "systemctl reload-or-restart service1; systemctl reload-or-restart service2";

service.nginx.virtualHosts."".enableACME = true;

Right, yes, on 20.03 there are some issues.

I haven’t upgraded any of my systems that do ACME to the new release yet.
The API hasn’t changed though.

Your approach looks good to me. You probably don’t need to set user = nginx, if you’re using enableACME. And I would suggest reloading nginx, instead of restarting it.

Thanks for the tip! Wasn’t aware of the command. I’ve changed my post to systemctl reload-or-restart.

Is it actually needed to do that for nginx as well, when enableACME = true? With my noob eyes scannig the module I believe it is taken care of.