Security.acme defaults to minica instead of lego with Cloudflare DNS on NixOS 25.11

Hello,

I recently upgraded from NixOS 24.11 to 25.11 (system.stateVersion = "25.11") and am now unable to get a Let's Encrypt certificate via the Cloudflare DNS provider. The security.acme service persistently defaults to using minica to generate a self-signed certificate, ignoring the dnsProvider configuration.

This leads to “Invalid SSL certificate” errors when Cloudflare’s SSL/TLS mode is set to “Full (Strict)”.

Relevant configuration.nix:

{ config, pkgs, ... }: {
  system.stateVersion = "25.11";

  # Nginx: serve the vhost with the certificate issued for example.cc
  services.nginx.virtualHosts."example.cc" = {
    forceSSL = true;
    useACMEHost = "example.cc";
    # ...
  };

  # ACME: DNS-01 challenge through lego's cloudflare provider
  security.acme = {
    acceptTerms = true;
    defaults.email = "example@gmail.com";

    certs."example.cc" = {
      domain = "example.cc";
      dnsProvider = "cloudflare";
      credentialsFile = "/etc/nixos/secrets/cloudflare-acme";
      group = "nginx";
    };
  };
}

journalctl -u acme-example.cc.service logs:
The logs consistently show minica being executed, never lego:

Starting Ensure certificate for example.cc…
+ minica --ca-key ca/key.pem --ca-cert ca/cert.pem --domains example.cc
…
Finished Ensure certificate for example.cc.

What has been tried:

  • Confirmed credentialsFile path is correct.
  • Confirmed the secret file at /etc/nixos/secrets/cloudflare-acme has the correct format (CLOUDFLARE_DNS_API_TOKEN="…").
  • Confirmed the secret file has secure permissions (640, owned by root:users).
  • The Cloudflare API Token has Zone:DNS:Edit permissions for the correct zone.
  • This exact setup was working on NixOS 24.11.

It seems the security.acme module on 25.11 is not respecting the dnsProvider attribute. Is this a known bug, or is there a new, required option to force the lego backend?

Thank you

The minica certificate is a placeholder certificate which is replaced by security.acme with the valid certificate. It’s likely your certificate request is failing. Check your logs, and especially acme-order-renew-<cert>.service


system.stateVersion = "25.11"

Separately, just checking you didn’t change that when you upgraded? You should never change stateVersion (you’ll find a lot of posts here that go into this).


To be more specific: stateVersion has nothing to do with your NixOS version, so never touch it. You only touch your flake inputs or channels or whatever you use to fetch nixpkgs.

Not related to your issue though. The certToConfig function (nixpkgs/nixos/modules/security/acme/default.nix at 09eb77e94fa25202af8f3e81ddc7353d9970ac1b, NixOS/nixpkgs on GitHub) generates self-signed certs using minica then performs ordering/renewal via lego. There was a huge refactor in https://github.com/NixOS/nixpkgs/pull/422076 that removed the preliminarySelfsigned option which is probably what changed from before.

But you’re also looking at the wrong service - acme-${cert}.service is the prelim self-signed cert service, while acme-order-renew-${cert}.service is what calls lego.

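The check the replies above describe, as an added example (not from the thread or from the nixpkgs module): tell a minica placeholder apart from a real Let's Encrypt certificate by its issuer, and point at the journal of the unit that actually runs lego. It assumes certificates live under /var/lib/acme/<name>/ and that the placeholder CA's issuer DN contains "minica".

```shell
#!/usr/bin/env bash
# Diagnose a NixOS security.acme certificate: is the live cert still the
# minica placeholder, and if so, which systemd unit holds the lego output?
# Assumptions (not from the thread): certs are stored under
# /var/lib/acme/<name>/cert.pem and the placeholder issuer contains "minica".
set -eu

# Classify an issuer DN as printed by `openssl x509 -noout -issuer`.
# Prints "placeholder", "letsencrypt" or "other".
classify_issuer() {
  case "$1" in
    *[Mm]inica*)        echo placeholder ;;
    *"Let's Encrypt"*)  echo letsencrypt ;;
    *)                  echo other ;;
  esac
}

# Given a cert name (e.g. example.cc), report which unit to inspect.
# Returns 1 while the placeholder is still in place.
acme_diagnose() {
  name="$1"
  pem="/var/lib/acme/${name}/cert.pem"
  [ -r "$pem" ] || { echo "no certificate at $pem"; return 2; }
  issuer=$(openssl x509 -in "$pem" -noout -issuer)
  echo "issuer: $issuer"
  case "$(classify_issuer "$issuer")" in
    placeholder)
      # acme-<name>.service only runs minica; the order lives elsewhere.
      echo "Still the minica placeholder from acme-${name}.service."
      echo "The real order is done by acme-order-renew-${name}.service:"
      journalctl -u "acme-order-renew-${name}.service" --no-pager -n 50
      return 1 ;;
    letsencrypt)
      echo "Issued by Let's Encrypt; Cloudflare Full (Strict) should accept it." ;;
    *)
      echo "Unexpected issuer; check acme-${name}.service and acme-order-renew-${name}.service." ;;
  esac
}

# Usage: acme_diagnose example.cc
```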

We really should have gone with hashing that string. Well, at least people aren’t setting it to unstable anymore.

I set it up on a completely new PC, and I didn't check which version was stated in the original file…
Set it back to 24.11. Thanks for clarifying.

This helped a lot.
Thx

On a new PC you can set it to whatever. Actually you probably should’ve just left it at 25.11 since you already set it. If you say you “upgraded” NixOS, we’re going to assume you’re referring to the same machine not a new one.

Yeah, my bad for the misleading wording by not specifying that I switched to a new PC.