From 76401c9a3b9525032958f10843090a6737abc91e Mon Sep 17 00:00:00 2001
From: Lucas Savva
Date: Fri, 23 Oct 2020 18:52:42 +0100
Subject: [PATCH] nixos/acme: lego run whenen account is missing
---
nixos/modules/security/acme.nix | 3 ++-
nixos/modules/security/acme.xml | 24 ++++++++++++++++++++++++
2 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
index 5732620f2908..3734a06c3fa4 100644
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -253,7 +253,8 @@ let
echo '${domainHash}' > domainhash.txt
# Check if we can renew
- if [ -e 'certificates/${keyName}.key' -a -e 'certificates/${keyName}.crt' ]; then
+ # Certificates and account credentials must exist
+ if [ -e 'certificates/${keyName}.key' -a -e 'certificates/${keyName}.crt' -a "$(ls -1 accounts)" ]; then
# When domains are updated, there's no need to do a full
# Lego run, but it's likely renew won't work if days is too low.
diff --git a/nixos/modules/security/acme.xml b/nixos/modules/security/acme.xml
index 17e94bc12fb2..517162d1a7bf 100644
--- a/nixos/modules/security/acme.xml
+++ b/nixos/modules/security/acme.xml
@@ -263,4 +263,28 @@ chmod 400 /var/lib/secrets/certs.secret
ones.
+
+ Fixing JWS Verification error
+
+
+ It is possible that your account credentials file may become corrupt and need
+ to be regnerated. In this scenario lego will produce the error JWS verification error.
+ The solution is to simply delete the associated accounts file and
+ re-run the affected service(s).
+
+
+
+# Find the accounts folder for the certificate
+systemctl cat acme-example.com.service | grep -Po 'accounts/[^:]*'
+export accountdir="$(!!)"
+# Move this folder to some place else
+mv /var/lib/acme/.lego/$accountdir{,.bak}
+# Recreate the folder using systemd-tmpfiles
+systemd-tmpfiles --create
+# Get a new account and reissue certificates
+# Note: Do this for all certs that share the same account email address
+systemctl start acme-example.com.service
+
+
+
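Review bot: The new `"$(ls -1 accounts)"` test on the added `if` line only proves that some entry exists under `accounts/`, not that the account this certificate uses is present; the accompanying acme.xml text indicates accounts live in per-certificate subdirectories and tells operators to repeat the recovery for every certificate sharing an email address, so after one account is moved aside while another remains, this check still takes the renew path and lego fails again instead of falling back to a fresh run. A missing `accounts` directory also makes `ls` print an error to the journal on every run even though the empty result is the intended outcome there. At minimum I'd write `-a -n "$(ls -A accounts 2>/dev/null)"`, and if the unit already knows its own account path (the docs grep it out of `systemctl cat`), testing that specific directory with `-e` would be the precise check. The `-a` chaining inside `[ ]` is flagged by ShellCheck (SC2166) and reads more clearly as separate `[ ]` tests joined with `&&`. The surrounding shell script begins and ends outside this hunk.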