
ACME „updates” my Let's encrypt certificate daily making electron apps unable to connect to my server #140906

Closed
mawis opened this issue Oct 7, 2021 · 3 comments

Comments

@mawis
Contributor

mawis commented Oct 7, 2021

Describe the bug

As we know, the DST Root CA X3 that was used to cross-sign Let's Encrypt certificates expired on 2021-09-30. While this didn't cause problems for normal browsers, it caused problems with Electron apps. (https://community.letsencrypt.org/t/issues-with-electron-and-expired-root/160991)

While this problem is said to be fixed in updated versions of Electron, I still have to support Electron apps packaged with previous versions of Electron. As described in comment 4 on the issue linked above, I can fix that by manually removing the last certificate in the chains generated in /var/lib/acme/<domain>. But the problem on NixOS seems to be that the file full.pem gets regenerated daily, causing Electron clients to fail to connect to my server again.

So I think the correct solution to get a working certificate chain would be to request a different certificate chain, which can be done with the lego option --preferred-chain. I can set this option for individual domains using the option security.acme.certs.<name>.extraLegoRunFlags, but it seems to me that there is no such option that works globally on all domains.

I think an option should be added to pass extraLegoRunFlags to all domains. It might even be helpful to make a special configuration option to set the preferred-chain.

Steps To Reproduce

  1. Configure a domain on nginx with enableACME set to true
  2. Check the generated certificates; the chain will have the cross-signed ISRG Root X1 as the last certificate
  3. Access the domain with an Electron client; it will fail
  4. Remove the cross-signed ISRG Root X1 at the end of the certificate chain and reload nginx
  5. The Electron client is able to access the web domain

Expected behavior

On the one hand I'd expect lego not to update my chain when the certificate is not renewed. On the other hand I'd expect to be able to configure the alternate chain without needing to do this domain by domain.

Notify maintainers

@m1cr0man

Metadata

Please run nix-shell -p nix-info --run "nix-info -m" and paste the result.

 - system: `"x86_64-linux"`
 - host os: `Linux 5.10.70, NixOS, 21.05.3509.7daf35532d2 (Okapi)`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.3.15`
 - channels(root): `"nixos-21.05.3509.7daf35532d2, old-20.09.4404.a13824fe5e3, unstable-21.11pre321003.14aef06d9b3"`
 - channels(matthias): `""`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`

Maintainer information:

# a list of nixpkgs attributes affected by the problem
attribute:
# a list of nixos modules affected by the problem
module:
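The manual workaround in steps 2 to 4 above, as an added example that is not part of the issue or of the NixOS ACME module: a POSIX shell snippet that drops the final certificate block from a PEM chain file (the cross-signed ISRG Root X1 that old Electron builds choke on) and counts the blocks so the result can be checked. The sample chain it builds uses constructed placeholder bodies, not real certificates; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the issue or the NixOS ACME module.
# Removes the last "-----BEGIN CERTIFICATE-----" ... "-----END CERTIFICATE-----"
# block from a PEM chain, which is the manual fix the issue describes for
# /var/lib/acme/<domain>/fullchain.pem on older Electron clients.

# Print every certificate block except the last one. Text before the first
# BEGIN line (there normally is none) and anything after the last END line
# are dropped as well.
strip_last_cert() {
  awk '
    /-----BEGIN CERTIFICATE-----/ { n++ }
    { block[n] = block[n] $0 "\n" }
    END { for (i = 1; i < n; i++) printf "%s", block[i] }
  ' "$1"
}

# Number of certificate blocks in a PEM file, used to confirm the chain
# shrank by exactly one.
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Write a constructed three-certificate chain (leaf, R3 intermediate,
# cross-signed ISRG Root X1) with placeholder bodies, so the functions can
# be exercised offline. These are NOT real certificates.
make_sample_chain() {
  cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
LEAF placeholder (constructed, not a real certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
R3 intermediate placeholder (constructed, not a real certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ISRG Root X1 cross-signed by DST Root CA X3 placeholder (constructed)
-----END CERTIFICATE-----
EOF
}

# Stand-alone demo: build the sample chain, trim it, report the block counts.
if [ "${1:-}" = "--demo" ]; then
  dir=$(mktemp -d)
  make_sample_chain "$dir/fullchain.pem"
  strip_last_cert "$dir/fullchain.pem" > "$dir/trimmed.pem"
  echo "before: $(count_certs "$dir/fullchain.pem") certificates"
  echo "after:  $(count_certs "$dir/trimmed.pem") certificates"
  rm -rf "$dir"
fi
```

On a real host you would run `strip_last_cert /var/lib/acme/<domain>/fullchain.pem` into a temporary file, check with `openssl crl2pkcs7 -nocrl -certfile trimmed.pem | openssl pkcs7 -print_certs -noout` that the remaining subjects are the leaf and R3 only, replace the file, and reload nginx. Two caveats the issue itself points at: the ACME module regenerates the file, so this edit does not survive the next run, and the lasting fix is to have lego request the alternate chain (the `--preferred-chain` flag mentioned in the issue); and dropping the cross-signed root means clients that trust only DST Root CA X3 and not ISRG Root X1 will stop validating the chain, so check your client population before making this the default.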
@m1cr0man
Contributor

m1cr0man commented Oct 8, 2021

cc @NixOS/acme

This is functionally a duplicate of #138478, in that adding some higher-level "default" options for each of the common options in certs would resolve your request :) I am planning to do this work quite soon, and I will be sure to notify the relevant tickets on the PR.

Wrt what you're attempting to solve for here, full.pem should only be regenerated if the fullchain.pem is edited, which in turn should only happen if the certs themselves are changed (which should only be on their renewal interval). Is this bug specific to NixOS, or is this actually an upstream/lego thing?

@mawis
Contributor Author

mawis commented Oct 8, 2021

Yes, indeed #138478 would solve my pain point of configuring every domain with the change. Thanks for the pointer to that issue.

@m1cr0man
Contributor

Default options tree added and documented in #147784
