path: root/nixos/doc/manual/release-notes/rl-2405.section.md
author: Arian van Putten <arian.vanputten@gmail.com> 2024-06-04 20:07:14 +0200
committer: Arian van Putten <arian.vanputten@gmail.com> 2024-06-04 20:23:30 +0200
commit: f8439331dc74c7f4d1603c510352a07b2771b273 (patch)
tree: a206b2f22fee112dd1353f9ca24a1c1a63d39171 /nixos/doc/manual/release-notes/rl-2405.section.md
parent: d1f07e63820121bde6b939be7cfafbef2ea9939d (diff)
doc/release-notes: Add note about backwards compatibility in ACME module
Co-authored-by: Stéphan Kochen <git@stephank.nl>
Diffstat (limited to 'nixos/doc/manual/release-notes/rl-2405.section.md')
-rw-r--r-- nixos/doc/manual/release-notes/rl-2405.section.md 10
1 files changed, 10 insertions, 0 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2405.section.md b/nixos/doc/manual/release-notes/rl-2405.section.md
index 072d4d7f779a8..165e3e13a78ef 100644
--- a/nixos/doc/manual/release-notes/rl-2405.section.md
+++ b/nixos/doc/manual/release-notes/rl-2405.section.md
@@ -429,6 +429,16 @@ Use `services.pipewire.extraConfig` or `services.pipewire.configPackages` for Pi
 
 - `screen`'s module has been cleaned, and will now require you to set `programs.screen.enable` in order to populate `screenrc` and add the program to the environment.
 
+- `security.acme.defaults.server` now has a default value instead of `null`.
+  This effectively uses the same server, the Let's Encrypt production server,
+  but makes the default explicit, instead of relying on the Lego default.
+
+  A side effect of this is that the directory in which account data is stored
+  changes and the ACME module will request a new account and new certificates
+  for all domains.  This may cause issues if you pin an `acccounturl` in a CAA
+  DNS record.  To avoid this, you
+  may set `security.acme.defaults.server = null` to keep the old hashes.
+
 - `security.pam.sshAgentAuth.enable` now requires `services.openssh.authorizedKeysFiles` to be non-empty,
   which is the case when `services.openssh.enable` is true. Previously, `pam_ssh_agent_auth` silently failed to work.
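Review bot: the CAA reference in the added note is wrong on two counts: `acccounturl` is misspelled (three c's), and the CAA parameter that binds an `issue`/`issuewild` record to an ACME account, as defined in RFC 8657, is `accounturi`, not `accounturl`. Suggest `... if you pin an `accounturi` in a CAA DNS record.` so readers searching their zone files find the right parameter. Also consider replacing "to keep the old hashes" with something a user can act on, such as "to keep the previous account directory (and therefore the existing account URI)", since the hash is an implementation detail the user never sees, while the account URI is what they pinned. Minor: double space after "domains." and the line wrap after "you" leave the last sentence reading awkwardly once rendered.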