ACME: Removing extraDomain from certificate does not work

[mweinelt]

Describe the bug

After removing a domain from my list of extraDomains the acme service or that certificate still tried to renew the validation for the removed domain, which was only left as a SAN in the existing certificate at this point.

This is caused by extraDomains not being part of the calculcated hash that would force a renewal of the certificate.

Steps To Reproduce

Steps to reproduce the behavior:

1. Request a certificate with an extraDomain
2. Drop the extraDomain
3. Renew and see how it still tries to renew the removed extraDomain

Expected behavior

Consider removed extraDomain entries for forced renewals.

Screenshots

n/a

Additional context

n/a

Notify maintainers

@m1cr0man

Metadata

 - system: `"x86_64-linux"`
 - host os: `Linux 5.10.80, NixOS, 21.05pre-git (Okapi)`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.3.16`
 - nixpkgs: `/nix/store/04icm0sla3xs908n4vvzw95z5rarkyz7-dvzrqx9961f3m5inyakllsh34sxz3gv4-nixos-21.05-src`

Maintainer information:

# a list of nixpkgs attributes affected by the problem
attribute:
# a list of nixos modules affected by the problem
module: security.acme

[m1cr0man]

^ See my comment in the upstream ticket - I feel this would be better fixed in lego itself since surely it is unexpected behaviour. Coincidentally that ticket was opened just 3 days ago 😅

This would work much better than us hacking in a solution (as we already do), and means we can remove domainHash from the module entirely without causing any unwanted force-renewals.