lacme/Makefile, branch v0.8.3 Small ACME client written with process isolation and minimal privileges in mind Fix post-issuance validation logic. 2024-06-13T14:48:05+00:00 Guilhem Moulin guilhem@fripost.org 2024-06-13T01:32:04+00:00 9cb882a468843bf8ce9598de8769d5baaaaae3ea Rather than adding intermediates in the certificate bundle we now validate the leaf certificate with intermediates as untrusted (used for chain building only). Only the root certificates are used as trust anchor. Not pining intermediate certificates anymore is in line with Let's Encrypt's latest recommendations: Rotating the set of intermediates we issue from helps keep the Internet agile and more secure. It encourages automation and efficiency, and discourages outdated practices like key pinning. “Key Pinning” is a practice in which clients — either ACME clients getting certificates for their site, or apps connecting to their own backend servers — decide to trust only a single issuing intermediate certificate rather than delegating trust to the system trust store. Updating pinned keys is a manual process, which leads to an increased risk of errors and potential business continuity failures. — https://letsencrypt.org/2024/03/19/new-intermediate-certificates: 
Rather than adding intermediates in the certificate bundle we now
validate the leaf certificate with intermediates as untrusted (used for
chain building only).  Only the root certificates are used as trust
anchor.

Not pining intermediate certificates anymore is in line with Let's
Encrypt's latest recommendations:

    Rotating the set of intermediates we issue from helps keep the
    Internet agile and more secure.  It encourages automation and
    efficiency, and discourages outdated practices like key pinning.
    “Key Pinning” is a practice in which clients — either ACME clients
    getting certificates for their site, or apps connecting to their own
    backend servers — decide to trust only a single issuing intermediate
    certificate rather than delegating trust to the system trust store.
    Updating pinned keys is a manual process, which leads to an
    increased risk of errors and potential business continuity failures.
    — https://letsencrypt.org/2024/03/19/new-intermediate-certificates:
Replace '$(dir $@)' with '$(@D)' in Makefile. 2023-01-25T02:11:22+00:00 Guilhem Moulin guilhem@fripost.org 2023-01-25T02:11:22+00:00 40a4c9b9be51f9c41edd8b421dd629e001659fb4 






Make the ACME API server URL configurable at build time.
2021-02-21T02:00:48+00:00

Guilhem Moulin
guilhem@fripost.org

2021-02-21T01:55:46+00:00

626c0418b3d8c3747a7be8e2620d7c85a8c2c613












Add %-specifiers support.
2021-02-20T21:13:41+00:00

Guilhem Moulin
guilhem@fripost.org

2021-02-18T20:07:01+00:00

0ef94d85e58497dcb2c4c954cadcac918032467a

lacme(8): for --config=, --socket=, --config-certs= (and ‘socket’/
‘config-certs’/‘challenge-directory’ configuration options *before*
privilege drop; and for the [accountd] section ‘command’/‘config’
configuration options *after* privilege drop).

lacme-accountd(1): for --config=, --socket= and --privkey= (and
‘socket’/‘privkey’ configuration options).

This also changes the default configuration file location.  lacme(8) and
lacme-accountd(1) now respectively use /etc/lacme/lacme.conf resp.
/etc/lacme/lacme-accountd.conf when running as root, and
$XDG_CONFIG_HOME/lacme/lacme.conf resp. $XDG_CONFIG_HOME/lacme/lacme-accountd.conf
when running as a normal user.  There is no fallback to /etc anymore.





lacme(8): for --config=, --socket=, --config-certs= (and ‘socket’/
‘config-certs’/‘challenge-directory’ configuration options *before*
privilege drop; and for the [accountd] section ‘command’/‘config’
configuration options *after* privilege drop).

lacme-accountd(1): for --config=, --socket= and --privkey= (and
‘socket’/‘privkey’ configuration options).

This also changes the default configuration file location.  lacme(8) and
lacme-accountd(1) now respectively use /etc/lacme/lacme.conf resp.
/etc/lacme/lacme-accountd.conf when running as root, and
$XDG_CONFIG_HOME/lacme/lacme.conf resp. $XDG_CONFIG_HOME/lacme/lacme-accountd.conf
when running as a normal user.  There is no fallback to /etc anymore.







typofix
2021-02-20T19:16:34+00:00

Guilhem Moulin
guilhem@fripost.org

2021-02-18T23:48:40+00:00

2114bd775df342f3491cdd839031254041b655ae












Symlink $(sysconfdir)/apache2/conf-available/lacme.conf → ../../lacme/apache2.conf.
2021-02-20T19:16:34+00:00

Guilhem Moulin
guilhem@fripost.org

2021-02-18T15:11:24+00:00

8d7b50989d1c446b81c73e8ababfce6f0351ee59

This is useful for enabling the snippet with `a2enconf lacme`, cf.
https://bugs.debian.org/955859 .





This is useful for enabling the snippet with `a2enconf lacme`, cf.
https://bugs.debian.org/955859 .







Makefile wibble
2021-02-20T19:16:34+00:00

Guilhem Moulin
guilhem@fripost.org

2021-02-18T15:05:31+00:00

e3a3f59865290ea70de66ffa3b017916aac3ffef












Update staging hierarchy.
2021-02-20T17:29:25+00:00

Guilhem Moulin
guilhem@fripost.org

2021-02-19T22:15:52+00:00

c214f20a835d0da4bd0c5a85a4bd9089fc4febcb

Cf. https://community.letsencrypt.org/t/staging-hierarchy-new-root-cert/145677 .





Cf. https://community.letsencrypt.org/t/staging-hierarchy-new-root-cert/145677 .







Makefile: set executable bit for $(bindir)/lacme-accountd and $(sbindir)/lacme.
2021-02-17T23:42:32+00:00

Guilhem Moulin
guilhem@fripost.org

2021-02-17T10:34:33+00:00

bddbc17b87f3de29657f1dd2b9a065901e955c15












client: use "lacme-client/$VERSION" as User-Agent header.
2021-02-17T23:42:32+00:00

Guilhem Moulin
guilhem@fripost.org

2021-02-16T00:06:01+00:00

c75bc6c37840b8fc2c57424d24c06a0bfe399de6