lacme/tests/cert-install, branch v0.8.3 Small ACME client written with process isolation and minimal privileges in mind Fix post-issuance validation logic. 2024-06-13T14:48:05+00:00 Guilhem Moulin guilhem@fripost.org 2024-06-13T01:32:04+00:00 9cb882a468843bf8ce9598de8769d5baaaaae3ea Rather than adding intermediates in the certificate bundle we now validate the leaf certificate with intermediates as untrusted (used for chain building only). Only the root certificates are used as trust anchor. Not pining intermediate certificates anymore is in line with Let's Encrypt's latest recommendations: Rotating the set of intermediates we issue from helps keep the Internet agile and more secure. It encourages automation and efficiency, and discourages outdated practices like key pinning. “Key Pinning” is a practice in which clients — either ACME clients getting certificates for their site, or apps connecting to their own backend servers — decide to trust only a single issuing intermediate certificate rather than delegating trust to the system trust store. Updating pinned keys is a manual process, which leads to an increased risk of errors and potential business continuity failures. — https://letsencrypt.org/2024/03/19/new-intermediate-certificates: 
Rather than adding intermediates in the certificate bundle we now
validate the leaf certificate with intermediates as untrusted (used for
chain building only).  Only the root certificates are used as trust
anchor.

Not pining intermediate certificates anymore is in line with Let's
Encrypt's latest recommendations:

    Rotating the set of intermediates we issue from helps keep the
    Internet agile and more secure.  It encourages automation and
    efficiency, and discourages outdated practices like key pinning.
    “Key Pinning” is a practice in which clients — either ACME clients
    getting certificates for their site, or apps connecting to their own
    backend servers — decide to trust only a single issuing intermediate
    certificate rather than delegating trust to the system trust store.
    Updating pinned keys is a manual process, which leads to an
    increased risk of errors and potential business continuity failures.
    — https://letsencrypt.org/2024/03/19/new-intermediate-certificates:
Pass `-in /dev/stdin` option to openssl(1) to avoid warning with recent versions. 2024-06-13T13:41:12+00:00 Guilhem Moulin guilhem@fripost.org 2024-06-13T01:33:20+00:00 bf4d2d13ffcd894c6e7765dbd366f1163c69c9e1 OpenSSL 3.2 from Debian sid spews Warning: Reading certificate from stdin since no -in or -new option is given without an explicit `-in /dev/stdin`. 
OpenSSL 3.2 from Debian sid spews

    Warning: Reading certificate from stdin since no -in or -new option is given

without an explicit `-in /dev/stdin`.
t/cert-install: Ensure the subjectName is lowercase. 2024-06-13T13:40:56+00:00 Guilhem Moulin guilhem@fripost.org 2024-06-13T01:33:11+00:00 a41444b8b1fe5349a4a33c45f1e96036845609bb Domain names are case insensitive so it shouldn't matter, but Let's Encrypt (staging) ACME server fails with 400 Bad Request (Invalid identifiers requested :: Cannot issue for "YXJCTT7S6K2RQLVO.lacme-test.guilhem.org": Domain name contains an invalid character) if the sub-domain part of the subjectName is left all-caps. 
Domain names are case insensitive so it shouldn't matter, but Let's
Encrypt (staging) ACME server fails with

        400 Bad Request (Invalid identifiers requested :: Cannot issue for "YXJCTT7S6K2RQLVO.lacme-test.guilhem.org": Domain name contains an invalid character)

if the sub-domain part of the subjectName is left all-caps.
lacme: Add 'owner' resp. 'mode' as (prefered) alias for 'chown' resp. 'chmod'. 2021-02-24T20:32:06+00:00 Guilhem Moulin guilhem@fripost.org 2021-02-24T20:24:13+00:00 c6a4aaa6128d55ba5f7f3cd2bd75f789f69ae407 






lacme: Default mode for certificate(-chain) creation is 0644 minus umask restrictions.
2021-02-24T20:32:01+00:00

Guilhem Moulin
guilhem@fripost.org

2021-02-24T20:01:12+00:00

c612a7ff44995f4f9c39fa0fb68470d90c88decf

Also, always spawn the client with umask 0022 so a starting lacme(8)
with a restrictive umask doesn't impede serving challenge response
files.





Also, always spawn the client with umask 0022 so a starting lacme(8)
with a restrictive umask doesn't impede serving challenge response
files.







lacme: Don't write certificate(-chain) file on chown/chmod failure.
2021-02-24T20:09:02+00:00

Guilhem Moulin
guilhem@fripost.org

2021-02-24T19:03:44+00:00

cdd025133a306cd8d3e81aa832ac056119d65f3a

Otherwise we end up with files with mode 0644 owned by root:root, and
subsequent lacme(8) invocations will likely not renew them for a while.

This change also saves a chown(2) call.  And the new logic (chown resp.
chmod from root:root resp. 0600) is safe if we ever include private key
material in there too.





Otherwise we end up with files with mode 0644 owned by root:root, and
subsequent lacme(8) invocations will likely not renew them for a while.

This change also saves a chown(2) call.  And the new logic (chown resp.
chmod from root:root resp. 0600) is safe if we ever include private key
material in there too.







tests/cert-install: Include tests for failing chown(2).
2021-02-24T12:19:21+00:00

Guilhem Moulin
guilhem@fripost.org

2021-02-24T12:19:21+00:00

539e3a8b8a2baf6746716125e99231da14a153a9

Due to unknown user/group name.





Due to unknown user/group name.







tab damage
2021-02-24T12:18:00+00:00

Guilhem Moulin
guilhem@fripost.org

2021-02-24T12:18:00+00:00

c96f887e5d8a1625f7dfb76d7f646499aead8eed












typofix
2021-02-24T12:17:43+00:00

Guilhem Moulin
guilhem@fripost.org

2021-02-24T12:17:43+00:00

bb3ef24a8d97dd9b0299cf23e4815c57c5ad7fb7












Add test suite against Let's Encrypt's staging environment.
2021-02-20T19:16:29+00:00

Guilhem Moulin
guilhem@fripost.org

2021-02-19T22:22:15+00:00

11d971bc07ceb4359565e6611ae03a0c0134d153

https://letsencrypt.org/docs/staging-environment/





https://letsencrypt.org/docs/staging-environment/