lacme/tests, branch debian/latest Small ACME client written with process isolation and minimal privileges in mind Fix test suite. 2024-06-13T15:38:40+00:00 Guilhem Moulin guilhem@fripost.org 2024-06-13T13:54:11+00:00 98e4397f5330245cb7f8a21054ab078c4d0bba82 Since we don't pin staging intermediate certificates anymore we drop the test where the CA bundle contains only intermediates. 
Since we don't pin staging intermediate certificates anymore we drop the
test where the CA bundle contains only intermediates.
Fix post-issuance validation logic. 2024-06-13T14:48:05+00:00 Guilhem Moulin guilhem@fripost.org 2024-06-13T01:32:04+00:00 9cb882a468843bf8ce9598de8769d5baaaaae3ea Rather than adding intermediates in the certificate bundle we now validate the leaf certificate with intermediates as untrusted (used for chain building only). Only the root certificates are used as trust anchor. Not pining intermediate certificates anymore is in line with Let's Encrypt's latest recommendations: Rotating the set of intermediates we issue from helps keep the Internet agile and more secure. It encourages automation and efficiency, and discourages outdated practices like key pinning. “Key Pinning” is a practice in which clients — either ACME clients getting certificates for their site, or apps connecting to their own backend servers — decide to trust only a single issuing intermediate certificate rather than delegating trust to the system trust store. Updating pinned keys is a manual process, which leads to an increased risk of errors and potential business continuity failures. — https://letsencrypt.org/2024/03/19/new-intermediate-certificates: 
Rather than adding intermediates in the certificate bundle we now
validate the leaf certificate with intermediates as untrusted (used for
chain building only).  Only the root certificates are used as trust
anchor.

Not pining intermediate certificates anymore is in line with Let's
Encrypt's latest recommendations:

    Rotating the set of intermediates we issue from helps keep the
    Internet agile and more secure.  It encourages automation and
    efficiency, and discourages outdated practices like key pinning.
    “Key Pinning” is a practice in which clients — either ACME clients
    getting certificates for their site, or apps connecting to their own
    backend servers — decide to trust only a single issuing intermediate
    certificate rather than delegating trust to the system trust store.
    Updating pinned keys is a manual process, which leads to an
    increased risk of errors and potential business continuity failures.
    — https://letsencrypt.org/2024/03/19/new-intermediate-certificates:
Pass `-in /dev/stdin` option to openssl(1) to avoid warning with recent versions. 2024-06-13T13:41:12+00:00 Guilhem Moulin guilhem@fripost.org 2024-06-13T01:33:20+00:00 bf4d2d13ffcd894c6e7765dbd366f1163c69c9e1 OpenSSL 3.2 from Debian sid spews Warning: Reading certificate from stdin since no -in or -new option is given without an explicit `-in /dev/stdin`. 
OpenSSL 3.2 from Debian sid spews

    Warning: Reading certificate from stdin since no -in or -new option is given

without an explicit `-in /dev/stdin`.
t/cert-extensions: Fix tr(1) range syntax. 2024-06-13T13:41:12+00:00 Guilhem Moulin guilhem@fripost.org 2024-06-13T12:30:30+00:00 568656b1fcb60d451b4a5313876ef0b96ae8bbfd 






t/cert-install: Ensure the subjectName is lowercase.
2024-06-13T13:40:56+00:00

Guilhem Moulin
guilhem@fripost.org

2024-06-13T01:33:11+00:00

a41444b8b1fe5349a4a33c45f1e96036845609bb

Domain names are case insensitive so it shouldn't matter, but Let's
Encrypt (staging) ACME server fails with

        400 Bad Request (Invalid identifiers requested :: Cannot issue for "YXJCTT7S6K2RQLVO.lacme-test.guilhem.org": Domain name contains an invalid character)

if the sub-domain part of the subjectName is left all-caps.





Domain names are case insensitive so it shouldn't matter, but Let's
Encrypt (staging) ACME server fails with

        400 Bad Request (Invalid identifiers requested :: Cannot issue for "YXJCTT7S6K2RQLVO.lacme-test.guilhem.org": Domain name contains an invalid character)

if the sub-domain part of the subjectName is left all-caps.







tests/account-encrypted-*: Set TERM="linux".
2023-04-26T15:41:24+00:00

Guilhem Moulin
guilhem@fripost.org

2023-04-26T15:41:24+00:00

f84716c064312dd9dc0d149f0ec7a12f5c88c3af












tests: Point stretch's archive URL to archive.d.o.
2023-04-25T09:59:39+00:00

Guilhem Moulin
guilhem@fripost.org

2023-04-25T09:59:39+00:00

5d9d1ce570c0fa613e1dc2345047a0ff95f781c5

See https://lists.debian.org/msgid-search/87tty79lwo.fsf@43-1.org .





See https://lists.debian.org/msgid-search/87tty79lwo.fsf@43-1.org .







Adjust test suite against current Let's Encrypt staging environment.
2023-01-25T02:23:45+00:00

Guilhem Moulin
guilhem@fripost.org

2023-01-25T02:12:13+00:00

cb0b301e7a62a71d9e4454f9f7af5358c857c48c












lacme: pass a temporary JSON file with the client configuration to the internal client.
2021-02-25T09:30:22+00:00

Guilhem Moulin
guilhem@fripost.org

2021-02-25T00:41:59+00:00

9a8f705eddd18ccc9a24fe0e7efe6b5a87b2be09

So it doesn't have to parse the INI file again.  Also, while lacme.conf
is world-readable by default, one might restrict permissions and add
private information in there, not realizing that everything, including
comments, will be readable by the client.





So it doesn't have to parse the INI file again.  Also, while lacme.conf
is world-readable by default, one might restrict permissions and add
private information in there, not realizing that everything, including
comments, will be readable by the client.







lacme: Add 'owner' resp. 'mode' as (prefered) alias for 'chown' resp. 'chmod'.
2021-02-24T20:32:06+00:00

Guilhem Moulin
guilhem@fripost.org

2021-02-24T20:24:13+00:00

c6a4aaa6128d55ba5f7f3cd2bd75f789f69ae407