lacme (0.8.1) upstream; + lacme-accountd: improve log messages and refactor logging logic. + lacme-accountd: refuse to sign JWS with an invalid Protected Header. + lacme: don't write certificate(-chain) file on chown/chmod failure. + lacme: default mode for certificate(-chain) creation is 0644 minus umask restrictions. Also, always spawn the client with umask 0022 so a starting lacme(8) with a restrictive umask doesn't impede serving challenge files. + lacme: add 'owner' resp. 'mode' as (prefered) alias for 'chown' resp. 'chmod'. + lacme: split certificates using Net::SSLeay::PEM_* instead of calling openssl. + lacme: pass a temporary JSON file with the client configuration to the internal client, so it doesn't have to parse the INI file again. - lacme: in the [accountd] config, let lacme-accountd(1) do the %-expansion for 'config', not lacme(8) when building the command. - lacme-accountd: don't log debug messages unless --debug is set. - lacme: when getpwnam()/getgrnam()'s errno is 0, exclude it from error messages. - tests/drop-privileges: ensure failure to drop privileges yields an error instead of retaining root priviliges. - tests/cert-install: include tests for failing chown(2) due to unknown user/group name. - lacme: ignore empty values in settings 'chown', 'chmod', 'certificate' and 'certificate-chain'. - lacme: return an error when the 'mode'/'chown' isn't a number. -- Guilhem Moulin Mon, 22 Feb 2021 12:04:28 +0100 lacme (0.8.0) upstream; * Breaking change: 'challenge-directory' now needs to be set to an *existing* directory (writable by the lacme client user). Since lacme(8) spawns a builtin webserver by default the change doesn't affect default configurations. Thanks to Benjamin Tietz for the idea and initial patch. * Breaking change: the 'iptables' option is now ignored unless the builtin webserver is used. * Unprivileged user/group for the internal client resp. webserver are now configurable at install time. * lacme: new flag `--force`, which aliases to `--min-days=-1`, i.e., forces renewal regardless of the expiration date of existing certificates. * Remove decomissioned intermediate CAs Authority X3 and X4 from the bundle. * Remove cross-signed intermediate CAs from the bundle and add the (self-signed) ISRG Root X1 and X2 instead. This allows us to fully validate provided X.509 chains using that self-contained bundle, regardless of which CAs is marqued as trusted under /etc/ssl/certs. This change bumps the minimum OpenSSL version to 1.1.0. * Breaking change: lacme(8) and lacme-accountd(1) respectively load their configuration file from /etc/lacme/lacme.conf resp. /etc/lacme/lacme-accountd.conf when running as root, and $XDG_CONFIG_HOME/lacme/lacme.conf resp. $XDG_CONFIG_HOME/lacme/lacme-accountd.conf when running as a normal user. There is no fallback to /etc anymore, and the lookup in the current directory as prefered choice is removed too. However lacme-accountd(1) can be used without configuration file under ~/.config/lacme as it treats a non-existent default location as an empty file. * The client, webserver, and accountd commands are now split on whitespace. This doesn't change the default behavior but allows using `ssh -T lacme@account.example.net lacme-accountd` to spawn a remote lacme-accountd server for instance. * Add test suite against Let's Encrypt's staging environment https://letsencrypt.org/docs/staging-environment/ . * lacme(8)'s 'config' option in the [accountd] section no longer have a default value. The previous default /etc/lacme/lacme-accountd.conf is still honored when root privileges are preserved (the default). * Deprecate setting 'privkey' in [accountd] section of the lacme(8) configuration file. One need to use the lacme-accountd(1) configuration file for that instead. * lacme(8): add %-specifiers support for --config=, --socket=, --config-certs= (and 'socket'/'config-certs'/'challenge-directory' configuration options *before* privilege drop; and for the [accountd] section 'command'/'config' configuration options *after* privilege drop). * lacme-accountd(1): add %-specifiers support for --config=, --socket= and --privkey= (and 'socket'/'privkey' configuration options). * lacme-accountd(1): base64url-decode incoming signature requests shown in messages to the standard error. * lacme-accountd(1): new setting 'logfile' to log (decoded) incoming signature requests to a file. * lacme-accountd(1): new setting 'keyid' to easily revoke all account management access from the client. + Improve nginx/apache2 snippets for direct serving of challenge files (with the new 'challenge-directory' logic symlinks can be disabled). + Split Nginx and Apapche2 static configuration snippets into seperate files. That way users prefering that over reverse-proxying can just source/enable the relevant files without having to uncomment anything. + Add support for TLS Feature extension from RFC 7633; this is mostly useful for OCSP Must-Staple. + client: use "lacme-client/$VERSION" as User-Agent header. + Consolidate error messages for consistency. + Sanitize environment when spawning the lacme client, webserver and accountd. + accountd: replace internal option --conn-fd=FD with flag --stdio. Using stdin/stdout makes it possible to tunnel the accountd connection through ssh. The new flag is documented to allow safe usage is authorized_keys(5) restrictions. + Remove dependency on List::Util (core module). + accountd: Pass JWA and JWK thumbprint via extended greeting data. This gives better forward flexibility. - lacme: delay webserver socket shutdown to after the process has terminated. - documentation: suggest to generate private key material with genpkey(1ssl); also suggest a command to generate an ECDSA key not just RSA; hint at which key algorithms are supported. - documentation: clarify that "file:/path/to/account.key" can point to a symmetrically-encrypted private key. - documentation: emphasize default values in the config file, and move the most common options ('hash', 'keyUsage', 'CAfile', 'min-days') to the default section. - Raise client timeout from 10 to 30s. - Remove dependency on Types::Serialiser. - client: fail immediately when the accountd is unreachable. - Makefile: set executable bit for $(bindir)/lacme-accountd and $(sbindir)/lacme. - client: avoid "Use of uninitialized value in pattern match (m//)" perl warnings when the accountd socket can't be reached. - webserver: reopen stdin from /dev/null. - Use 'acme-challenge.XXXXXXXXXX' as template for the temporary ACME challenge directory. - Set the DEBUG environment variable to 0/1 instead of ""/1. - Use File::Basename::dirname() to correctly extract the parent directory of the socket path. - client: Print Terms of Service URL for 'account' command. -- Guilhem Moulin Mon, 22 Feb 2021 03:19:57 +0100 lacme (0.7) upstream; * Breaking change: the certificate indicated by 'CAfile' is no longer used as is in 'certificate-chain' (along with the leaf cert). The chain returned by the ACME v2 endpoint is used instead. This allows for more flexibility with respect to key/CA rotation, cf. https://letsencrypt.org/2020/11/06/own-two-feet.html and https://community.letsencrypt.org/t/beginning-issuance-from-r3/139018 + 'CAfile' now defaults to @@datadir@@/lacme/ca-certificates.crt which is a concatenation of all known active CA certificates (which includes the previous default). -- Guilhem Moulin Wed, 25 Nov 2020 23:39:39 +0100 lacme (0.6.1) upstream; + Adapt Apache2 snippet to Apache2 2.4. + Ignore [accountd] section from lacme.conf when the --socket option is defined. This allows remotely-controlled lacme processes being controlled without modifying an config files. * Makefile: major refactoring, add install and uninstall targets, honor BUILD_DOCDIR and DESTDIR variables. * Install lacme manual to section 8. * Change default libexec dir from /usr/lib/lacme to /usr/libexec/lacme. * Makefile: Use variables for target directories etc. -- Guilhem Moulin Tue, 04 Aug 2020 01:39:47 +0200 lacme (0.6) upstream; + client: poll order URL instead of each authz URL successively. + lacme: new option 'account --deactivate' for client-initiated account deactivation, see RFC 8555 sec. 7.3.6. - lacme, client: new dependency Date::Parse, don't parse RFC 3339 datetime strings from X.509 certs manually. - lacme: assume that the iptables(8) binaries are under /usr/sbin not /sbin. As of Buster this is the case, and the maintainer plans to drop compatibility symlinks once Bullseye is released. - Link to RFC 8555 instead of the ACME I-D URL. - Issue GET and POST-as-GET requests (RFC 8555 sec. 6.3) for the authorizations, order and certificate URLs. -- Guilhem Moulin Wed, 21 Aug 2019 18:23:50 +0200 lacme (0.5) upstream; + Use ACME v2 endpoints (update protocol to the last draft of the spec https://tools.ietf.org/html/draft-ietf-acme-acme-12 ). Remove the 'reg=' command, and rename the 'new-reg', 'new-cert' and 'revoke-cert' commands to 'account', 'newOrder', and 'revokeCert' respectively, to match the the URI resource names. For backward compatibility 'new-cert' and 'revoke-cert' remain supported. - Fix manpage generation with pandoc >=2.1 -- Guilhem Moulin Thu, 26 Apr 2018 16:48:13 +0200 lacme (0.4) upstream; * Fix generation of manpages with pandoc >=1.18 * Copy snippets/*.conf to /etc/lacme -- Guilhem Moulin Fri, 28 Jul 2017 00:16:06 +0200 lacme (0.3) upstream; + When parsing config-cert files and directories (default "lacme-certs.conf lacme-certs.conf.d"), import the default section of files read earlier. + new-cert: create certificate files atomically. + webserver: allow listening to multiple addresses (useful when dual IPv4/IPv6 stack is not supported). Listen to a UNIX-domain socket by default . + webserver: don't install temporary iptables by default. Hosts without a public HTTP daemon listening on port 80 need to set the 'listen' option to [::] and/or 0.0.0.0, and possibly set the 'iptables' option to Yes. + Change 'min-days' default from 10 to 21, to avoid expiration notices from Let's Encrypt when auto-renewal is done by a cronjob. + Provide nginx and apache2 configuration snippets. - Ensure lacme's config file descriptor is not passed to the accountd or webserver components. - new-cert: sort section names if not passed explicitely. - new-cert: new CLI option "min-days" overriding the value found in the configuration file. - new-cert: mark the basicConstraints (CA:FALSE) and keyUsage x509v3 extensions as critical in the CSR, following upstream fix of Boulder's issue #565. - webserver: refuse to follow symlink when serving ACME challenge responses. When dropping privileges to a dedicated UID (recommended) only the ACME client could write to its current directory anyway, so following symlinks was not a serious vulnerability. - lacme(1), lacme-accountd(1): fix version number shown with --version. - client: remove potential race when creating ACME challenge response files. - When using open with mode "<&=" or ">&=", ensure the expression (fileno) is interpreted as an integer. (This failed in Perl v5.14.2 from Debian Jessie.) - Specify minimum required Perl version (v5.14.2). Moreover lacme(1) requires Socket 1.95 or later (for instance for IPPROTO_IPV6). -- Guilhem Moulin Sun, 19 Feb 2017 13:08:41 +0100 lacme (0.2) upstream; + Honor Retry-After headers for certificate issuance and challenge responses. + Update example of Subscriber Agreement URL to v1.1.1. + lacme: automaticall spawn lacme-acountd when a "[accountd]" section is present in the configuration file. The "socket" option is then ignored, and the two processes communicate through a socket pair. + lacme: add an option --quiet to avoid mentioning valid certs (useful in cronjobs) + "config-certs" now points to a space separated list of files or directories. New default "lacme-certs.conf lacme-certs.conf.d/". - Minor manpage fixes - More useful message upon Validation Challenge failure. - If restricting access via umask() fails, don't include errno in the error message as it's not set on failure. -- Guilhem Moulin Sat, 03 Dec 2016 16:40:56 +0100 lacme (0.1) upstream; * Initial public release. Development was started in December 2015. -- Guilhem Moulin Tue, 14 Jun 2016 17:30:58 +0200