aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2021-02-14 22:59:11 +0100
committerGuilhem Moulin <guilhem@fripost.org>2021-02-15 01:31:27 +0100
commit2c1a396728a381685923f7b1c4dea53d225112fc (patch)
tree2de0abe91788ea9c795e91eba38e69069412bfb1
parent956764d11c9445c835f992a782d90d8de90fe565 (diff)
Add (self-signed) ISRG Roots to the CA bundle.
This allows us to fully validate provided X.509 chains using that self-contained bundle, regardless of which CAs is marqued as trusted under /etc/ssl/certs. Also, remove cross-signed intermediate CAs from the bundle as they're useless in a self-contained bundle. Also, remove decomissioned intermediate CAs Authority X3 and X4 from the bundle. This change bumps the minimum OpenSSL version to 1.1.0 (for verify(1ssl)'s ‘-trusted’ and ‘-show_chain’ options).
-rw-r--r--Changelog7
-rw-r--r--INSTALL2
-rw-r--r--Makefile7
-rw-r--r--certs/isrg-root-x2.pem14
-rw-r--r--certs/isrgrootx1.pem31
-rwxr-xr-xlacme18
6 files changed, 67 insertions, 12 deletions
diff --git a/Changelog b/Changelog
index 72e4be6..7cef63c 100644
--- a/Changelog
+++ b/Changelog
@@ -12,6 +12,13 @@ lacme (0.7.1) upstream;
* lacme: new flag `--force`, which aliases to `--min-days=-1`, i.e.,
forces renewal regardless of the expiration date of existing
certificates.
+ * Remove decomissioned intermediate CAs Authority X3 and X4 from the
+ bundle.
+ * Remove cross-signed intermediate CAs from the bundle and add the
+ (self-signed) ISRG Root X1 and X2 instead. This allows us to fully
+ validate provided X.509 chains using that self-contained bundle,
+ regardless of which CAs is marqued as trusted under /etc/ssl/certs.
+ This change bumps the minimum OpenSSL version to 1.1.0.
+ Improve nginx/apache2 snippets for direct serving of challenge files
(with the new 'challenge-directory' logic symlinks can be disabled).
- lacme: delay webserver socket shutdown to after the process has
diff --git a/INSTALL b/INSTALL
index a0fcb72..9ecb1bf 100644
--- a/INSTALL
+++ b/INSTALL
@@ -16,7 +16,7 @@ the following command:
apt-get install libconfig-tiny-perl libcrypt-openssl-rsa-perl libcrypt-openssl-bignum-perl libjson-perl
-lacme depends on OpenSSL and the following Perl modules:
+lacme depends on OpenSSL ≥1.1.0 and the following Perl modules:
- Config::Tiny
- Digest::SHA (core module)
diff --git a/Makefile b/Makefile
index afc5c71..fa830c4 100644
--- a/Makefile
+++ b/Makefile
@@ -13,13 +13,12 @@ $(MANUAL_FILES): $(BUILDDIR)/%: $(BUILDDIR)/%.md
# used for validation, see https://letsencrypt.org/certificates/
$(BUILDDIR)/certs/ca-certificates.crt: \
- certs/letsencryptauthorityx[34].pem \
- certs/lets-encrypt-x[34]-cross-signed.pem \
+ certs/isrgrootx1.pem \
+ certs/isrg-root-x2.pem \
certs/lets-encrypt-r[34].pem \
- certs/lets-encrypt-r[34]-cross-signed.pem \
certs/lets-encrypt-e[12].pem
mkdir -pv -- $(BUILDDIR)/certs
- cat $^ >$@
+ cat -- $^ >$@
prefix ?= $(DESTDIR)
exec_prefix ?= $(prefix)
diff --git a/certs/isrg-root-x2.pem b/certs/isrg-root-x2.pem
new file mode 100644
index 0000000..7d903ed
--- /dev/null
+++ b/certs/isrg-root-x2.pem
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICGzCCAaGgAwIBAgIQQdKd0XLq7qeAwSxs6S+HUjAKBggqhkjOPQQDAzBPMQsw
+CQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJuZXQgU2VjdXJpdHkgUmVzZWFyY2gg
+R3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBYMjAeFw0yMDA5MDQwMDAwMDBaFw00
+MDA5MTcxNjAwMDBaME8xCzAJBgNVBAYTAlVTMSkwJwYDVQQKEyBJbnRlcm5ldCBT
+ZWN1cml0eSBSZXNlYXJjaCBHcm91cDEVMBMGA1UEAxMMSVNSRyBSb290IFgyMHYw
+EAYHKoZIzj0CAQYFK4EEACIDYgAEzZvVn4CDCuwJSvMWSj5cz3es3mcFDR0HttwW
++1qLFNvicWDEukWVEYmO6gbf9yoWHKS5xcUy4APgHoIYOIvXRdgKam7mAHf7AlF9
+ItgKbppbd9/w+kHsOdx1ymgHDB/qo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0T
+AQH/BAUwAwEB/zAdBgNVHQ4EFgQUfEKWrt5LSDv6kviejM9ti6lyN5UwCgYIKoZI
+zj0EAwMDaAAwZQIwe3lORlCEwkSHRhtFcP9Ymd70/aTSVaYgLXTWNLxBo1BfASdW
+tL4ndQavEi51mI38AjEAi/V3bNTIZargCyzuFJ0nN6T5U6VR5CmD1/iQMVtCnwr1
+/q4AaOeMSQ+2b1tbFfLn
+-----END CERTIFICATE-----
diff --git a/certs/isrgrootx1.pem b/certs/isrgrootx1.pem
new file mode 100644
index 0000000..b85c803
--- /dev/null
+++ b/certs/isrgrootx1.pem
@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
+WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
+ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
+MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
+h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
+0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
+A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
+T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
+B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
+B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
+KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
+OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
+jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
+qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
+rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
+HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
+hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
+ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
+3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
+NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
+ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
+TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
+jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
+oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
+4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
+mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
+emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
+-----END CERTIFICATE-----
diff --git a/lacme b/lacme
index 7ad7aa8..480778f 100755
--- a/lacme
+++ b/lacme
@@ -784,13 +784,17 @@ elsif ($COMMAND eq 'newOrder' or $COMMAND eq 'new-cert') {
next;
};
- # verify certificate validity against the CA
- $conf->{CAfile} //= '@@datadir@@/lacme/ca-certificates.crt';
- if ($conf->{CAfile} ne '' and spawn({in => $x509}, 'openssl', 'verify', '-CAfile', $conf->{CAfile},
- qw/-purpose sslserver -x509_strict/)) {
- print STDERR "[$s] Error: Received invalid X.509 certificate from ACME server!\n";
- $rv = 1;
- next;
+ # verify certificate validity against the CA bundle
+ if ((my $CAfile = $conf->{CAfile} // '@@datadir@@/lacme/ca-certificates.crt') ne '') {
+ my %args = (in => $x509);
+ $args{out} = \*STDERR if $OPTS{debug};
+ my @options = ('-trusted', $CAfile, '-purpose', 'sslserver', '-x509_strict');
+ push @options, '-show_chain' if $OPTS{debug};
+ if (spawn(\%args, 'openssl', 'verify', @options)) {
+ print STDERR "[$s] Error: Received invalid X.509 certificate from ACME server!\n";
+ $rv = 1;
+ next;
+ }
}
# install certificate