| author | Guilhem Moulin <guilhem@debian.org> | 2021-02-22 03:30:32 +0100 |
|---|---|---|
| committer | Guilhem Moulin <guilhem@debian.org> | 2021-02-22 03:30:32 +0100 |
| commit | d1be19ea9484f4c48af2de54266465d49bb1281d (patch) | |
| tree | 768da9388a9ea6ed42d8d818a6433a4871a1172e /Changelog | |
| parent | 847ae99fb1ed73fd77c6ffd30f2c554ab5892fde (diff) | |
| parent | 3eba02ef820a393bd5781be9f8fcda1611ae7c3d (diff) | |
Merge tag 'v0.8.0' into debian/latest
Release version 0.8.0
Diffstat (limited to 'Changelog')
-rw-r--r-- | Changelog | 102 |
1 files changed, 102 insertions, 0 deletions
@@ -1,3 +1,105 @@ +lacme (0.8.0) upstream; + + * Breaking change: 'challenge-directory' now needs to be set to an + *existing* directory (writable by the lacme client user). Since + lacme(8) spawns a builtin webserver by default the change doesn't + affect default configurations. + Thanks to Benjamin Tietz for the idea and initial patch. + * Breaking change: the 'iptables' option is now ignored unless the + builtin webserver is used. + * Unprivileged user/group for the internal client resp. webserver are + now configurable at install time. + * lacme: new flag `--force`, which aliases to `--min-days=-1`, i.e., + forces renewal regardless of the expiration date of existing + certificates. + * Remove decomissioned intermediate CAs Authority X3 and X4 from the + bundle. + * Remove cross-signed intermediate CAs from the bundle and add the + (self-signed) ISRG Root X1 and X2 instead. This allows us to fully + validate provided X.509 chains using that self-contained bundle, + regardless of which CAs is marqued as trusted under /etc/ssl/certs. + This change bumps the minimum OpenSSL version to 1.1.0. + * Breaking change: lacme(8) and lacme-accountd(1) respectively load + their configuration file from /etc/lacme/lacme.conf resp. + /etc/lacme/lacme-accountd.conf when running as root, and + $XDG_CONFIG_HOME/lacme/lacme.conf resp. + $XDG_CONFIG_HOME/lacme/lacme-accountd.conf when running as a normal + user. There is no fallback to /etc anymore, and the lookup in the + current directory as prefered choice is removed too. However + lacme-accountd(1) can be used without configuration file under + ~/.config/lacme as it treats a non-existent default location as an + empty file. + * The client, webserver, and accountd commands are now split on + whitespace. This doesn't change the default behavior but allows + using `ssh -T lacme@account.example.net lacme-accountd` to spawn a + remote lacme-accountd server for instance. 
+ * Add test suite against Let's Encrypt's staging environment + https://letsencrypt.org/docs/staging-environment/ . + * lacme(8)'s 'config' option in the [accountd] section no longer have a + default value. The previous default /etc/lacme/lacme-accountd.conf + is still honored when root privileges are preserved (the default). + * Deprecate setting 'privkey' in [accountd] section of the lacme(8) + configuration file. One need to use the lacme-accountd(1) + configuration file for that instead. + * lacme(8): add %-specifiers support for --config=, --socket=, + --config-certs= (and 'socket'/'config-certs'/'challenge-directory' + configuration options *before* privilege drop; and for the [accountd] + section 'command'/'config' configuration options *after* privilege + drop). + * lacme-accountd(1): add %-specifiers support for --config=, --socket= + and --privkey= (and 'socket'/'privkey' configuration options). + * lacme-accountd(1): base64url-decode incoming signature requests shown + in messages to the standard error. + * lacme-accountd(1): new setting 'logfile' to log (decoded) incoming + signature requests to a file. + * lacme-accountd(1): new setting 'keyid' to easily revoke all account + management access from the client. + + Improve nginx/apache2 snippets for direct serving of challenge files + (with the new 'challenge-directory' logic symlinks can be disabled). + + Split Nginx and Apapche2 static configuration snippets into seperate + files. That way users prefering that over reverse-proxying can just + source/enable the relevant files without having to uncomment + anything. + + Add support for TLS Feature extension from RFC 7633; this is mostly + useful for OCSP Must-Staple. + + client: use "lacme-client/$VERSION" as User-Agent header. + + Consolidate error messages for consistency. + + Sanitize environment when spawning the lacme client, webserver and + accountd. + + accountd: replace internal option --conn-fd=FD with flag --stdio. 
+ Using stdin/stdout makes it possible to tunnel the accountd + connection through ssh. The new flag is documented to allow safe + usage is authorized_keys(5) restrictions. + + Remove dependency on List::Util (core module). + + accountd: Pass JWA and JWK thumbprint via extended greeting data. + This gives better forward flexibility. + - lacme: delay webserver socket shutdown to after the process has + terminated. + - documentation: suggest to generate private key material with + genpkey(1ssl); also suggest a command to generate an ECDSA key not + just RSA; hint at which key algorithms are supported. + - documentation: clarify that "file:/path/to/account.key" can point to + a symmetrically-encrypted private key. + - documentation: emphasize default values in the config file, and move + the most common options ('hash', 'keyUsage', 'CAfile', 'min-days') to + the default section. + - Raise client timeout from 10 to 30s. + - Remove dependency on Types::Serialiser. + - client: fail immediately when the accountd is unreachable. + - Makefile: set executable bit for $(bindir)/lacme-accountd and + $(sbindir)/lacme. + - client: avoid "Use of uninitialized value in pattern match (m//)" + perl warnings when the accountd socket can't be reached. + - webserver: reopen stdin from /dev/null. + - Use 'acme-challenge.XXXXXXXXXX' as template for the temporary ACME + challenge directory. + - Set the DEBUG environment variable to 0/1 instead of ""/1. + - Use File::Basename::dirname() to correctly extract the parent + directory of the socket path. + - client: Print Terms of Service URL for 'account' command. + + -- Guilhem Moulin <guilhem@fripost.org> Mon, 22 Feb 2021 03:19:57 +0100 + lacme (0.7) upstream; * Breaking change: the certificate indicated by 'CAfile' is no longer |
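Review bot: several spelling and grammar slips in the new changelog entries should be fixed before this ships in the release: "decomissioned" -> "decommissioned", "regardless of which CAs is marqued as trusted" -> "regardless of which CAs are marked as trusted", "prefered" -> "preferred", "Apapche2" -> "Apache2", "seperate" -> "separate", "no longer have a default value" -> "no longer has a default value", "One need to use" -> "One needs to use", and "safe usage is authorized_keys(5) restrictions" -> "safe usage in authorized_keys(5) restrictions". Beyond wording, the four "Breaking change" items (an existing, writable 'challenge-directory' is now required; 'iptables' is ignored unless the builtin webserver is used; configuration is loaded only from /etc/lacme or $XDG_CONFIG_HOME/lacme with no /etc fallback and no current-directory lookup; the [accountd] 'config' option has no default) are spread through the list, so an administrator skimming the entry can miss them; grouping them at the top of the entry, or mirroring them in a NEWS file, would make it less likely that an upgrade silently stops renewing certificates because an old config location or a not-yet-created challenge directory is still in use.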