| author | Guilhem Moulin <guilhem@fripost.org> | 2017-06-29 22:47:24 +0200 |
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2017-06-29 22:47:24 +0200 |
| commit | 3a9a58b9556c4ccd07c10429c040e6c98781fd45 (patch) | |
| tree | 7058ff1bfebb25d247111428d194a828e1cac253 /Changelog | |
| parent | c8e2cd230a90b58b7e962f658fafb2d1306a579d (diff) | |
| parent | d93660085ceba3f81631bba4744b23af7984cd9d (diff) | |
Merge branch 'master' into debian
Diffstat (limited to 'Changelog')
| -rw-r--r-- | Changelog | 13 |
|---|---|---|
1 files changed, 11 insertions, 2 deletions
@@ -4,7 +4,7 @@ lacme (0.3) upstream; lacme-certs.conf.d"), import the default section of files read earlier. + new-cert: create certificate files atomically. + webserver: allow listening to multiple addresses (useful when - dual-stack IPv4/IPv6 is not supported). Listen to a UNIX-domain + dual IPv4/IPv6 stack is not supported). Listen to a UNIX-domain socket by default </var/run/lacme.socket>. + webserver: don't install temporary iptables by default. Hosts without a public HTTP daemon listening on port 80 need to set the @@ -12,7 +12,7 @@ lacme (0.3) upstream; 'iptables' option to Yes. + Change 'min-days' default from 10 to 21, to avoid expiration notices from Let's Encrypt when auto-renewal is done by a cronjob. - + Provide nginx configuration snippet. + + Provide nginx and apache2 configuration snippets. - Ensure lacme's config file descriptor is not passed to the accountd or webserver components. - new-cert: sort section names if not passed explicitely. @@ -21,6 +21,15 @@ lacme (0.3) upstream; - new-cert: mark the basicConstraints (CA:FALSE) and keyUsage x509v3 extensions as critical in the CSR, following upstream fix of Boulder's issue #565. + - webserver: refuse to follow symlink when serving ACME challenge + responses. When dropping privileges to a dedicated UID + (recommended) only the ACME client could write to its current + directory anyway, so following symlinks was not a serious + vulnerability. + - lacme(1), lacme-accountd(1): fix version number shown with + --version. + - client: remove potential race when creating ACME challenge response + files. -- Guilhem Moulin <guilhem@guilhem.org> Sun, 19 Feb 2017 13:08:41 +0100 |
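Review bot: the first hunk is a wording-only change ("dual-stack IPv4/IPv6" to "dual IPv4/IPv6 stack"); since the surrounding entry is being touched anyway, the path in the unchanged context line "socket by default </var/run/lacme.socket>" would read more consistently with the rest of the changelog if the angle brackets were dropped or the path were quoted like the other option names in this file.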
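Review bot: in the second hunk, the trailing context line "- new-cert: sort section names if not passed explicitely." contains a typo ("explicitely" should be "explicitly"); as this hunk already edits the adjacent "Provide nginx and apache2 configuration snippets." entry, fixing the spelling in the same change would avoid a separate cosmetic commit.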
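Review bot: in the third hunk, the new "webserver: refuse to follow symlink when serving ACME challenge responses" entry justifies the low severity only for the recommended configuration ("When dropping privileges to a dedicated UID (recommended) only the ACME client could write to its current directory anyway"); the entry should also state plainly that deployments which do not drop privileges were affected, so packagers and administrators can judge whether to prioritise the update. Likewise, "client: remove potential race when creating ACME challenge response files" gives no hint of the consequence of the race (e.g. whether a challenge file could be created with unintended content or permissions), and one clause describing it would make the changelog more useful to people triaging the fix.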