author Guilhem Moulin <guilhem@fripost.org> 2021-02-14 22:59:11 +0100
committer Guilhem Moulin <guilhem@fripost.org> 2021-02-15 01:31:27 +0100
commit 2c1a396728a381685923f7b1c4dea53d225112fc (patch)
tree 2de0abe91788ea9c795e91eba38e69069412bfb1 /Changelog
parent 956764d11c9445c835f992a782d90d8de90fe565 (diff)
Add (self-signed) ISRG Roots to the CA bundle.
This allows us to fully validate provided X.509 chains using that self-contained bundle, regardless of which CAs are marked as trusted under /etc/ssl/certs. Also, remove cross-signed intermediate CAs from the bundle as they're useless in a self-contained bundle. Also, remove decommissioned intermediate CAs Authority X3 and X4 from the bundle. This change bumps the minimum OpenSSL version to 1.1.0 (for verify(1ssl)'s ‘-trusted’ and ‘-show_chain’ options).
Diffstat (limited to 'Changelog')
-rw-r--r-- Changelog 7
1 files changed, 7 insertions, 0 deletions
diff --git a/Changelog b/Changelog
index 72e4be6..7cef63c 100644
--- a/Changelog
+++ b/Changelog
@@ -12,6 +12,13 @@ lacme (0.7.1) upstream;
* lacme: new flag `--force`, which aliases to `--min-days=-1`, i.e.,
forces renewal regardless of the expiration date of existing
certificates.
+ * Remove decomissioned intermediate CAs Authority X3 and X4 from the
+ bundle.
+ * Remove cross-signed intermediate CAs from the bundle and add the
+ (self-signed) ISRG Root X1 and X2 instead. This allows us to fully
+ validate provided X.509 chains using that self-contained bundle,
+ regardless of which CAs is marqued as trusted under /etc/ssl/certs.
+ This change bumps the minimum OpenSSL version to 1.1.0.
+ Improve nginx/apache2 snippets for direct serving of challenge files
(with the new 'challenge-directory' logic symlinks can be disabled).
- lacme: delay webserver socket shutdown to after the process has
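Review bot: the added Changelog lines contain three slips that will ship in the release notes: "decomissioned" should be "decommissioned", "marqued" should be "marked", and "which CAs is" should read "which CAs are". The last added line also states the new OpenSSL 1.1.0 minimum without saying why; the commit message gives the reason (verify(1ssl)'s '-trusted' and '-show_chain' options), and repeating it in the entry would tell packagers on older OpenSSL what actually breaks. Since the entry changes which roots the bundle anchors to, it would also help to say that validation no longer depends on the system trust store by default, so that operators who pinned or removed CAs under /etc/ssl/certs know that setting no longer affects lacme's chain check.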