diff options
-rw-r--r-- | Changelog | 7 | ||||
-rwxr-xr-x | client | 5 | ||||
-rw-r--r-- | config/lacme.conf | 2 | ||||
-rwxr-xr-x | lacme | 13 | ||||
-rwxr-xr-x | lacme-accountd | 3 | ||||
-rw-r--r-- | lacme.md | 4 | ||||
-rw-r--r-- | snippets/apache2.conf (renamed from config/apache2.conf) | 2 | ||||
-rw-r--r-- | snippets/nginx.conf (renamed from config/nginx.conf) | 2 | ||||
-rwxr-xr-x | webserver | 3 |
9 files changed, 25 insertions, 16 deletions
@@ -5,7 +5,7 @@ lacme (0.3) upstream; + new-cert: create certificate files atomically. + webserver: allow listening to multiple addresses (useful when dual IPv4/IPv6 stack is not supported). Listen to a UNIX-domain - socket by default </var/run/lacme.socket>. + socket by default </var/run/lacme-www.socket>. + webserver: don't install temporary iptables by default. Hosts without a public HTTP daemon listening on port 80 need to set the 'listen' option to [::] and/or 0.0.0.0, and possibly set the @@ -30,6 +30,11 @@ lacme (0.3) upstream; --version. - client: remove potential race when creating ACME challenge response files. + - When using open with mode "<&=" or ">&=", ensure the expression + (fileno) is interpreted as an integer. (This failed in Perl v5.14.2 + from Debian Jessie.) + - Specify minimum required Perl version (v5.14.2). Moreover lacme(1) + requires Socket 1.95 or later (for instance for IPPROTO_IPV6). -- Guilhem Moulin <guilhem@guilhem.org> Sun, 19 Feb 2017 13:08:41 +0100 @@ -18,6 +18,7 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. #---------------------------------------------------------------------- +use v5.14.2; use strict; use warnings; @@ -62,9 +63,9 @@ my $COMMAND = shift @ARGV // die; # Untaint and fdopen(3) the configuration file and listening socket (shift @ARGV // die) =~ /\A(\d+)\z/ or die; -open my $CONFFILE, '<&=', $1 or die "fdopen $1: $!"; +open (my $CONFFILE, '<&=', $1+0) or die "fdopen $1: $!"; (shift @ARGV // die) =~ /\A(\d+)\z/ or die; -open my $S, '+<&=', $1 or die "fdopen $1: $!"; +open (my $S, '+<&=', $1+0) or die "fdopen $1: $!"; ############################################################################# diff --git a/config/lacme.conf b/config/lacme.conf index 874bb1f..3cc1b34 100644 --- a/config/lacme.conf +++ b/config/lacme.conf @@ -62,7 +62,7 @@ # Comma- or space-separated list of addresses to listen on, for instance # "0.0.0.0:80 [::]:80". # -#listen = /var/run/lacme.socket +#listen = /var/run/lacme-www.socket # Non-existent directory under which an external HTTP daemon is # configured to serve GET requests for challenge files under @@ -18,6 +18,7 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. #---------------------------------------------------------------------- +use v5.14.2; use strict; use warnings; @@ -30,9 +31,9 @@ use File::Temp (); use Getopt::Long qw/:config posix_default no_ignore_case gnu_getopt auto_version/; use List::Util 'first'; use POSIX (); -use Socket qw/AF_UNIX AF_INET AF_INET6 PF_UNIX PF_INET PF_INET6 PF_UNSPEC - INADDR_ANY IN6ADDR_ANY IPPROTO_IPV6 - SOCK_STREAM SOL_SOCKET SO_REUSEADDR SHUT_RDWR/; +use Socket 1.95 qw/AF_UNIX AF_INET AF_INET6 PF_UNIX PF_INET PF_INET6 PF_UNSPEC + INADDR_ANY IN6ADDR_ANY IPPROTO_IPV6 + SOCK_STREAM SOL_SOCKET SO_REUSEADDR SHUT_RDWR/; use Config::Tiny (); use Net::SSLeay (); @@ -96,7 +97,7 @@ do { map {$_ => undef} qw/server timeout SSL_verify SSL_version SSL_cipher_list/ }, webserver => { - listen => '/var/run/lacme.socket', + listen => '/var/run/lacme-www.socket', 'challenge-directory' => undef, user => 'www-data', group => 'www-data', @@ -532,7 +533,7 @@ sub acme_client($@) { # child doesn't have access to the parent's memory my @fileno = map { fileno($_) =~ /^(\d+)$/ ? $1 : die } ($CONFFILE, $client); # untaint fileno set_FD_CLOEXEC($client, 1); - my $rv = spawn({%$args{qw/in out/}, child => sub() { + my $rv = spawn({in => $args->{in}, out => $args->{out}, child => sub() { drop_privileges($conf->{user}, $conf->{group}, $args->{chdir} // '/'); set_FD_CLOEXEC($_, 0) foreach ($CONFFILE, $client); seek($CONFFILE, SEEK_SET, 0) or die "Can't seek: $!"; @@ -723,7 +724,7 @@ elsif ($COMMAND eq 'new-cert') { } # generate the CSR - my $csr = gen_csr(%$conf{qw/certificate-key subject subjectAltName keyUsage hash/}) // do { + my $csr = gen_csr(map {$_ => $conf->{$_}} qw/certificate-key subject subjectAltName keyUsage hash/) // do { print STDERR "[$s] Warning: Couldn't generate CSR, skipping\n"; $rv = 1; next; diff --git a/lacme-accountd b/lacme-accountd index 547af59..80ede29 100755 --- a/lacme-accountd +++ b/lacme-accountd @@ -19,6 +19,7 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. #---------------------------------------------------------------------- +use v5.14.2; use strict; use warnings; @@ -140,7 +141,7 @@ $JWK = JSON::->new->encode($JWK); if (defined $OPTS{'conn-fd'}) { die "Invalid file descriptor" unless $OPTS{'conn-fd'} =~ /\A(\d+)\z/; # untaint and fdopen(3) our end of the socket pair - open $S, '+<&=', $1 or die "fdopen $1: $!"; + open ($S, '+<&=', $1+0) or die "fdopen $1: $!"; } else { my $sockname = $OPTS{socket} // (defined $ENV{XDG_RUNTIME_DIR} ? "$ENV{XDG_RUNTIME_DIR}/S.lacme" : undef); die "Missing socket option\n" unless defined $sockname; @@ -232,12 +232,12 @@ served during certificate issuance. addresses are of the form `IPV4:PORT`, `[IPV6]:PORT` (where the `:PORT` suffix is optional and defaults to the HTTP port 80), or an absolute path of a UNIX-domain socket (created with mode `0666`). - Default: `/var/run/lacme.socket`. + Default: `/var/run/lacme-www.socket`. **Note**: The default value is only suitable when an external HTTP daemon is publicly reachable and passes all ACME challenge requests to the webserver component through the UNIX-domain socket - `/var/run/lacme.socket` (for instance using the provided + `/var/run/lacme-www.socket` (for instance using the provided `/etc/lacme/apache2.conf` or `/etc/lacme/nginx.conf` configuration snippets for each virtual host requiring authorization). If there is no HTTP daemon bound to port 80 one needs to set *listen* to diff --git a/config/apache2.conf b/snippets/apache2.conf index 20927fa..20bf2ad 100644 --- a/config/apache2.conf +++ b/snippets/apache2.conf @@ -5,7 +5,7 @@ # non-ssl one) of each virtual host requiring authorization. <Location /.well-known/acme-challenge/> - ProxyPass unix:///var/run/lacme.socket|http://127.0.0.1/.well-known/acme-challenge/ + ProxyPass unix:///var/run/lacme-www.socket|http://localhost/.well-known/acme-challenge/ Order allow,deny Allow from all </Location> diff --git a/config/nginx.conf b/snippets/nginx.conf index 6753ff9..981bdc3 100644 --- a/config/nginx.conf +++ b/snippets/nginx.conf @@ -6,7 +6,7 @@ location ^~ /.well-known/acme-challenge/ { # Pass ACME requests to lacme's webserver component - proxy_pass http://unix:/var/run/lacme.socket; + proxy_pass http://unix:/var/run/lacme-www.socket; ## Alternatively, you can let nginx serve the requests by ## setting 'challenge-directory' to '/var/www/acme-challenge' in @@ -19,6 +19,7 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. #---------------------------------------------------------------------- +use v5.14.2; use strict; use warnings; @@ -43,7 +44,7 @@ use Socket qw/AF_UNIX AF_INET AF_INET6/; # Untaint and fdopen(3) the listening socket (shift @ARGV // die) =~ /\A(\d+)\z/ or die; -open my $S, '+<&=', $1 or die "fdopen $1: $!"; +open (my $S, '+<&=', $1+0) or die "fdopen $1: $!"; my $ROOT = '/.well-known/acme-challenge'; close STDIN or die "close: $!"; |