diff options
| -rw-r--r-- | Changelog | 17 | ||||
| -rw-r--r-- | Makefile | 1 | ||||
| -rw-r--r-- | config/lacme-certs.conf | 25 | ||||
| -rw-r--r-- | config/lacme.conf | 24 | ||||
| -rwxr-xr-x | lacme | 119 | ||||
| -rwxr-xr-x | lacme-accountd | 9 | ||||
| -rw-r--r-- | lacme.md | 33 | 
7 files changed, 148 insertions, 80 deletions
| @@ -1,3 +1,20 @@ +lacme (0.2) upstream; + +  + Honor Retry-After headers for certificate issuance and challenge +    responses. +  + Update example of Subscriber Agreement URL to v1.1.1. +  + lacme: automaticall spawn lacme-acountd when a "[accountd]" section +    is present in the configuration file.  The "socket" option is then +    ignored, and the two processes communicate through a socket pair. +  + lacme: add an option --quiet to avoid mentioning valid certs (useful +    in cronjobs) +  + "config-certs" now points to a space separated list of files or +    directories.  New default "lacme-certs.conf lacme-certs.conf.d/". +  - Minor manpage fixes +  - More useful message upon Validation Challenge failure. + + -- Guilhem Moulin <guilhem@guilhem.org>  Sat, 03 Dec 2016 16:40:56 +0100 +  lacme (0.1) upstream;    * Initial public release.  Development was started in December 2015. @@ -25,6 +25,7 @@ all: ${MANPAGES}  install: ${MANPAGES}  	install -d $(DESTDIR)/etc/lacme +	install -d $(DESTDIR)/etc/lacme/lacme-certs.conf.d  	install -m0644 -t $(DESTDIR)/etc/lacme config/*.conf  	install -d $(DESTDIR)/usr/share/lacme  	install -m0644 -t $(DESTDIR)/usr/share/lacme certs/lets-encrypt-x[1-4]-cross-signed.pem diff --git a/config/lacme-certs.conf b/config/lacme-certs.conf index 9b9df2f..12fcd54 100644 --- a/config/lacme-certs.conf +++ b/config/lacme-certs.conf @@ -1,49 +1,62 @@ -# Each non-default section denotes a separate certificate issuance. -# Options in the default section apply to each sections. +# Each non-default section refer to separate certificate issuance +# requests. Options in the default section apply to each sections.  # Message digest to sign the Certificate Signing Request with. +#  #hash = sha512  # Comma-separated list of Key Usages, see x509v3_config(5ssl). +#  #keyUsage = digitalSignature, keyEncipherment +  #[www] +# Path the service's private key.  This option is required. +# +#certificate-key = /etc/nginx/ssl/srv.key +  # Where to store the issued certificate (in PEM format). +#  #certificate = /etc/nginx/ssl/srv.pem  # Where to store the issued certificate, concatenated with the content  # of the file specified specified with the CAfile option (in PEM format). +#  #certificate-chain = /etc/nginx/ssl/srv.chain.pem -# Path the service's private key.  This option is required. -#certificate-key = /etc/nginx/ssl/srv.key -  # For an existing certificate, the minimum number of days before its  # expiration date the section is considered for re-issuance. +#  #min-days = 10  # Path to the issuer's certificate.  This is used for certificate-chain  # and to verify the validity of each issued certificate.  Specifying an  # empty value skip certificate validation. +#  #CAfile = /usr/share/lacme/lets-encrypt-x3-cross-signed.pem  # Subject field of the Certificate Signing Request.  This option is  # required. +#  #subject = /CN=example.org  # Comma-separated list of Subject Alternative Names. +#  #subjectAltName = DNS:example.org,DNS:www.example.org  # username[:groupname] to chown the issued certificate and  # certificate-chain with. +#  #chown = root:root -# octal mode to chmod the issued certificate and certificate-chain with. +# Octal mode to chmod the issued certificate and certificate-chain with. +#  #chmod = 0644  # Command to pass the the system's command shell ("/bin/sh -c") after  # successful installation of the certificate and/or certificate-chain. +#  #notify = /bin/systemctl reload nginx diff --git a/config/lacme.conf b/config/lacme.conf index 39cfd36..c5efb03 100644 --- a/config/lacme.conf +++ b/config/lacme.conf @@ -1,9 +1,11 @@ -# For certificate issuance (new-cert command), specify the certificate -# configuration file to use +# For certificate issuance (new-cert command), specify a space-separated +# certificate configuration files or directories to use  # -#config-certs = /etc/lacme/lacme-certs.conf +#config-certs = lacme-certs.conf lacme-certs.conf.d/ +  [client] +  # The value of "socket" specifies the path to the lacme-accountd(1)  # UNIX-domain socket to connect to for signature requests from the ACME  # client.  lacme(1) aborts if the socket is readable or writable by @@ -25,10 +27,12 @@  # groupname to drop privileges to (setting both effective and real gid,  # and also setting the list of supplementary gids to that single group).  # Preserve root privileges if the value is empty (not recommended). +# Default: "nogroup".  #  #group = nogroup  # Path to the ACME client executable. +#  #command = /usr/lib/lacme/client  # Root URI of the ACME server.  NOTE: Use the staging server for testing @@ -43,12 +47,15 @@  #timeout = 10  # Whether to verify the server certificate chain. +#  #SSL_verify = yes  # Specify the version of the SSL protocol used to transmit data. +#  #SSL_version = SSLv23:!TLSv1_1:!TLSv1:!SSLv3:!SSLv2  # Specify the cipher list for the connection. +#  #SSL_cipher_list = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL @@ -78,6 +85,7 @@  #group = www-data  # Path to the ACME webserver executable. +#  #command = /usr/lib/lacme/webserver  # Whether to automatically install iptables(8) rules to open the @@ -87,10 +95,10 @@  #iptables = Yes -# lacme-accound(1) section.  Comment out the following section to make -# lacme(1) connect to an existing UNIX-domain socket bound by a running -# acme-accountd(1) process.  [accountd] +# lacme-accound(1) section.  Comment out this section (including its +# header) to make lacme(1) connect to an existing UNIX-domain socket +# bound by a running acme-accountd(1) process.  # username to drop privileges to (setting both effective and real uid).  # Preserve root privileges if the value is empty. @@ -104,16 +112,20 @@  #group = root  # Path to the lacme-accountd(1) executable. +#  #command = /usr/bin/lacme-accountd  # Path to the lacme-accountd(1) configuration file. +#  #config = /etc/lacme/lacme-accountd.conf  # The (private) account key to use for signing requests.  See  # lacme-accountd(1) for details. +#  #privkey = file:/path/to/account.key  # Be quiet. +#  #quiet = Yes  ; vim:ft=dosini @@ -60,7 +60,7 @@ sub usage(;$$) {      }      exit $rv;  } -usage(1) unless GetOptions(\%OPTS, qw/config=s config-certs=s socket=s agreement-uri=s quiet|q debug help|h/); +usage(1) unless GetOptions(\%OPTS, qw/config=s config-certs=s@ socket=s agreement-uri=s quiet|q debug help|h/);  usage(0) if $OPTS{help};  $COMMAND = shift(@ARGV) // usage(1, "Missing command"); @@ -68,15 +68,15 @@ $COMMAND = $COMMAND =~ /\A(new-reg|reg=\p{Print}*|new-cert|revoke-cert)\z/ ? $1           : usage(1, "Invalid command: $COMMAND"); # validate and untaint $COMMAND  @ARGV = map { /\A(\p{Print}*)\z/ ? $1 : die } @ARGV; # untaint @ARGV +my $CONFFILENAME = $OPTS{config} // first { -f $_ } +   ( "./$NAME.conf" +   , ($ENV{XDG_CONFIG_HOME} // "$ENV{HOME}/.config")."/lacme/$NAME.conf" +   , "/etc/lacme/$NAME.conf" +   );  do { -    my $conffile = $OPTS{config} // first { -f $_ } -        ( "./$NAME.conf" -        , ($ENV{XDG_CONFIG_HOME} // "$ENV{HOME}/.config")."/lacme/$NAME.conf" -        , "/etc/lacme/$NAME.conf" -        ); -    die "Error: Can't find configuration file\n" unless defined $conffile; -    print STDERR "Using configuration file: $conffile\n" if $OPTS{debug}; -    open $CONFFILE, '<', $conffile or die "Can't open $conffile: $!\n"; +    die "Error: Can't find configuration file\n" unless defined $CONFFILENAME; +    print STDERR "Using configuration file: $CONFFILENAME\n" if $OPTS{debug}; +    open $CONFFILE, '<', $CONFFILENAME or die "Can't open $CONFFILENAME: $!\n";      my $conf = do { local $/ = undef, <$CONFFILE> };      # don't close $CONFFILE so we can pass it to the client @@ -395,38 +395,34 @@ sub spawn_webserver() {  # If $args->{in} is defined, the data is written to the client's STDIN.  # If $args->{out} is defined, its value is set to client's STDOUT data.  # -my $ACCOUNTD = 0;  sub acme_client($@) {      my $args = shift;      my @args = @_; -    my $client; +    my ($client, $cleanup);      my $conf = $CONFIG->{client};      if (defined (my $accountd = $CONFIG->{accountd})) { -        unless ($ACCOUNTD) { -            socketpair($client, my $s, AF_UNIX, SOCK_STREAM, PF_UNSPEC) or die "socketpair: $!"; -            my $pid = fork() // "fork: $!"; -            unless ($pid) { -                drop_privileges($accountd->{user}, $accountd->{group}, '/'); -                set_FD_CLOEXEC($s, 0); -                $client->close() or die "Can't close: $!"; -                my @cmd = ($accountd->{command}, '--fdopen='.fileno($s)); -                push @cmd, '--config='.$accountd->{config}   if defined $accountd->{config}; -                push @cmd, '--privkey='.$accountd->{privkey} if defined $accountd->{privkey}; -                push @cmd, '--quiet' unless lc $accountd->{quiet} eq 'no'; -                push @cmd, '--debug' if $OPTS{debug}; -                exec { $cmd[0] } @cmd or die; -            } -            print STDERR "[$$] Forking lacme-accountd, child PID $pid\n" if $OPTS{debug}; -            $ACCOUNTD = $pid; -            $s->close() or die "Can't close: $!"; -            push @CLEANUP, sub() { -                print STDERR "[$$] Shutting down lacme-accountd\n" if $OPTS{debug}; -                shutdown($client, SHUT_RDWR) or warn "shutdown: $!"; -                kill 15 => $pid; -                waitpid $pid => 0; -            }; +        socketpair($client, my $s, AF_UNIX, SOCK_STREAM, PF_UNSPEC) or die "socketpair: $!"; +        my $pid = fork() // "fork: $!"; +        unless ($pid) { +            drop_privileges($accountd->{user}, $accountd->{group}, '/'); +            set_FD_CLOEXEC($s, 0); +            $client->close() or die "Can't close: $!"; +            my @cmd = ($accountd->{command}, '--conn-fd='.fileno($s)); +            push @cmd, '--config='.$accountd->{config}   if defined $accountd->{config}; +            push @cmd, '--privkey='.$accountd->{privkey} if defined $accountd->{privkey}; +            push @cmd, '--quiet' unless lc $accountd->{quiet} eq 'no'; +            push @cmd, '--debug' if $OPTS{debug}; +            exec { $cmd[0] } @cmd or die;          } +        print STDERR "[$$] Forking lacme-accountd, child PID $pid\n" if $OPTS{debug}; +        $s->close() or die "Can't close: $!"; +        $cleanup = sub() { +            print STDERR "[$$] Shutting down lacme-accountd\n" if $OPTS{debug}; +            shutdown($client, SHUT_RDWR) or warn "shutdown: $!"; +            $client->close() or warn "close: $!"; +        }; +        push @CLEANUP, $cleanup;      }      else {          my @stat; @@ -455,12 +451,18 @@ sub acme_client($@) {      # child doesn't have access to the parent's memory      my @fileno = map { fileno($_) =~ /^(\d+)$/ ? $1 : die } ($CONFFILE, $client); # untaint fileno      set_FD_CLOEXEC($client, 1); -    spawn({%$args{qw/in out/}, child => sub() { +    my $rv = spawn({%$args{qw/in out/}, child => sub() {          drop_privileges($conf->{user}, $conf->{group}, $args->{chdir} // '/');          set_FD_CLOEXEC($_, 0) foreach ($CONFFILE, $client);          seek($CONFFILE, SEEK_SET, 0) or die "Can't seek: $!";          $ENV{DEBUG} = $OPTS{debug};      }}, $conf->{command}, $COMMAND, @fileno, @args); + +    if (defined $cleanup) { +        @CLEANUP = grep { $_ ne $cleanup } @CLEANUP; +        $cleanup->(); +    } +    return $rv;  }  sub spawn($@) { @@ -557,24 +559,39 @@ if ($COMMAND eq 'new-reg' or $COMMAND =~ /^reg=/) {  # new-cert [SECTION ..]  #  elsif ($COMMAND eq 'new-cert') { +    my $conffiles = defined $OPTS{'config-certs'} ? $OPTS{'config-certs'} +                  : defined $CONFIG->{_}->{'config-certs'} ? [ split(/\s+/, $CONFIG->{_}->{'config-certs'}) ] +                  : [ "$NAME-certs.conf", "$NAME-certs.conf.d/" ];      my $conf; -    do { -        my $conffile = $OPTS{'config-certs'} // $CONFIG->{_}->{'config-certs'} // first { -f $_ } -            ( "./$NAME-certs.conf" -            , ($ENV{XDG_CONFIG_HOME} // "$ENV{HOME}/.config")."/lacme/$NAME-certs.conf" -            , "/etc/lacme/$NAME-certs.conf" -            ); -        die "Error: Can't find certificate configuration file\n" unless defined $conffile; -        my $h = Config::Tiny::->read($conffile) or die Config::Tiny::->errstr()."\n"; -        my $defaults = delete $h->{_} // {}; -        my @valid = qw/certificate certificate-chain certificate-key min-days CAfile -                       hash keyUsage subject subjectAltName chown chmod notify/; -        foreach my $s (keys %$h) { -            $conf->{$s} = { map { $_ => delete $h->{$s}->{$_} } @valid }; -            die "Unknown option(s) in [$s]: ".join(', ', keys %{$h->{$s}})."\n" if %{$h->{$s}}; -            $conf->{$s}->{$_} //= $defaults->{$_} foreach keys %$defaults; +    foreach my $conffile (@$conffiles) { +        $conffile = ($CONFFILENAME =~ s#[^/]+\z##r).$conffile unless $conffile =~ /\A\//; +        my @filenames; +        unless ($conffile =~ s#/\z## or -d $conffile) { +            @filenames = ($conffile); +        } else { +            opendir my $dh, $conffile or die "Can't opendir $conffile: $!\n"; +            while (readdir $dh) { +                if (/\.conf\z/) { +                    push @filenames, "$conffile/$_"; +                } elsif ($_ ne '.' and $_ ne '..') { +                    warn "$conffile/$_ has unknown suffix, skipping\n"; +                } +            } +            closedir $dh;          } -    }; +        foreach my $filename (sort @filenames) { +            print STDERR "Reading $filename\n" if $OPTS{debug}; +            my $h = Config::Tiny::->read($filename) or die Config::Tiny::->errstr()."\n"; +            my $defaults = delete $h->{_} // {}; +            my @valid = qw/certificate certificate-chain certificate-key min-days CAfile +                           hash keyUsage subject subjectAltName chown chmod notify/; +            foreach my $s (keys %$h) { +                $conf->{$s} = { map { $_ => delete $h->{$s}->{$_} } @valid }; +                die "Unknown option(s) in [$s]: ".join(', ', keys %{$h->{$s}})."\n" if %{$h->{$s}}; +                $conf->{$s}->{$_} //= $defaults->{$_} foreach keys %$defaults; +            } +        } +    }      my $challenge_dir;      my $rv = 0; diff --git a/lacme-accountd b/lacme-accountd index 411538d..00d6ccd 100755 --- a/lacme-accountd +++ b/lacme-accountd @@ -59,7 +59,7 @@ sub usage(;$$) {      }      exit $rv;  } -usage(1) unless GetOptions(\%OPTS, qw/config=s privkey=s socket=s fdopen=i quiet|q debug help|h/); +usage(1) unless GetOptions(\%OPTS, qw/config=s privkey=s socket=s conn-fd=i quiet|q debug help|h/);  usage(0) if $OPTS{help};  do { @@ -137,8 +137,9 @@ $JWK = JSON::->new->encode($JWK);  # to support the abstract namespace.)  The downside is that we have to  # delete the file manually.  # -if (defined $OPTS{fdopen}) { -    die "Invalid file descriptor" unless $OPTS{fdopen} =~ /\A(\d+)\z/; +if (defined $OPTS{'conn-fd'}) { +    die "Invalid file descriptor" unless $OPTS{'conn-fd'} =~ /\A(\d+)\z/; +    # untaint and fdopen(3) our end of the socket pair      open $S, '+<&=', $1 or die "fdopen $1: $!";  } else {      my $sockname = $OPTS{socket} // (defined $ENV{XDG_RUNTIME_DIR} ? "$ENV{XDG_RUNTIME_DIR}/S.lacme" : undef); @@ -182,7 +183,7 @@ sub conn($;$) {      }  } -if (defined $OPTS{fdopen}) { +if (defined $OPTS{'conn-fd'}) {      conn($S, $$);  } else {      $SIG{PIPE} = 'IGNORE'; # ignore broken pipes @@ -115,9 +115,13 @@ Generic options  :   Use *path* as the [`lacme-accountd`(1)] UNIX-domain socket to      connect to for signature requests from the [ACME] client.  `lacme`      aborts if `path` is readable or writable by other users, or if its -    parent directory is writable by other users.  This overrides the -    *socket* option of the [`[client]` section](#client-section) of the -    configuration file. +    parent directory is writable by other users. +    This command-line option overrides the *socket* option of the +    [`[client]` section](#client-section) of the configuration file. +    Moreover this option is ignored when the configuration file has an +    [`[accountd]` section](#accountd-section); in that case `lacme` +    spawns [`lacme-accountd`(1)], and the two processes communicate +    through a socket pair.  `-h`, `--help` @@ -147,9 +151,18 @@ Default section  *config-certs*  :   For certificate issuances (`new-cert` command), specify the -    certificate configuration file to use (see the **[certificate -    configuration file](#certificate-configuration-file)** section below -    for the configuration options). +    space-separated list of certificate configuration files or +    directories to use (see the **[certificate configuration +    file](#certificate-configuration-file)** section below for the +    configuration options). + +    Paths not starting with `/` are relative to the directory name of +    the **[configuration filename](#configuration-file)**.  The list of +    files and directories is processed in order, with the later items +    taking precedence.  Files in a directory are processed in +    lexicographic order, only considering the ones with suffix `.conf`. + +    Default: `lacme-certs.conf lacme-certs.conf.d/`.  `[client]` section  ------------------ @@ -299,12 +312,6 @@ Certificate configuration file  For certificate issuances (`new-cert` command), a separate file is used  to configure paths to the certificate and key, as well as the subject,  subjectAltName, etc. to generate Certificate Signing Requests. -If `--config-certs=` is not given, and if the `config-certs` -configuration option is absent, then `lacme` uses the first existing -configuration file among *./lacme-certs.conf*, -*$XDG_CONFIG_HOME/lacme/lacme-certs.conf* (or -*~/.config/lacme/lacme-certs.conf* if the `XDG_CONFIG_HOME` environment -variable is not set), and */etc/lacme/lacme-certs.conf*.  Each section denotes a separate certificate issuance.  Valid options are: @@ -383,7 +390,7 @@ Examples  ========      ~$ sudo lacme new-reg mailto:noreply@example.com -    ~$ sudo lacme reg=/acme/reg/137760 --agreement-uri=https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf +    ~$ sudo lacme reg=/acme/reg/123456 --agreement-uri=https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf      ~$ sudo lacme new-cert      ~$ sudo lacme revoke-cert /path/to/server/certificate.pem | 
