aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--README11
-rw-r--r--config/letsencrypt-certs.conf6
-rw-r--r--lets-encrypt-x3-cross-signed.pem27
-rw-r--r--lets-encrypt-x4-cross-signed.pem27
-rwxr-xr-xletsencrypt6
-rw-r--r--letsencrypt-accountd.112
-rw-r--r--letsencrypt.114
7 files changed, 90 insertions, 13 deletions
diff --git a/README b/README
index 69a1859..37c531a 100644
--- a/README
+++ b/README
@@ -53,3 +53,14 @@ with its own executable:
"/.well-known/acme-challenge/" URI. By default some iptables(1)
rules are automatically installed to open the HTTP port, and removed
afterwards.
+
+Consult the manuals for more information.
+
+ https://guilhem.org/man/letsencrypt.1.html
+ https://guilhem.org/man/letsencrypt-accountd.1.html
+
+_______________________________________________________________________
+
+letsencrypt is Copyright© 2016 Guilhem Moulin ⟨guilhem@fripost.org⟩, and
+licensed for use under the GNU General Public License version 3 or
+later. See ‘COPYING’ for specific terms and distribution information.
diff --git a/config/letsencrypt-certs.conf b/config/letsencrypt-certs.conf
index 5613ef6..2ee9b20 100644
--- a/config/letsencrypt-certs.conf
+++ b/config/letsencrypt-certs.conf
@@ -26,7 +26,7 @@
# Path to the issuer's certificate. This is used for certificate-chain
# and to verify the validity of each issued certificate. Specifying an
# empty value skip certificate validation.
-#CAfile = /usr/share/letsencrypt-tiny/lets-encrypt-x1-cross-signed.pem
+#CAfile = /usr/share/letsencrypt-tiny/lets-encrypt-x3-cross-signed.pem
# Subject field of the Certificate Signing Request. This option is
# required.
@@ -44,13 +44,13 @@
# Command to pass the the system's command shell ("/bin/sh -c") after
# successful installation of the certificate and/or certificate-chain.
-#notify = /bin/systemctl restart nginx
+#notify = /bin/systemctl reload nginx
#[smtp]
#certificate-key = /etc/postfix/ssl/srv.key
#certificate-chain = /etc/postfix/ssl/srv.pem
#subject = /CN=smtp.example.org
-#notify = /bin/systemctl restart postfix
+#notify = /bin/systemctl reload postfix
; vim:ft=dosini
diff --git a/lets-encrypt-x3-cross-signed.pem b/lets-encrypt-x3-cross-signed.pem
new file mode 100644
index 0000000..0002462
--- /dev/null
+++ b/lets-encrypt-x3-cross-signed.pem
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
+SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
+GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
+q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
+SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
+Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
+a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
+/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
+AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
+CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
+bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
+c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
+VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
+ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
+MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
+Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
+AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
+uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
+wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
+X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
+PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
+KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
+-----END CERTIFICATE-----
diff --git a/lets-encrypt-x4-cross-signed.pem b/lets-encrypt-x4-cross-signed.pem
new file mode 100644
index 0000000..c0b4eb6
--- /dev/null
+++ b/lets-encrypt-x4-cross-signed.pem
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc6bLEeMfizANBgkqhkiG9w0BAQsFADA/
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDEwMloXDTIxMDMxNzE2NDEwMlow
+SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
+GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFg0MIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEA4SR0Qnu3kTHZc/84qtjORFy3OQrcRK4NvUW5lzdnr71QT1/T
+EFRr90HajmPmbVvA6ECpjEH80QOJ/2JhCWDWBwV4mpC9GmQ+T9zPdy+Ja8tnr0FN
+xY0AwGv+jYTctfKVMajo9pCgQ0qTdFyzPkNpS4kiR3RRPplkw80kAfmELyh3FyKn
+3cNsCExmLzd0xW+TjrBGNxZh0VCYyLAPT1hTfKz22i2WYVCtQ9wKpk+etVK5nI7v
+Tt9GszHcIPxpwqMgdT7sOBs2TmZm0t/1ZqSTL3umDpQ+YD1KSxxvurRNHDyRWG4v
+TcTacNvtATl2wEnn6TW1FAaQweWS4hD9a7m0hQIDAQABo4IBfTCCAXkwEgYDVR0T
+AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
+CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
+bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
+c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
+VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
+ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
+MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
+Y3JsMB0GA1UdDgQWBBTFsatOTLHNZDCTfsGEmQWr5gPiJTANBgkqhkiG9w0BAQsF
+AAOCAQEANlaeSdstfAtqFN3jdRZJFjx9X+Ob3PIDlekPYQ1OQ1Uw43rE1FUj7hUw
+g2MJKfs9b7M0WoQg7C20nJY/ajsg7pWhUG3J6rlkDTfVY9faeWi0qsPYXE6BpBDr
+5BrW/Xv8yT8U2BiEAmNggWq8dmFl82fghmLzHBM8X8NZ3ZwA1fGePA53AP5IoD+0
+ArpW8Ik1sSuQBjZ8oQLfN+G8OoY7MNRopyLyQQCNy4aWfE+xYnoVoa5+yr+aPiX0
+7YQrY/cKawAn7QB4PyF5//IKSAVs7mAuB68wbMdE3FKfOHfJ24W4z/bIJTrTY8Y5
+Sr4AUhtzf8oVDrHZYWRrP4joIcOu/Q==
+-----END CERTIFICATE-----
diff --git a/letsencrypt b/letsencrypt
index 23659d5..d11b569 100755
--- a/letsencrypt
+++ b/letsencrypt
@@ -410,6 +410,8 @@ sub acme_client($@) {
die "connect: $!";
}
+ # use execve(2) rather than a Perl pseudo-process to ensure that the
+ # child doesn't have access to the parent's memory
my @fileno = map { fileno($_) =~ /^(\d+)$/ ? $1 : die } ($CONFFILE, $client); # untaint fileno
spawn({%$args{qw/in out/}, child => sub() {
drop_privileges($conf->{user}, $conf->{group}, $args->{chdir} // '/');
@@ -448,8 +450,6 @@ sub spawn($@) {
} else {
open STDOUT, '>', '/dev/null' or die "Can't open /dev/null: $!";
}
- # use execve(2) rather than a Perl pseudo-process to ensure that
- # the child doesn't have access to the parent's memory
exec { $exec[0] } @exec or die;
}
push @CLEANUP, sub() {
@@ -604,7 +604,7 @@ elsif ($COMMAND eq 'new-cert') {
};
# verify certificate validity against the CA
- $conf->{CAfile} //= '/usr/share/letsencrypt-tiny/lets-encrypt-x1-cross-signed.pem';
+ $conf->{CAfile} //= '/usr/share/letsencrypt-tiny/lets-encrypt-x3-cross-signed.pem';
if ($conf->{CAfile} ne '' and spawn({in => $x509}, 'openssl', 'verify', '-CAfile', $conf->{CAfile},
qw/-purpose sslserver -x509_strict/)) {
print STDERR "[$s] Error: Received invalid X.509 certificate from ACME server!\n";
diff --git a/letsencrypt-accountd.1 b/letsencrypt-accountd.1
index 41d7630..a06cdcc 100644
--- a/letsencrypt-accountd.1
+++ b/letsencrypt-accountd.1
@@ -142,6 +142,12 @@ Alternatively, use \fIssh\fR(1) to forward the socket and execute
\fBletsencrypt\fR(1), \fBssh\fR(1)
.SH AUTHOR
-Written by Guilhem Moulin
-.MT guilhem@fripost.org
-.ME .
+.ie \n[www-html] \{\
+ Written by
+. MTO guilhem@fripost.org "Guilhem Moulin" .
+\}
+.el \{\
+ Written by Guilhem Moulin
+. MT guilhem@fripost.org
+. ME .
+\}
diff --git a/letsencrypt.1 b/letsencrypt.1
index 2175bd2..1c4b0db 100644
--- a/letsencrypt.1
+++ b/letsencrypt.1
@@ -305,7 +305,7 @@ Path to the issuer's certificate. This is used for
\fIcertificate\-chain\fR and to verify the validity of each issued
certificate.
Specifying an empty value skip certificate validation.
-Default: \(lq/usr/share/letsencrypt\-tiny/lets\-encrypt\-x1\-cross\-signed.pem\(rq.
+Default: \(lq/usr/share/letsencrypt\-tiny/lets\-encrypt\-x3\-cross\-signed.pem\(rq.
.TP
.I hash
@@ -359,6 +359,12 @@ after successful installation of the \fIcertificate\fR and/or
\fBletsencrypt\-accountd\fR(1)
.SH AUTHOR
-Written by Guilhem Moulin
-.MT guilhem@fripost.org
-.ME .
+.ie \n[www-html] \{\
+ Written by
+. MTO guilhem@fripost.org "Guilhem Moulin" .
+\}
+.el \{\
+ Written by Guilhem Moulin
+. MT guilhem@fripost.org
+. ME .
+\}