diff options
-rw-r--r-- | README | 11 | ||||
-rw-r--r-- | config/letsencrypt-certs.conf | 6 | ||||
-rw-r--r-- | lets-encrypt-x3-cross-signed.pem | 27 | ||||
-rw-r--r-- | lets-encrypt-x4-cross-signed.pem | 27 | ||||
-rwxr-xr-x | letsencrypt | 6 | ||||
-rw-r--r-- | letsencrypt-accountd.1 | 12 | ||||
-rw-r--r-- | letsencrypt.1 | 14 |
7 files changed, 90 insertions, 13 deletions
@@ -53,3 +53,14 @@ with its own executable: "/.well-known/acme-challenge/" URI. By default some iptables(1) rules are automatically installed to open the HTTP port, and removed afterwards. + +Consult the manuals for more information. + + https://guilhem.org/man/letsencrypt.1.html + https://guilhem.org/man/letsencrypt-accountd.1.html + +_______________________________________________________________________ + +letsencrypt is Copyright© 2016 Guilhem Moulin ⟨guilhem@fripost.org⟩, and +licensed for use under the GNU General Public License version 3 or +later. See ‘COPYING’ for specific terms and distribution information. diff --git a/config/letsencrypt-certs.conf b/config/letsencrypt-certs.conf index 5613ef6..2ee9b20 100644 --- a/config/letsencrypt-certs.conf +++ b/config/letsencrypt-certs.conf @@ -26,7 +26,7 @@ # Path to the issuer's certificate. This is used for certificate-chain # and to verify the validity of each issued certificate. Specifying an # empty value skip certificate validation. -#CAfile = /usr/share/letsencrypt-tiny/lets-encrypt-x1-cross-signed.pem +#CAfile = /usr/share/letsencrypt-tiny/lets-encrypt-x3-cross-signed.pem # Subject field of the Certificate Signing Request. This option is # required. @@ -44,13 +44,13 @@ # Command to pass the the system's command shell ("/bin/sh -c") after # successful installation of the certificate and/or certificate-chain. -#notify = /bin/systemctl restart nginx +#notify = /bin/systemctl reload nginx #[smtp] #certificate-key = /etc/postfix/ssl/srv.key #certificate-chain = /etc/postfix/ssl/srv.pem #subject = /CN=smtp.example.org -#notify = /bin/systemctl restart postfix +#notify = /bin/systemctl reload postfix ; vim:ft=dosini diff --git a/lets-encrypt-x3-cross-signed.pem b/lets-encrypt-x3-cross-signed.pem new file mode 100644 index 0000000..0002462 --- /dev/null +++ b/lets-encrypt-x3-cross-signed.pem @@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE----- +MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/ +MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT +DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow +SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT +GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF +q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8 +SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0 +Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA +a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj +/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T +AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG +CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv +bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k +c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw +VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC +ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz +MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu +Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF +AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo +uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/ +wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu +X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG +PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6 +KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg== +-----END CERTIFICATE----- diff --git a/lets-encrypt-x4-cross-signed.pem b/lets-encrypt-x4-cross-signed.pem new file mode 100644 index 0000000..c0b4eb6 --- /dev/null +++ b/lets-encrypt-x4-cross-signed.pem @@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE----- +MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc6bLEeMfizANBgkqhkiG9w0BAQsFADA/ +MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT +DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDEwMloXDTIxMDMxNzE2NDEwMlow +SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT +GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFg0MIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEA4SR0Qnu3kTHZc/84qtjORFy3OQrcRK4NvUW5lzdnr71QT1/T +EFRr90HajmPmbVvA6ECpjEH80QOJ/2JhCWDWBwV4mpC9GmQ+T9zPdy+Ja8tnr0FN +xY0AwGv+jYTctfKVMajo9pCgQ0qTdFyzPkNpS4kiR3RRPplkw80kAfmELyh3FyKn +3cNsCExmLzd0xW+TjrBGNxZh0VCYyLAPT1hTfKz22i2WYVCtQ9wKpk+etVK5nI7v +Tt9GszHcIPxpwqMgdT7sOBs2TmZm0t/1ZqSTL3umDpQ+YD1KSxxvurRNHDyRWG4v +TcTacNvtATl2wEnn6TW1FAaQweWS4hD9a7m0hQIDAQABo4IBfTCCAXkwEgYDVR0T +AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG +CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv +bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k +c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw +VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC +ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz +MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu +Y3JsMB0GA1UdDgQWBBTFsatOTLHNZDCTfsGEmQWr5gPiJTANBgkqhkiG9w0BAQsF +AAOCAQEANlaeSdstfAtqFN3jdRZJFjx9X+Ob3PIDlekPYQ1OQ1Uw43rE1FUj7hUw +g2MJKfs9b7M0WoQg7C20nJY/ajsg7pWhUG3J6rlkDTfVY9faeWi0qsPYXE6BpBDr +5BrW/Xv8yT8U2BiEAmNggWq8dmFl82fghmLzHBM8X8NZ3ZwA1fGePA53AP5IoD+0 +ArpW8Ik1sSuQBjZ8oQLfN+G8OoY7MNRopyLyQQCNy4aWfE+xYnoVoa5+yr+aPiX0 +7YQrY/cKawAn7QB4PyF5//IKSAVs7mAuB68wbMdE3FKfOHfJ24W4z/bIJTrTY8Y5 +Sr4AUhtzf8oVDrHZYWRrP4joIcOu/Q== +-----END CERTIFICATE----- diff --git a/letsencrypt b/letsencrypt index 23659d5..d11b569 100755 --- a/letsencrypt +++ b/letsencrypt @@ -410,6 +410,8 @@ sub acme_client($@) { die "connect: $!"; } + # use execve(2) rather than a Perl pseudo-process to ensure that the + # child doesn't have access to the parent's memory my @fileno = map { fileno($_) =~ /^(\d+)$/ ? $1 : die } ($CONFFILE, $client); # untaint fileno spawn({%$args{qw/in out/}, child => sub() { drop_privileges($conf->{user}, $conf->{group}, $args->{chdir} // '/'); @@ -448,8 +450,6 @@ sub spawn($@) { } else { open STDOUT, '>', '/dev/null' or die "Can't open /dev/null: $!"; } - # use execve(2) rather than a Perl pseudo-process to ensure that - # the child doesn't have access to the parent's memory exec { $exec[0] } @exec or die; } push @CLEANUP, sub() { @@ -604,7 +604,7 @@ elsif ($COMMAND eq 'new-cert') { }; # verify certificate validity against the CA - $conf->{CAfile} //= '/usr/share/letsencrypt-tiny/lets-encrypt-x1-cross-signed.pem'; + $conf->{CAfile} //= '/usr/share/letsencrypt-tiny/lets-encrypt-x3-cross-signed.pem'; if ($conf->{CAfile} ne '' and spawn({in => $x509}, 'openssl', 'verify', '-CAfile', $conf->{CAfile}, qw/-purpose sslserver -x509_strict/)) { print STDERR "[$s] Error: Received invalid X.509 certificate from ACME server!\n"; diff --git a/letsencrypt-accountd.1 b/letsencrypt-accountd.1 index 41d7630..a06cdcc 100644 --- a/letsencrypt-accountd.1 +++ b/letsencrypt-accountd.1 @@ -142,6 +142,12 @@ Alternatively, use \fIssh\fR(1) to forward the socket and execute \fBletsencrypt\fR(1), \fBssh\fR(1) .SH AUTHOR -Written by Guilhem Moulin -.MT guilhem@fripost.org -.ME . +.ie \n[www-html] \{\ + Written by +. MTO guilhem@fripost.org "Guilhem Moulin" . +\} +.el \{\ + Written by Guilhem Moulin +. MT guilhem@fripost.org +. ME . +\} diff --git a/letsencrypt.1 b/letsencrypt.1 index 2175bd2..1c4b0db 100644 --- a/letsencrypt.1 +++ b/letsencrypt.1 @@ -305,7 +305,7 @@ Path to the issuer's certificate. This is used for \fIcertificate\-chain\fR and to verify the validity of each issued certificate. Specifying an empty value skip certificate validation. -Default: \(lq/usr/share/letsencrypt\-tiny/lets\-encrypt\-x1\-cross\-signed.pem\(rq. +Default: \(lq/usr/share/letsencrypt\-tiny/lets\-encrypt\-x3\-cross\-signed.pem\(rq. .TP .I hash @@ -359,6 +359,12 @@ after successful installation of the \fIcertificate\fR and/or \fBletsencrypt\-accountd\fR(1) .SH AUTHOR -Written by Guilhem Moulin -.MT guilhem@fripost.org -.ME . +.ie \n[www-html] \{\ + Written by +. MTO guilhem@fripost.org "Guilhem Moulin" . +\} +.el \{\ + Written by Guilhem Moulin +. MT guilhem@fripost.org +. ME . +\} |