| -rw-r--r-- | Changelog | 7 | ||||
| -rwxr-xr-x | client | 5 | ||||
| -rw-r--r-- | config/lacme.conf | 2 | ||||
| -rwxr-xr-x | lacme | 13 | ||||
| -rwxr-xr-x | lacme-accountd | 3 | ||||
| -rw-r--r-- | lacme.md | 4 | ||||
| -rw-r--r-- | snippets/apache2.conf (renamed from config/apache2.conf) | 2 | ||||
| -rw-r--r-- | snippets/nginx.conf (renamed from config/nginx.conf) | 2 | ||||
| -rwxr-xr-x | webserver | 3 | 
9 files changed, 25 insertions, 16 deletions
| @@ -5,7 +5,7 @@ lacme (0.3) upstream;
   + new-cert: create certificate files atomically.
   + webserver: allow listening to multiple addresses (useful when
     dual IPv4/IPv6 stack is not supported).  Listen to a UNIX-domain
-    socket by default </var/run/lacme.socket>.
+    socket by default </var/run/lacme-www.socket>.
   + webserver: don't install temporary iptables by default.  Hosts
     without a public HTTP daemon listening on port 80 need to set the
     'listen' option to [::] and/or 0.0.0.0, and possibly set the
@@ -30,6 +30,11 @@ lacme (0.3) upstream;
     --version.
   - client: remove potential race when creating ACME challenge response
     files.
+  - When using open with mode "<&=" or ">&=", ensure the expression
+    (fileno) is interpreted as an integer.  (This failed in Perl v5.14.2
+    from Debian Jessie.)
+  - Specify minimum required Perl version (v5.14.2).  Moreover lacme(1)
+    requires Socket 1.95 or later (for instance for IPPROTO_IPV6).
  -- Guilhem Moulin <guilhem@guilhem.org>  Sun, 19 Feb 2017 13:08:41 +0100
@@ -18,6 +18,7 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 #----------------------------------------------------------------------
+use v5.14.2;
 use strict;
 use warnings;
@@ -62,9 +63,9 @@ my $COMMAND = shift @ARGV // die;
 # Untaint and fdopen(3) the configuration file and listening socket
 (shift @ARGV // die) =~ /\A(\d+)\z/ or die;
-open my $CONFFILE, '<&=', $1 or die "fdopen $1: $!";
+open (my $CONFFILE, '<&=', $1+0) or die "fdopen $1: $!";
 (shift @ARGV // die) =~ /\A(\d+)\z/ or die;
-open my $S, '+<&=', $1 or die "fdopen $1: $!";
+open (my $S, '+<&=', $1+0) or die "fdopen $1: $!";
 #############################################################################
diff --git a/config/lacme.conf b/config/lacme.conf
index 874bb1f..3cc1b34 100644
--- a/config/lacme.conf
+++ b/config/lacme.conf
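Review bot: The added `use v5.14.2;` does more than declare a version floor: a `use VERSION` of 5.12 or later implicitly enables `strict` and imports the `:5.14` feature bundle (`say`, `state`, `switch`, `unicode_strings`), so `given`/`when`/`default` become keywords and regex and case operations on non-UTF-8 strings switch to Unicode semantics. The Changelog entry describes the intent as "Specify minimum required Perl version"; if that is all that is wanted, `require v5.14.2;` checks the version without changing the program's semantics. If the feature bundle is intended, a short comment such as `# also enables strict and the :5.14 feature bundle` would stop a later cleanup from treating the `use strict;` below as redundant. The same line is added to lacme, lacme-accountd and webserver in this commit.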
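Review bot: The `+0` in the two new `open` calls is load-bearing but nothing in the code explains it; only the Changelog hunk above says that Perl 5.14.2 did not interpret the digit string as an integer fd with the `<&=` / `+<&=` modes, and without that context a future cleanup could drop it as a no-op. Add a why-comment next to the untaint line, e.g. `# +0: make the fd numeric; a digit string was not accepted as an fd by Perl 5.14.2 (see Changelog)`. Consider also capturing once, `my $fd = $1 + 0;`, and using `$fd` in both the `open` and the `die` message, so the two statements do not each depend on `$1` from the preceding match.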
@@ -62,7 +62,7 @@
 # Comma- or space-separated list of addresses to listen on, for instance
 # "0.0.0.0:80 [::]:80".
 #
-#listen = /var/run/lacme.socket
+#listen = /var/run/lacme-www.socket
 # Non-existent directory under which an external HTTP daemon is
 # configured to serve GET requests for challenge files under
@@ -18,6 +18,7 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 #----------------------------------------------------------------------
+use v5.14.2;
 use strict;
 use warnings;
@@ -30,9 +31,9 @@ use File::Temp ();
 use Getopt::Long qw/:config posix_default no_ignore_case gnu_getopt auto_version/;
 use List::Util 'first';
 use POSIX ();
-use Socket qw/AF_UNIX AF_INET AF_INET6 PF_UNIX PF_INET PF_INET6 PF_UNSPEC
-              INADDR_ANY IN6ADDR_ANY IPPROTO_IPV6
-              SOCK_STREAM SOL_SOCKET SO_REUSEADDR SHUT_RDWR/;
+use Socket 1.95 qw/AF_UNIX AF_INET AF_INET6 PF_UNIX PF_INET PF_INET6 PF_UNSPEC
+                   INADDR_ANY IN6ADDR_ANY IPPROTO_IPV6
+                   SOCK_STREAM SOL_SOCKET SO_REUSEADDR SHUT_RDWR/;
 use Config::Tiny ();
 use Net::SSLeay ();
@@ -96,7 +97,7 @@ do {
             map {$_ => undef} qw/server timeout SSL_verify SSL_version SSL_cipher_list/
         },
         webserver => {
-            listen                => '/var/run/lacme.socket',
+            listen                => '/var/run/lacme-www.socket',
             'challenge-directory' => undef,
             user                  => 'www-data',
             group                 => 'www-data',
@@ -532,7 +533,7 @@ sub acme_client($@) {
     # child doesn't have access to the parent's memory
     my @fileno = map { fileno($_) =~ /^(\d+)$/ ? $1 : die } ($CONFFILE, $client); # untaint fileno
     set_FD_CLOEXEC($client, 1);
-    my $rv = spawn({%$args{qw/in out/}, child => sub() {
+    my $rv = spawn({in => $args->{in}, out => $args->{out}, child => sub() {
         drop_privileges($conf->{user}, $conf->{group}, $args->{chdir} // '/');
         set_FD_CLOEXEC($_, 0) foreach ($CONFFILE, $client);
         seek($CONFFILE, SEEK_SET, 0) or die "Can't seek: $!";
@@ -723,7 +724,7 @@ elsif ($COMMAND eq 'new-cert') {
         }
         # generate the CSR
-        my $csr = gen_csr(%$conf{qw/certificate-key subject subjectAltName keyUsage hash/}) // do {
+        my $csr = gen_csr(map {$_ => $conf->{$_}} qw/certificate-key subject subjectAltName keyUsage hash/) // do {
             print STDERR "[$s] Warning: Couldn't generate CSR, skipping\n";
             $rv = 1;
             next;
diff --git a/lacme-accountd b/lacme-accountd
index 547af59..80ede29 100755
--- a/lacme-accountd
+++ b/lacme-accountd
@@ -19,6 +19,7 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 #----------------------------------------------------------------------
+use v5.14.2;
 use strict;
 use warnings;
@@ -140,7 +141,7 @@ $JWK = JSON::->new->encode($JWK);
 if (defined $OPTS{'conn-fd'}) {
     die "Invalid file descriptor" unless $OPTS{'conn-fd'} =~ /\A(\d+)\z/;
     # untaint and fdopen(3) our end of the socket pair
-    open $S, '+<&=', $1 or die "fdopen $1: $!";
+    open ($S, '+<&=', $1+0) or die "fdopen $1: $!";
 } else {
     my $sockname = $OPTS{socket} // (defined $ENV{XDG_RUNTIME_DIR} ? "$ENV{XDG_RUNTIME_DIR}/S.lacme" : undef);
     die "Missing socket option\n" unless defined $sockname;
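Review bot: After the new `open ($S, '+<&=', $1+0)` in lacme-accountd the only validation of `--conn-fd` is the digit-string regex two lines above; nothing checks that the descriptor really is the socket-pair end the comment describes, so a stray number (fd 0, or any descriptor left open by whatever started the daemon) would be accepted as the channel this daemon presumably serves signing requests over. A cheap guard after the open, `-S $S or die "fd $1 is not a socket\n";`, rejects non-socket descriptors; whether a stricter check (e.g. `getsockopt` `SO_TYPE` for a stream socket) is warranted depends on how the fd is handed over, which is outside this hunk. The `if` block continues past the end of the hunk.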
@@ -232,12 +232,12 @@ served during certificate issuance.
     addresses are of the form `IPV4:PORT`, `[IPV6]:PORT` (where the
     `:PORT` suffix is optional and defaults to the HTTP port 80), or an
     absolute path of a UNIX-domain socket (created with mode `0666`).
-    Default: `/var/run/lacme.socket`.
+    Default: `/var/run/lacme-www.socket`.
     **Note**: The default value is only suitable when an external HTTP
     daemon is publicly reachable and passes all ACME challenge requests
     to the webserver component through the UNIX-domain socket
-    `/var/run/lacme.socket` (for instance using the provided
+    `/var/run/lacme-www.socket` (for instance using the provided
     `/etc/lacme/apache2.conf` or `/etc/lacme/nginx.conf` configuration
     snippets for each virtual host requiring authorization).  If there
     is no HTTP daemon bound to port 80 one needs to set *listen* to
diff --git a/config/apache2.conf b/snippets/apache2.conf
index 20927fa..20bf2ad 100644
--- a/config/apache2.conf
+++ b/snippets/apache2.conf
@@ -5,7 +5,7 @@
 # non-ssl one) of each virtual host requiring authorization.
 <Location /.well-known/acme-challenge/>
-  ProxyPass unix:///var/run/lacme.socket|http://127.0.0.1/.well-known/acme-challenge/
+  ProxyPass unix:///var/run/lacme-www.socket|http://localhost/.well-known/acme-challenge/
   Order allow,deny
   Allow from all
 </Location>
diff --git a/config/nginx.conf b/snippets/nginx.conf
index 6753ff9..981bdc3 100644
--- a/config/nginx.conf
+++ b/snippets/nginx.conf
@@ -6,7 +6,7 @@
 location ^~ /.well-known/acme-challenge/ {
     # Pass ACME requests to lacme's webserver component
-    proxy_pass http://unix:/var/run/lacme.socket;
+    proxy_pass http://unix:/var/run/lacme-www.socket;
     ## Alternatively, you can let nginx serve the requests by
     ## setting 'challenge-directory' to '/var/www/acme-challenge' in
@@ -19,6 +19,7 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 #----------------------------------------------------------------------
+use v5.14.2;
 use strict;
 use warnings;
@@ -43,7 +44,7 @@ use Socket qw/AF_UNIX AF_INET AF_INET6/;
 # Untaint and fdopen(3) the listening socket
 (shift @ARGV // die) =~ /\A(\d+)\z/ or die;
-open my $S, '+<&=', $1 or die "fdopen $1: $!";
+open (my $S, '+<&=', $1+0) or die "fdopen $1: $!";
 my $ROOT = '/.well-known/acme-challenge';
 close STDIN  or die "close: $!"; |
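Review bot: The untaint regex `/\A(\d+)\z/` feeding the new `open (my $S, '+<&=', $1+0)` matches any Unicode decimal digit, not only 0-9: with `unicode_strings` now enabled by `use v5.14.2`, if the argument is ever decoded (e.g. perl run with `-C`), a string of non-ASCII digits passes the check, `$1+0` numifies to 0 with a warning, and the program would try to fdopen fd 0 (STDIN) as its listening socket. On the raw byte strings @ARGV normally carries this cannot happen, so this is hardening rather than a live bug. `/\A([0-9]+)\z/`, or the `/a` modifier, pins ASCII digits; the same pattern is used in client and lacme-accountd.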
