Diffstat (limited to 'Changelog')
-rw-r--r-- Changelog 102
1 files changed, 102 insertions, 0 deletions
diff --git a/Changelog b/Changelog
index 13db236..9f12237 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,105 @@
+lacme (0.8.0) upstream;
+
+ * Breaking change: 'challenge-directory' now needs to be set to an
+ *existing* directory (writable by the lacme client user). Since
+ lacme(8) spawns a builtin webserver by default the change doesn't
+ affect default configurations.
+ Thanks to Benjamin Tietz for the idea and initial patch.
+ * Breaking change: the 'iptables' option is now ignored unless the
+ builtin webserver is used.
+ * Unprivileged user/group for the internal client resp. webserver are
+ now configurable at install time.
+ * lacme: new flag `--force`, which aliases to `--min-days=-1`, i.e.,
+ forces renewal regardless of the expiration date of existing
+ certificates.
+ * Remove decomissioned intermediate CAs Authority X3 and X4 from the
+ bundle.
+ * Remove cross-signed intermediate CAs from the bundle and add the
+ (self-signed) ISRG Root X1 and X2 instead. This allows us to fully
+ validate provided X.509 chains using that self-contained bundle,
+ regardless of which CAs is marqued as trusted under /etc/ssl/certs.
+ This change bumps the minimum OpenSSL version to 1.1.0.
+ * Breaking change: lacme(8) and lacme-accountd(1) respectively load
+ their configuration file from /etc/lacme/lacme.conf resp.
+ /etc/lacme/lacme-accountd.conf when running as root, and
+ $XDG_CONFIG_HOME/lacme/lacme.conf resp.
+ $XDG_CONFIG_HOME/lacme/lacme-accountd.conf when running as a normal
+ user. There is no fallback to /etc anymore, and the lookup in the
+ current directory as prefered choice is removed too. However
+ lacme-accountd(1) can be used without configuration file under
+ ~/.config/lacme as it treats a non-existent default location as an
+ empty file.
+ * The client, webserver, and accountd commands are now split on
+ whitespace. This doesn't change the default behavior but allows
+ using `ssh -T lacme@account.example.net lacme-accountd` to spawn a
+ remote lacme-accountd server for instance.
+ * Add test suite against Let's Encrypt's staging environment
+ https://letsencrypt.org/docs/staging-environment/ .
+ * lacme(8)'s 'config' option in the [accountd] section no longer have a
+ default value. The previous default /etc/lacme/lacme-accountd.conf
+ is still honored when root privileges are preserved (the default).
+ * Deprecate setting 'privkey' in [accountd] section of the lacme(8)
+ configuration file. One need to use the lacme-accountd(1)
+ configuration file for that instead.
+ * lacme(8): add %-specifiers support for --config=, --socket=,
+ --config-certs= (and 'socket'/'config-certs'/'challenge-directory'
+ configuration options *before* privilege drop; and for the [accountd]
+ section 'command'/'config' configuration options *after* privilege
+ drop).
+ * lacme-accountd(1): add %-specifiers support for --config=, --socket=
+ and --privkey= (and 'socket'/'privkey' configuration options).
+ * lacme-accountd(1): base64url-decode incoming signature requests shown
+ in messages to the standard error.
+ * lacme-accountd(1): new setting 'logfile' to log (decoded) incoming
+ signature requests to a file.
+ * lacme-accountd(1): new setting 'keyid' to easily revoke all account
+ management access from the client.
+ + Improve nginx/apache2 snippets for direct serving of challenge files
+ (with the new 'challenge-directory' logic symlinks can be disabled).
+ + Split Nginx and Apapche2 static configuration snippets into seperate
+ files. That way users prefering that over reverse-proxying can just
+ source/enable the relevant files without having to uncomment
+ anything.
+ + Add support for TLS Feature extension from RFC 7633; this is mostly
+ useful for OCSP Must-Staple.
+ + client: use "lacme-client/$VERSION" as User-Agent header.
+ + Consolidate error messages for consistency.
+ + Sanitize environment when spawning the lacme client, webserver and
+ accountd.
+ + accountd: replace internal option --conn-fd=FD with flag --stdio.
+ Using stdin/stdout makes it possible to tunnel the accountd
+ connection through ssh. The new flag is documented to allow safe
+ usage is authorized_keys(5) restrictions.
+ + Remove dependency on List::Util (core module).
+ + accountd: Pass JWA and JWK thumbprint via extended greeting data.
+ This gives better forward flexibility.
+ - lacme: delay webserver socket shutdown to after the process has
+ terminated.
+ - documentation: suggest to generate private key material with
+ genpkey(1ssl); also suggest a command to generate an ECDSA key not
+ just RSA; hint at which key algorithms are supported.
+ - documentation: clarify that "file:/path/to/account.key" can point to
+ a symmetrically-encrypted private key.
+ - documentation: emphasize default values in the config file, and move
+ the most common options ('hash', 'keyUsage', 'CAfile', 'min-days') to
+ the default section.
+ - Raise client timeout from 10 to 30s.
+ - Remove dependency on Types::Serialiser.
+ - client: fail immediately when the accountd is unreachable.
+ - Makefile: set executable bit for $(bindir)/lacme-accountd and
+ $(sbindir)/lacme.
+ - client: avoid "Use of uninitialized value in pattern match (m//)"
+ perl warnings when the accountd socket can't be reached.
+ - webserver: reopen stdin from /dev/null.
+ - Use 'acme-challenge.XXXXXXXXXX' as template for the temporary ACME
+ challenge directory.
+ - Set the DEBUG environment variable to 0/1 instead of ""/1.
+ - Use File::Basename::dirname() to correctly extract the parent
+ directory of the socket path.
+ - client: Print Terms of Service URL for 'account' command.
+
+ -- Guilhem Moulin <guilhem@fripost.org> Mon, 22 Feb 2021 03:19:57 +0100
+
lacme (0.7) upstream;
* Breaking change: the certificate indicated by 'CAfile' is no longer
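Review bot: The new 0.8.0 entry carries several spelling and grammar slips that should be fixed before this ships, since the Changelog is user-facing documentation: "decomissioned" should read "decommissioned"; "regardless of which CAs is marqued as trusted" should read "regardless of which CAs are marked as trusted"; "prefered" appears twice and should be "preferred"; "Apapche2" and "seperate" should be "Apache2" and "separate"; "no longer have a default value" should be "no longer has a default value"; "One need to use" should be "One needs to use"; and "safe usage is authorized_keys(5) restrictions" should be "safe usage in authorized_keys(5) restrictions". Two of the breaking-change bullets would also benefit from stating how an old configuration now behaves: the 'challenge-directory' entry should say whether lacme(8) refuses to run or only warns when the configured directory does not exist or is not writable, and the 'iptables' entry should say whether the option is silently ignored or reported when set without the builtin webserver, because an operator who relied on those firewall rules would otherwise have no signal that they are no longer applied.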