diff options
Diffstat (limited to 'letsencrypt')
| -rwxr-xr-x | letsencrypt | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/letsencrypt b/letsencrypt index 23659d5..d11b569 100755 --- a/letsencrypt +++ b/letsencrypt @@ -410,6 +410,8 @@ sub acme_client($@) { die "connect: $!"; } + # use execve(2) rather than a Perl pseudo-process to ensure that the + # child doesn't have access to the parent's memory my @fileno = map { fileno($_) =~ /^(\d+)$/ ? $1 : die } ($CONFFILE, $client); # untaint fileno spawn({%$args{qw/in out/}, child => sub() { drop_privileges($conf->{user}, $conf->{group}, $args->{chdir} // '/'); @@ -448,8 +450,6 @@ sub spawn($@) { } else { open STDOUT, '>', '/dev/null' or die "Can't open /dev/null: $!"; } - # use execve(2) rather than a Perl pseudo-process to ensure that - # the child doesn't have access to the parent's memory exec { $exec[0] } @exec or die; } push @CLEANUP, sub() { @@ -604,7 +604,7 @@ elsif ($COMMAND eq 'new-cert') { }; # verify certificate validity against the CA - $conf->{CAfile} //= '/usr/share/letsencrypt-tiny/lets-encrypt-x1-cross-signed.pem'; + $conf->{CAfile} //= '/usr/share/letsencrypt-tiny/lets-encrypt-x3-cross-signed.pem'; if ($conf->{CAfile} ne '' and spawn({in => $x509}, 'openssl', 'verify', '-CAfile', $conf->{CAfile}, qw/-purpose sslserver -x509_strict/)) { print STDERR "[$s] Error: Received invalid X.509 certificate from ACME server!\n"; |