Commit message  [Author, Age, Files]
* Merge tag 'v0.8.1' into debian/latest  [Guilhem Moulin, 2023-01-25, 18 files]
|\
| |     Release version 0.8.1
| * Prepare new release v0.8.1. (tag: v0.8.1)  [Guilhem Moulin, 2023-01-25, 4 files]
| |
| * Adjust test suite against current Let's Encrypt staging environment.  [Guilhem Moulin, 2023-01-25, 7 files]
| |
| * Replace '$(dir $@)' with '$(@D)' in Makefile.  [Guilhem Moulin, 2023-01-25, 2 files]
| |
| * lacme: pass a temporary JSON file with the client configuration to the ↵  [Guilhem Moulin, 2021-02-25, 4 files]
| |     internal client. So it doesn't have to parse the INI file again. Also, while lacme.conf is world-readable by default, one might restrict permissions and add private information in there, not realizing that everything, including comments, will be readable by the client.
| * lacme: split certificates using Net::SSLeay::PEM_* instead of calling openssl.  [Guilhem Moulin, 2021-02-25, 2 files]
| |
| * lacme: improve install_cert()'s handling of temporary files.  [Guilhem Moulin, 2021-02-24, 1 file]
| |
| * lacme: Return an error when the 'mode'/'chown' isn't a number.  [Guilhem Moulin, 2021-02-24, 2 files]
| |     oct("foobar") is 0, definitely not what we want.
| * lacme: Add 'owner' resp. 'mode' as (preferred) alias for 'chown' resp. 'chmod'.  [Guilhem Moulin, 2021-02-24, 5 files]
| |
| * lacme: Default mode for certificate(-chain) creation is 0644 minus umask ↵  [Guilhem Moulin, 2021-02-24, 5 files]
| |     restrictions. Also, always spawn the client with umask 0022 so a starting lacme(8) with a restrictive umask doesn't impede serving challenge response files.
| * lacme: Don't write certificate(-chain) file on chown/chmod failure.  [Guilhem Moulin, 2021-02-24, 3 files]
| |     Otherwise we end up with files with mode 0644 owned by root:root, and subsequent lacme(8) invocations will likely not renew them for a while. This change also saves a chown(2) call. And the new logic (chown resp. chmod from root:root resp. 0600) is safe if we ever include private key material in there too.
| * If restricting access via umask() fails, don't include errno in the error ↵  [Guilhem Moulin, 2021-02-24, 3 files]
| |     message. errno is not set on umask failure, see https://perldoc.perl.org/functions/umask.
| * lacme: Ignore empty values in 'chown'/'chmod'/'certificate'/'certificate-chain'.  [Guilhem Moulin, 2021-02-24, 2 files]
| |
| * tests/cert-install: Include tests for failing chown(2).  [Guilhem Moulin, 2021-02-24, 2 files]
| |     Due to unknown user/group name.
| * tab damage  [Guilhem Moulin, 2021-02-24, 1 file]
| |
| * typofix  [Guilhem Moulin, 2021-02-24, 1 file]
| |
| * tests/drop-privileges: Ensure failure to drop privileges yields an error.  [Guilhem Moulin, 2021-02-24, 2 files]
| |     And doesn't retain root privileges.
| * lacme: When getpwnam()/getgrnam()'s errno is 0, exclude it from error messages.  [Guilhem Moulin, 2021-02-24, 2 files]
| |
| * lacme-accountd: Refactor logging logic.  [Guilhem Moulin, 2021-02-23, 2 files]
| |
| * lacme-accountd: don't log debug messages unless --debug is set.  [Guilhem Moulin, 2021-02-23, 2 files]
| |
| * Consolidate error messages.  [Guilhem Moulin, 2021-02-23, 2 files]
| |
| * lacme-accountd: panic() upon internal error of the signing routine.  [Guilhem Moulin, 2021-02-22, 1 file]
| |     It might croak and we want to log that error also.
| * test suite: Avoid setting twice the ACME API server URL.  [Guilhem Moulin, 2021-02-22, 1 file]
| |
| * test: Allow prefixing test names with 'tests/'.  [Guilhem Moulin, 2021-02-22, 1 file]
| |     It's handy to be able to run `./test tests/accountd*` or similar.
| * lacme-accountd: Refuse to sign JWS with an invalid Protected Header.  [Guilhem Moulin, 2021-02-22, 3 files]
| |     “The JWS Protected Header is a JSON object” — RFC 7515 sec. 2.
| |     “The JWS Protected Header MUST include the following fields:
| |      - "alg"
| |      - "nonce"
| |      - "url"
| |      - either "jwk" or "kid"” — RFC 8555 sec. 6.2.
| * lacme-account: Improve log messages.  [Guilhem Moulin, 2021-02-22, 5 files]
| |     Again…
| * accountd::conn(): Minor refactoring.  [Guilhem Moulin, 2021-02-22, 1 file]
| |
| * In lacme's the [accountd] config, let lacme-accountd(1) do the %-expansion ↵  [Guilhem Moulin, 2021-02-22, 3 files]
| |     for 'config'. This matches the arguably expected behavior that ‘config = %h/foo’ is passed as ‘--config=%h/foo’ and resolved by lacme-accountd(1) (possibly remote and with another passwd database).
* | Update standards version to 4.6.2, no changes needed.  [Guilhem Moulin, 2022-12-20, 1 file]
| |     Changes-By: lintian-brush
| |     Fixes: lintian: out-of-date-standards-version
| |     See-also: https://lintian.debian.org/tags/out-of-date-standards-version.html
* | Set field Upstream-Name in debian/copyright.  [Guilhem Moulin, 2022-12-20, 1 file]
| |     Changes-By: lintian-brush
* | Merge branch 'multiarch-fixes' into 'debian/latest'  [Jelmer Vernooij, 2022-10-30, 1 file]
|\ \
| | |   Apply hints suggested by the multi-arch hinter
| | |   See merge request debian/lacme!1
| * | Apply multi-arch hints.  [Debian Janitor, 2022-10-27, 1 file]
|/ /
| |     + lacme-accountd: Add Multi-Arch: foreign.
| |     Changes-By: apply-multiarch-hints
* | d/control: Improve long package descriptions.  [Guilhem Moulin, 2022-08-16, 1 file]
| |
* | Salsa CI: Remove default configuration file.  [Guilhem Moulin, 2022-08-16, 1 file]
| |     Instead, set ‘recipes/debian.yml@salsa-ci-team/pipeline’ as CI/CD configuration file in the GitLab repository setting. Per recommendation from the Salsa CI maintainers: https://salsa.debian.org/salsa-ci-team/pipeline#debian-pipeline-for-developers .
* | Prepare new release. (tag: debian/0.8.0-2)  [Guilhem Moulin, 2021-05-04, 1 file]
| |
* | d/lacme.postrm: Don't delete system users on purge.  [Guilhem Moulin, 2021-02-22, 2 files]
| |     _lacme-www shouldn't own any file or directories, but there might be files on disk owned by _lacme-client when 'challenge-directory' is used. See https://wiki.debian.org/AccountHandlingInMaintainerScripts#Reasons_for_not_deleting_accounts .
* | Prepare new release. (tag: debian/0.8.0-1)  [Guilhem Moulin, 2021-02-22, 3 files]
| |
* | d/lacme.install: include new configuration files and snippets.  [Guilhem Moulin, 2021-02-22, 2 files]
| |
* | d/lacme.links: Remove /etc/apache2/conf-available/lacme.conf.  [Guilhem Moulin, 2021-02-22, 2 files]
| |     Now part of the upstream build system.
* | Add NEWS files with breaking changes.  [Guilhem Moulin, 2021-02-22, 2 files]
| |
* | d/control: Remove versioned Recommends: on lacme-accountd.  [Guilhem Moulin, 2021-02-22, 2 files]
| |     lacme also works with earlier accountds, but might yield bad surprises when the 'keyid' setting is set.
* | d/copyright: Point Source: to the upstream repository.  [Guilhem Moulin, 2021-02-22, 2 files]
| |
* | d/copyright: Bump copyright years.  [Guilhem Moulin, 2021-02-22, 1 file]
| |
* | Bump copyright years.  [Guilhem Moulin, 2021-02-22, 1 file]
| |
* | d/control: lacme now requires openssl 1.1.0 or later.  [Guilhem Moulin, 2021-02-22, 2 files]
| |
* | d/control: Remove libtypes-serialiser-perl from lacme's Depends.  [Guilhem Moulin, 2021-02-22, 2 files]
| |     See b54d248515357297d84a01cf45a42a6787c21240.
* | Bump upstream version number.  [Guilhem Moulin, 2021-02-22, 1 file]
| |
* | Use dedicated system users for internal components.  [Guilhem Moulin, 2021-02-22, 5 files]
| |     * The internal webserver now runs as a dedicated system user _lacme-www (and group nogroup) instead of www-data:www-data. This is configurable in the [webserver] section of the lacme(8) configuration file.
| |     * The internal ACME client now runs as a dedicated system user _lacme-client (and group nogroup) instead of nobody:nogroup. This is configurable in the [client] section of the lacme(8) configuration file.
| |     * The _lacme-www and _lacme-client system users are created automatically by lacme.postinst (hence a new Depends: adduser), and deleted on purge. (So make sure not to chown any file to these internal users.)
* | Refresh patches.  [Guilhem Moulin, 2021-02-22, 2 files]
| |     And add "Forwarded: not-needed" annotations when relevant.
* | Merge tag 'v0.8.0' into debian/latest  [Guilhem Moulin, 2021-02-22, 48 files]
|\|
| |     Release version 0.8.0