|  | Commit message (Collapse) | Author | Age | Files | 
|---|
| | 
| 
| 
| | Gbp-Dch: Ignore | 
| | |  | 
| | 
| 
| 
| 
| 
| | As well as the upstream test suite.
Closes: #1072847 | 
| | |  | 
| | |  | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | newOrder.
Instead of just "ready" → "valid", which may be what we observe when the
server is fast enough, but according to RFC 8555 sec. 7.1.6 the state
actually transitions via "processing" state and we need to account for
that.
It appears Let's Encrypt staging environment now has different timing
conditions and lacme is unable to request certificates due to this
issue.
Cherry-picked from 53238c70f7a12e233a6ca83cf2b50168e5b9592e.
Closes: #1034834 | 
| | |  | 
| | 
| 
| 
| 
| 
| 
| | _lacme-www shouldn't own any file or directories, but there might be
files on disk owned by _lacme-client when 'challenge-directory' is used.
See https://wiki.debian.org/AccountHandlingInMaintainerScripts#Reasons_for_not_deleting_accounts . | 
| | |  | 
| | |  | 
| | 
| 
| 
| | Now part of the upstream build system. | 
| | |  | 
| | 
| 
| 
| 
| | lacme also works with earlier accountds, but might yield bad suprises
when the 'keyid' setting is set. | 
| | |  | 
| | |  | 
| | |  | 
| | |  | 
| | 
| 
| 
| | See b54d248515357297d84a01cf45a42a6787c21240. | 
| | |  | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | * The internal webserver now runs as a dedicated system user _lacme-www
    (and group nogroup) instead of www-data:www-data.  This is configurable
    in the [webserver] section of the lacme(8) configuration file.
  * The internal ACME client now runs as a dedicated system user _lacme-client
    (and group nogroup) instead of nobody:nogroup.  This is configurable in
    the [client] section of the lacme(8) configuration file.
  * The _lacme-www and _lacme-client system users are created automatically by
    lacme.postinst (hence a new Depends: adduser), and deleted on purge.  (So
    make sure not to chown any file to these internal users.) | 
| | 
| 
| 
| | And add "Forwarded: not-needed" annotations when relevant. | 
| |\  
| | 
| | 
| | | Release version 0.8.0 | 
| | | |  | 
| | | |  | 
| | | 
| | 
| | 
| | | The staging environment wasn't set properly for the Debian packages. | 
| | | |  | 
| | | |  | 
| | | |  | 
| | | |  | 
| | | |  | 
| | | 
| | 
| | 
| | 
| | | This saves a round trip and provides a safeguard against malicious
clients. | 
| | | |  | 
| | | 
| | 
| | 
| | 
| | 
| | 
| | 
| | 
| | 
| | 
| | 
| | 
| | 
| | 
| | | Passing the JWA to the ACME client is required if we want to support
account keys other than RSA.  As of 0.7 both lacme-accountd(1) and
lacme(8) hardcode “RS256” (SHA256withRSA per RFC 7518 sec. A.1).
Passing the JWK thumbprint is handy as it gives more flexibility if RFC
8555 sec. 8.1 were to be updated with another digest algorithm (it's
currently hardcoded to SHA-256).  A single lacme-account(1) instance
might be used to sign requests from many clients, and it's easier to
upgrade a single ‘lacme-accountd’ than many ‘lacme’.  Moreover, in some
restricted environments lacme-accountd might hide the JWK from the
client to prevent ‘newAccount’ requests (such as contact updates);
passing its thumbprint is enough for ‘newOrder’ requests. | 
| | | |  | 
| | | |  | 
| | | |  | 
| | | |  | 
| | | |  | 
| | | |  | 
| | | |  | 
| | | 
| | 
| | 
| | | Prefixed with a timestamp. | 
| | | 
| | 
| | 
| | | Before printing them to the standard error. | 
| | | |  | 
| | | 
| | 
| | 
| | 
| | | It's an internal flag, but can be useful for authorized_keys(5)
restrictions. | 
| | | 
| | 
| | 
| | 
| | 
| | 
| | 
| | 
| | 
| | 
| | 
| | 
| | 
| | 
| | 
| | | lacme(8): for --config=, --socket=, --config-certs= (and ‘socket’/
‘config-certs’/‘challenge-directory’ configuration options *before*
privilege drop; and for the [accountd] section ‘command’/‘config’
configuration options *after* privilege drop).
lacme-accountd(1): for --config=, --socket= and --privkey= (and
‘socket’/‘privkey’ configuration options).
This also changes the default configuration file location.  lacme(8) and
lacme-accountd(1) now respectively use /etc/lacme/lacme.conf resp.
/etc/lacme/lacme-accountd.conf when running as root, and
$XDG_CONFIG_HOME/lacme/lacme.conf resp. $XDG_CONFIG_HOME/lacme/lacme-accountd.conf
when running as a normal user.  There is no fallback to /etc anymore. | 
| | | |  | 
| | | |  | 
| | | |  | 
| | | |  | 
| | | 
| | 
| | 
| | | Not that it make a difference since we don't run suid. |