Commit message (Author, Age, Files)
* Merge tag 'v0.8.3' into debian/latest (Guilhem Moulin, 2024-06-13, 30 files)
|\
| |     Release version 0.8.3
| |
| * Prepare new release v0.8.3. [v0.8.3] (Guilhem Moulin, 2024-06-13, 4 files)
| |
| * Fix test suite. (Guilhem Moulin, 2024-06-13, 2 files)
| |
| |     Since we don't pin staging intermediate certificates anymore we drop
| |     the test where the CA bundle contains only intermediates.
| |
| * certs/*, cert-staging/*: Remove intermediate and expired certificates. (Guilhem Moulin, 2024-06-13, 18 files)
| |
| |     Only the root certificates are now used as trust anchor.
| |
| * Fix post-issuance validation logic. (Guilhem Moulin, 2024-06-13, 3 files)
| |
| |     Rather than adding intermediates in the certificate bundle we now
| |     validate the leaf certificate with intermediates as untrusted (used
| |     for chain building only). Only the root certificates are used as
| |     trust anchor.
| |
| |     Not pinning intermediate certificates anymore is in line with Let's
| |     Encrypt's latest recommendations:
| |
| |         Rotating the set of intermediates we issue from helps keep the
| |         Internet agile and more secure. It encourages automation and
| |         efficiency, and discourages outdated practices like key pinning.
| |
| |         “Key Pinning” is a practice in which clients — either ACME
| |         clients getting certificates for their site, or apps connecting
| |         to their own backend servers — decide to trust only a single
| |         issuing intermediate certificate rather than delegating trust to
| |         the system trust store. Updating pinned keys is a manual process,
| |         which leads to an increased risk of errors and potential business
| |         continuity failures.
| |
| |         — https://letsencrypt.org/2024/03/19/new-intermediate-certificates:
| |
| * Pass `-in /dev/stdin` option to openssl(1) to avoid warning with recent versions. (Guilhem Moulin, 2024-06-13, 4 files)
| |
| |     OpenSSL 3.2 from Debian sid spews
| |
| |         Warning: Reading certificate from stdin since no -in or -new option is given
| |
| |     without an explicit `-in /dev/stdin`.
| |
| * t/cert-extensions: Fix tr(1) range syntax. (Guilhem Moulin, 2024-06-13, 1 file)
| |
| * t/cert-install: Ensure the subjectName is lowercase. (Guilhem Moulin, 2024-06-13, 1 file)
| |
| |     Domain names are case insensitive so it shouldn't matter, but Let's
| |     Encrypt (staging) ACME server fails with 400 Bad Request (Invalid
| |     identifiers requested :: Cannot issue for
| |     "YXJCTT7S6K2RQLVO.lacme-test.guilhem.org": Domain name contains an
| |     invalid character) if the sub-domain part of the subjectName is left
| |     all-caps.
| |
| * test: Fix test name in error messages. (Guilhem Moulin, 2023-04-26, 1 file)
| |
| * tests/account-encrypted-*: Set TERM="linux". (Guilhem Moulin, 2023-04-26, 2 files)
| |
* | Update changelog for 0.8.2-1 release [debian/0.8.2-1] (Guilhem Moulin, 2023-04-25, 1 file)
| |
* | Merge tag 'v0.8.2' into debian/latest (Guilhem Moulin, 2023-04-25, 5 files)
|\|
| |     Release version 0.8.2
| |
| * Prepare new release v0.8.2. [v0.8.2] (Guilhem Moulin, 2023-04-25, 4 files)
| |
| * tests: Point stretch's archive URL to archive.d.o. (Guilhem Moulin, 2023-04-25, 1 file)
| |
| |     See https://lists.debian.org/msgid-search/87tty79lwo.fsf@43-1.org .
| |
| * client: Handle "ready" → "processing" → "valid" status change during newOrder. (Guilhem Moulin, 2023-04-25, 1 file)
| |
| |     Instead of just "ready" → "valid", which may be what we observe when
| |     the server is fast enough, but according to RFC 8555 sec. 7.1.6 the
| |     state actually transitions via "processing" state and we need to
| |     account for that.
| |
| |     It appears Let's Encrypt staging environment now has different timing
| |     conditions and lacme is unable to request certificates due to this
| |     issue.
| |
| |     Thanks to Alexander Borkowski for the report!
| |
* | Update changelog for 0.8.1-1 release [debian/0.8.1-1] (Guilhem Moulin, 2023-01-25, 1 file)
| |
* | Merge tag 'v0.8.1' into debian/latest (Guilhem Moulin, 2023-01-25, 18 files)
|\|
| |     Release version 0.8.1
| |
| * Prepare new release v0.8.1. [v0.8.1] (Guilhem Moulin, 2023-01-25, 4 files)
| |
| * Adjust test suite against current Let's Encrypt staging environment. (Guilhem Moulin, 2023-01-25, 7 files)
| |
| * Replace '$(dir $@)' with '$(@D)' in Makefile. (Guilhem Moulin, 2023-01-25, 2 files)
| |
| * lacme: pass a temporary JSON file with the client configuration to the internal client. (Guilhem Moulin, 2021-02-25, 4 files)
| |
| |     So it doesn't have to parse the INI file again. Also, while
| |     lacme.conf is world-readable by default, one might restrict
| |     permissions and add private information in there, not realizing that
| |     everything, including comments, will be readable by the client.
| |
| * lacme: split certificates using Net::SSLeay::PEM_* instead of calling openssl. (Guilhem Moulin, 2021-02-25, 2 files)
| |
| * lacme: improve install_cert()'s handling of temporary files. (Guilhem Moulin, 2021-02-24, 1 file)
| |
| * lacme: Return an error when the 'mode'/'chown' isn't a number. (Guilhem Moulin, 2021-02-24, 2 files)
| |
| |     oct("foobar") is 0, definitely not what we want.
| |
| * lacme: Add 'owner' resp. 'mode' as (preferred) alias for 'chown' resp. 'chmod'. (Guilhem Moulin, 2021-02-24, 5 files)
| |
| * lacme: Default mode for certificate(-chain) creation is 0644 minus umask restrictions. (Guilhem Moulin, 2021-02-24, 5 files)
| |
| |     Also, always spawn the client with umask 0022 so a starting lacme(8)
| |     with a restrictive umask doesn't impede serving challenge response
| |     files.
| |
| * lacme: Don't write certificate(-chain) file on chown/chmod failure. (Guilhem Moulin, 2021-02-24, 3 files)
| |
| |     Otherwise we end up with files with mode 0644 owned by root:root, and
| |     subsequent lacme(8) invocations will likely not renew them for a
| |     while.
| |
| |     This change also saves a chown(2) call. And the new logic (chown
| |     resp. chmod from root:root resp. 0600) is safe if we ever include
| |     private key material in there too.
| |
| * If restricting access via umask() fails, don't include errno in the error message. (Guilhem Moulin, 2021-02-24, 3 files)
| |
| |     errno is not set on umask failure, see
| |     https://perldoc.perl.org/functions/umask.
| |
| * lacme: Ignore empty values in 'chown'/'chmod'/'certificate'/'certificate-chain'. (Guilhem Moulin, 2021-02-24, 2 files)
| |
| * tests/cert-install: Include tests for failing chown(2). (Guilhem Moulin, 2021-02-24, 2 files)
| |
| |     Due to unknown user/group name.
| |
| * tab damage (Guilhem Moulin, 2021-02-24, 1 file)
| |
| * typofix (Guilhem Moulin, 2021-02-24, 1 file)
| |
| * tests/drop-privileges: Ensure failure to drop privileges yields an error. (Guilhem Moulin, 2021-02-24, 2 files)
| |
| |     And doesn't retain root privileges.
| |
| * lacme: When getpwnam()/getgrnam()'s errno is 0, exclude it from error messages. (Guilhem Moulin, 2021-02-24, 2 files)
| |
| * lacme-accountd: Refactor logging logic. (Guilhem Moulin, 2021-02-23, 2 files)
| |
| * lacme-accountd: don't log debug messages unless --debug is set. (Guilhem Moulin, 2021-02-23, 2 files)
| |
| * Consolidate error messages. (Guilhem Moulin, 2021-02-23, 2 files)
| |
| * lacme-accountd: panic() upon internal error of the signing routine. (Guilhem Moulin, 2021-02-22, 1 file)
| |
| |     It might croak and we want to log that error also.
| |
| * test suite: Avoid setting twice the ACME API server URL. (Guilhem Moulin, 2021-02-22, 1 file)
| |
| * test: Allow prefixing test names with 'tests/'. (Guilhem Moulin, 2021-02-22, 1 file)
| |
| |     It's handy to be able to run `./test tests/accountd*` or similar.
| |
| * lacme-accountd: Refuse to sign JWS with an invalid Protected Header. (Guilhem Moulin, 2021-02-22, 3 files)
| |
| |     “The JWS Protected Header is a JSON object” — RFC 7515 sec. 2.
| |
| |     “The JWS Protected Header MUST include the following fields:
| |      - "alg"
| |      - "nonce"
| |      - "url"
| |      - either "jwk" or "kid"” — RFC 8555 sec. 6.2.
| |
| * lacme-account: Improve log messages. (Guilhem Moulin, 2021-02-22, 5 files)
| |
| |     Again…
| |
| * accountd::conn(): Minor refactoring. (Guilhem Moulin, 2021-02-22, 1 file)
| |
| * In lacme's [accountd] config, let lacme-accountd(1) do the %-expansion for 'config'. (Guilhem Moulin, 2021-02-22, 3 files)
| |
| |     This matches the arguably expected behavior that ‘config = %h/foo’ is
| |     passed as ‘--config=%h/foo’ and resolved by lacme-accountd(1)
| |     (possibly remote and with another passwd database).
| |
* | Update standards version to 4.6.2, no changes needed. (Guilhem Moulin, 2022-12-20, 1 file)
| |
| |     Changes-By: lintian-brush
| |     Fixes: lintian: out-of-date-standards-version
| |     See-also: https://lintian.debian.org/tags/out-of-date-standards-version.html
| |
* | Set field Upstream-Name in debian/copyright. (Guilhem Moulin, 2022-12-20, 1 file)
| |
| |     Changes-By: lintian-brush
| |
* | Merge branch 'multiarch-fixes' into 'debian/latest' (Jelmer Vernooij, 2022-10-30, 1 file)
|\ \
| | |     Apply hints suggested by the multi-arch hinter
| | |
| | |     See merge request debian/lacme!1
| | |
| * | Apply multi-arch hints. (Debian Janitor, 2022-10-27, 1 file)
|/ /
| |     + lacme-accountd: Add Multi-Arch: foreign.
| |
| |     Changes-By: apply-multiarch-hints
| |
* | d/control: Improve long package descriptions. (Guilhem Moulin, 2022-08-16, 1 file)
| |
* | Salsa CI: Remove default configuration file. (Guilhem Moulin, 2022-08-16, 1 file)
| |
| |     Instead, set ‘recipes/debian.yml@salsa-ci-team/pipeline’ as CI/CD
| |     configuration file in the GitLab repository setting.
| |
| |     Per recommendation from the Salsa CI maintainers:
| |     https://salsa.debian.org/salsa-ci-team/pipeline#debian-pipeline-for-developers .