aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFiles
...
| * Use real UID not effective UID in environment sanitation.Guilhem Moulin2021-02-201
| | | | | | | | Not that it make a difference since we don't run suid.
| * Symlink $(sysconfdir)/apache2/conf-available/lacme.conf → ↵Guilhem Moulin2021-02-202
| | | | | | | | | | | | | | ../../lacme/apache2.conf. This is useful for enabling the snippet with `a2enconf lacme`, cf. https://bugs.debian.org/955859 .
| * Makefile wibbleGuilhem Moulin2021-02-201
| |
| * Document spawning a remote lacme-accountd(1) instance.Guilhem Moulin2021-02-203
| | | | | | | | And add a test case for this.
| * lacme-accountd: Don't error out when the default configuration file is missing.Guilhem Moulin2021-02-202
| | | | | | | | | | Instead, treat it as an empty file. This makes it possible to use lacme-accountd(1) without configuration file under ~/.config/lacme.
| * Add tests for OpenSSL- and GnuPG-encrypted account keys.Guilhem Moulin2021-02-203
| | | | | | | | These tests are not interactive!
| * lacme: Preserve $GPG_TTY when spawning the accountd.Guilhem Moulin2021-02-201
| | | | | | | | This is needed for gpg-encrypted privkeys.
| * Deprecate setting 'privkey' in [accountd] section of the lacme(8) ↵Guilhem Moulin2021-02-205
| | | | | | | | | | | | | | configuration file. One need to use the lacme-accountd(1) configuration file for that instead.
| * lacme(8)'s 'config' option in the [accountd] section no longer have a ↵Guilhem Moulin2021-02-204
| | | | | | | | | | | | | | | | default value. The previous default, namely /etc/lacme/lacme-accountd.conf, is still honored when there is the user running lacme doesn't have a ~/.config/lacme/lacme-account.conf configuration file.
| * Add test suite against Let's Encrypt's staging environment.Guilhem Moulin2021-02-2015
| | | | | | | | https://letsencrypt.org/docs/staging-environment/
| * Update staging hierarchy.Guilhem Moulin2021-02-209
| | | | | | | | Cf. https://community.letsencrypt.org/t/staging-hierarchy-new-root-cert/145677 .
| * Use File::Basename::dirname().Guilhem Moulin2021-02-204
| | | | | | | | | | | | To correctly extract the parent directory of the socket path. The previous returned an empty string when the socket path didn't contain ‘/’.
| * accountd: replace internal option --conn-fd=FD with flag --stdio.Guilhem Moulin2021-02-184
| | | | | | | | | | Using stdin/stdout makes it possible to tunnel the accountd connection through ssh.
| * Split client/webserver/accountd commands on whitespace.Guilhem Moulin2021-02-184
| | | | | | | | This doesn't change the default behavior.
| * Set the DEBUG environment variable to 0/1 instead of ""/1.Guilhem Moulin2021-02-182
| |
| * Use 'acme-challenge.XXXXXXXXXX' as template for the temporary ACME challenge ↵Guilhem Moulin2021-02-182
| | | | | | | | directory.
| * webserver: reopen stdin from /dev/null.Guilhem Moulin2021-02-182
| | | | | | | | | | Having both lacme(8) and its webserver component reading from the same standard input could yield starvation.
| * Split Nginx and Apapche2 static configuration snippets into seperate files.Guilhem Moulin2021-02-185
| | | | | | | | | | | | That way users prefering that over reverse-proxying can just source/enable the relevant files without having to uncomment anything.
| * Sanitize environment when spawning children.Guilhem Moulin2021-02-182
| | | | | | | | | | Set $HOME, $USER, $SHELL, $PATH, $LOGNAME to appropriate values (and perserve $TERM), which matches the login(1) behavior.
| * Consolidate error messages for consistency.Guilhem Moulin2021-02-184
| |
| * client: avoid "Use of uninitialized value in pattern match (m//)" perl warnings.Guilhem Moulin2021-02-182
| | | | | | | | When the accountd socket can't be reached.
| * Makefile: set executable bit for $(bindir)/lacme-accountd and $(sbindir)/lacme.Guilhem Moulin2021-02-182
| |
| * Don't load configuration files from ./ by default.Guilhem Moulin2021-02-185
| | | | | | | | | | | | | | This is a breaking change: lacme(8) resp. lacme-accountd(1) no longer consider ./lacme.conf resp. ./lacme-accountd.conf as default location for the configuration file. Doing so has security implications when running these program from insecure directories.
| * client: use "lacme-client/$VERSION" as User-Agent header.Guilhem Moulin2021-02-183
| |
| * typofixGuilhem Moulin2021-02-181
| |
| * Add certs-staging/fake*.pem for tests using the staging environment.Guilhem Moulin2021-02-183
| | | | | | | | See https://letsencrypt.org/docs/staging-environment/ .
| * typofixGuilhem Moulin2021-02-151
| |
| * Makefile: new 'release' target.Guilhem Moulin2021-02-151
| |
| * Add support for TLS Feature extension from RFC 7633.Guilhem Moulin2021-02-153
| | | | | | | | This is mostly useful for OCSP Must-Staple.
| * Add certs/letsencryptauthorityx[12].pemGuilhem Moulin2021-02-152
| |
| * Bump copyright years.Guilhem Moulin2021-02-155
| |
| * Add (self-signed) ISRG Roots to the CA bundle.Guilhem Moulin2021-02-156
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This allows us to fully validate provided X.509 chains using that self-contained bundle, regardless of which CAs is marqued as trusted under /etc/ssl/certs. Also, remove cross-signed intermediate CAs from the bundle as they're useless in a self-contained bundle. Also, remove decomissioned intermediate CAs Authority X3 and X4 from the bundle. This change bumps the minimum OpenSSL version to 1.1.0 (for verify(1ssl)'s ‘-trusted’ and ‘-show_chain’ options).
| * Improve nginx/apache2 snippets for direct serving of challenge files.Guilhem Moulin2021-02-143
| | | | | | | | With the new 'challenge-directory' logic symlinks can be disabled.
| * challenge-directory now needs to be set to an *existing* directory.Guilhem Moulin2021-02-145
| | | | | | | | | | | | | | Since lacme(8) spawns a builtin webserver by default the change doesn't affect default configurations. See https://bugs.debian.org/970800 for the rationale.
| * lacme: allow direct use challenge-directory .well-known/acme-challengeBenjamin Tietz2021-02-143
| |
| * Rename debian branch to debian/latest.Guilhem Moulin2021-02-141
| | | | | | | | For DEP-14 compliance.
| * Improve user/group documentation.Guilhem Moulin2021-02-121
| |
| * Improve keyUsage documentation.Guilhem Moulin2021-02-122
| |
| * wibbleGuilhem Moulin2021-02-121
| |
| * client: fail immediately when the accountd is unreachable.Guilhem Moulin2021-02-122
| |
| * Replace Types::Serialiser::true with JSON::true.Guilhem Moulin2021-02-123
| | | | | | | | This removes the dependency on Types::Serialiser.
| * Raise client timeout from 10 to 30s.Guilhem Moulin2021-02-124
| |
| * lacme: new flag `--force`.Guilhem Moulin2020-12-093
| | | | | | | | | | Which aliases to `--min-days=-1`, i.e., forces renewal regardless of the expiration date of existing certificates.
| * Make unprivileged user/group for the internal client resp. webserver ↵Guilhem Moulin2020-12-095
| | | | | | | | configurable.
| * s/\.pem$/.crt/Guilhem Moulin2020-12-091
| |
| * Fix broken URLs.Guilhem Moulin2020-12-091
| |
| * documentation: emphasize default values in the config file.Guilhem Moulin2020-12-093
| | | | | | | | | | Also, move the most common options ('hash', 'keyUsage', 'CAfile', 'min-days') to the default section.
| * documentation: clarify that "file:/path/to/account.key" can point to a ↵Guilhem Moulin2020-12-093
| | | | | | | | symmetrically-encrypted private key.
| * wibbleGuilhem Moulin2020-12-092
| |
| * documentation: suggest to generate private key material with genpkey(1ssl).Guilhem Moulin2020-12-094
| | | | | | | | | | * Also suggest a command to generate an ECDSA key not just RSA. * Hint at which key algorithms are supported.