Commit message (Collapse) | Author | Age | Files | |
---|---|---|---|---|
* | Update changelog for 0.8.1-1 releasedebian/0.8.1-1 | Guilhem Moulin | 2023-01-25 | 1 |
| | ||||
* | Merge tag 'v0.8.1' into debian/latest | Guilhem Moulin | 2023-01-25 | 18 |
|\ | | | | | | | Release version 0.8.1 | |||
| * | Prepare new release v0.8.1.v0.8.1 | Guilhem Moulin | 2023-01-25 | 4 |
| | | ||||
| * | Adjust test suite against current Let's Encrypt staging environment. | Guilhem Moulin | 2023-01-25 | 7 |
| | | ||||
| * | Replace '$(dir $@)' with '$(@D)' in Makefile. | Guilhem Moulin | 2023-01-25 | 2 |
| | | ||||
| * | lacme: pass a temporary JSON file with the client configuration to the ↵ | Guilhem Moulin | 2021-02-25 | 4 |
| | | | | | | | | | | | | | | | | | | internal client. So it doesn't have to parse the INI file again. Also, while lacme.conf is world-readable by default, one might restrict permissions and add private information in there, not realizing that everything, including comments, will be readable by the client. | |||
| * | lacme: split certificates using Net::SSLeay::PEM_* instead of calling openssl. | Guilhem Moulin | 2021-02-25 | 2 |
| | | ||||
| * | lacme: improve install_cert()'s handling of temporary files. | Guilhem Moulin | 2021-02-24 | 1 |
| | | ||||
| * | lacme: Return an error when the 'mode'/'chown' isn't a number. | Guilhem Moulin | 2021-02-24 | 2 |
| | | | | | | | | oct("foobar") is 0, definitely not what we want. | |||
| * | lacme: Add 'owner' resp. 'mode' as (prefered) alias for 'chown' resp. 'chmod'. | Guilhem Moulin | 2021-02-24 | 5 |
| | | ||||
| * | lacme: Default mode for certificate(-chain) creation is 0644 minus umask ↵ | Guilhem Moulin | 2021-02-24 | 5 |
| | | | | | | | | | | | | | | | | restrictions. Also, always spawn the client with umask 0022 so a starting lacme(8) with a restrictive umask doesn't impede serving challenge response files. | |||
| * | lacme: Don't write certificate(-chain) file on chown/chmod failure. | Guilhem Moulin | 2021-02-24 | 3 |
| | | | | | | | | | | | | | | | | | | Otherwise we end up with files with mode 0644 owned by root:root, and subsequent lacme(8) invocations will likely not renew them for a while. This change also saves a chown(2) call. And the new logic (chown resp. chmod from root:root resp. 0600) is safe if we ever include private key material in there too. | |||
| * | If restricting access via umask() fails, don't include errno in the error ↵ | Guilhem Moulin | 2021-02-24 | 3 |
| | | | | | | | | | | | | | | message. errno is not set on umask failure, see https://perldoc.perl.org/functions/umask. | |||
| * | lacme: Ignore empty values in 'chown'/'chmod'/'certificate'/'certificate-chain'. | Guilhem Moulin | 2021-02-24 | 2 |
| | | ||||
| * | tests/cert-install: Include tests for failing chown(2). | Guilhem Moulin | 2021-02-24 | 2 |
| | | | | | | | | Due to unknown user/group name. | |||
| * | tab damage | Guilhem Moulin | 2021-02-24 | 1 |
| | | ||||
| * | typofix | Guilhem Moulin | 2021-02-24 | 1 |
| | | ||||
| * | tests/drop-privileges: Ensure failure to drop privileges yields an error. | Guilhem Moulin | 2021-02-24 | 2 |
| | | | | | | | | And doesn't retain root privileges. | |||
| * | lacme: When getpwnam()/getgrnam()'s errno is 0, exclude it from error messages. | Guilhem Moulin | 2021-02-24 | 2 |
| | | ||||
| * | lacme-accountd: Refactor logging logic. | Guilhem Moulin | 2021-02-23 | 2 |
| | | ||||
| * | lacme-accountd: don't log debug messages unless --debug is set. | Guilhem Moulin | 2021-02-23 | 2 |
| | | ||||
| * | Consolidate error messages. | Guilhem Moulin | 2021-02-23 | 2 |
| | | ||||
| * | lacme-accountd: panic() upon internal error of the signing routine. | Guilhem Moulin | 2021-02-22 | 1 |
| | | | | | | | | It might croak and we want to log that error also. | |||
| * | test suite: Avoid setting twice the ACME API server URL. | Guilhem Moulin | 2021-02-22 | 1 |
| | | ||||
| * | test: Allow prefixing test names with 'tests/'. | Guilhem Moulin | 2021-02-22 | 1 |
| | | | | | | | | It's handy to be able to run `./test tests/accountd*` or similar. | |||
| * | lacme-accountd: Refuse to sign JWS with an invalid Protected Header. | Guilhem Moulin | 2021-02-22 | 3 |
| | | | | | | | | | | | | | | | | | | | | | | “The JWS Protected Header is a JSON object” — RFC 7515 sec. 2. “The JWS Protected Header MUST include the following fields: - "alg" - "nonce" - "url" - either "jwk" or "kid"” — RFC 8555 sec. 6.2. | |||
| * | lacme-account: Improve log messages. | Guilhem Moulin | 2021-02-22 | 5 |
| | | | | | | | | Again… | |||
| * | accountd::conn(): Minor refactoring. | Guilhem Moulin | 2021-02-22 | 1 |
| | | ||||
| * | In lacme's the [accountd] config, let lacme-accountd(1) do the %-expansion ↵ | Guilhem Moulin | 2021-02-22 | 3 |
| | | | | | | | | | | | | | | | | for 'config'. This matches the arguably expected behavior that ‘config = %h/foo’ is passed as ‘--config=%h/foo’ and resolved by lacme-accountd(1) (possibly remote and with another passwd database). | |||
* | | Update standards version to 4.6.2, no changes needed. | Guilhem Moulin | 2022-12-20 | 1 |
| | | | | | | | | | | | | Changes-By: lintian-brush Fixes: lintian: out-of-date-standards-version See-also: https://lintian.debian.org/tags/out-of-date-standards-version.html | |||
* | | Set field Upstream-Name in debian/copyright. | Guilhem Moulin | 2022-12-20 | 1 |
| | | | | | | | | Changes-By: lintian-brush | |||
* | | Merge branch 'multiarch-fixes' into 'debian/latest' | Jelmer Vernooij | 2022-10-30 | 1 |
|\ \ | | | | | | | | | | | | | Apply hints suggested by the multi-arch hinter See merge request debian/lacme!1 | |||
| * | | Apply multi-arch hints. | Debian Janitor | 2022-10-27 | 1 |
|/ / | | | | | | | | | | | + lacme-accountd: Add Multi-Arch: foreign. Changes-By: apply-multiarch-hints | |||
* | | d/control: Improve long package descriptions. | Guilhem Moulin | 2022-08-16 | 1 |
| | | ||||
* | | Salsa CI: Remove default configuration file. | Guilhem Moulin | 2022-08-16 | 1 |
| | | | | | | | | | | | | Instead, set ‘recipes/debian.yml@salsa-ci-team/pipeline’ as CI/CD configuration file in the GitLab repository setting. Per recommendation from the Salsa CI maintainers: https://salsa.debian.org/salsa-ci-team/pipeline#debian-pipeline-for-developers . | |||
* | | Prepare new release.debian/0.8.0-2 | Guilhem Moulin | 2021-05-04 | 1 |
| | | ||||
* | | d/lacme.postrm: Don't delete system users on purge. | Guilhem Moulin | 2021-02-22 | 2 |
| | | | | | | | | | | | | | | _lacme-www shouldn't own any file or directories, but there might be files on disk owned by _lacme-client when 'challenge-directory' is used. See https://wiki.debian.org/AccountHandlingInMaintainerScripts#Reasons_for_not_deleting_accounts . | |||
* | | Prepare new release.debian/0.8.0-1 | Guilhem Moulin | 2021-02-22 | 3 |
| | | ||||
* | | d/lacme.install: include new configuration files and snippets. | Guilhem Moulin | 2021-02-22 | 2 |
| | | ||||
* | | d/lacme.links: Remove /etc/apache2/conf-available/lacme.conf. | Guilhem Moulin | 2021-02-22 | 2 |
| | | | | | | | | Now part of the upstream build system. | |||
* | | Add NEWS files with breaking changes. | Guilhem Moulin | 2021-02-22 | 2 |
| | | ||||
* | | d/control: Remove versioned Recommends: on lacme-accountd. | Guilhem Moulin | 2021-02-22 | 2 |
| | | | | | | | | | | lacme also works with earlier accountds, but might yield bad suprises when the 'keyid' setting is set. | |||
* | | d/copyright: Point Source: to the upstream repository. | Guilhem Moulin | 2021-02-22 | 2 |
| | | ||||
* | | d/copyright: Bump copyright years. | Guilhem Moulin | 2021-02-22 | 1 |
| | | ||||
* | | Bump copyright years. | Guilhem Moulin | 2021-02-22 | 1 |
| | | ||||
* | | d/control: lacme now require openssl 1.1.0 or later. | Guilhem Moulin | 2021-02-22 | 2 |
| | | ||||
* | | d/control: Remove libtypes-serialiser-perl from lacme's Depends. | Guilhem Moulin | 2021-02-22 | 2 |
| | | | | | | | | See b54d248515357297d84a01cf45a42a6787c21240. | |||
* | | Bump upstream version number. | Guilhem Moulin | 2021-02-22 | 1 |
| | | ||||
* | | Use dedicated system users for internal components. | Guilhem Moulin | 2021-02-22 | 5 |
| | | | | | | | | | | | | | | | | | | | | | | | | * The internal webserver now runs as a dedicated system user _lacme-www (and group nogroup) instead of www-data:www-data. This is configurable in the [webserver] section of the lacme(8) configuration file. * The internal ACME client now runs as a dedicated system user _lacme-client (and group nogroup) instead of nobody:nogroup. This is configurable in the [client] section of the lacme(8) configuration file. * The _lacme-www and _lacme-client system users are created automatically by lacme.postinst (hence a new Depends: adduser), and deleted on purge. (So make sure not to chown any file to these internal users.) | |||
* | | Refresh patches. | Guilhem Moulin | 2021-02-22 | 2 |
| | | | | | | | | And add "Forwarded: not-needed" annotations when relevant. |