| Commit message | Description | Author | Age | Files |
|---|---|---|---|---|
| lacme-accountd: new setting 'logfile' to log signature requests. | Prefixed with a timestamp. | Guilhem Moulin | 2021-02-21 | 8 |
| lacme-accountd(1): base64url-decode incoming signature requests. | Before printing them to the standard error. | Guilhem Moulin | 2021-02-21 | 2 |
| Documentation: Wrap commands in `…`. | | Guilhem Moulin | 2021-02-20 | 1 |
| Document `lacme-accountd --stdio`. | It's an internal flag, but can be useful for authorized_keys(5) restrictions. | Guilhem Moulin | 2021-02-20 | 4 |
| Add %-specifiers support. | lacme(8): for --config=, --socket=, --config-certs= (and ‘socket’/‘config-certs’/‘challenge-directory’ configuration options *before* privilege drop; and for the [accountd] section ‘command’/‘config’ configuration options *after* privilege drop). lacme-accountd(1): for --config=, --socket= and --privkey= (and ‘socket’/‘privkey’ configuration options). This also changes the default configuration file location. lacme(8) and lacme-accountd(1) now respectively use /etc/lacme/lacme.conf resp. /etc/lacme/lacme-accountd.conf when running as root, and $XDG_CONFIG_HOME/lacme/lacme.conf resp. $XDG_CONFIG_HOME/lacme/lacme-accountd.conf when running as a normal user. There is no fallback to /etc anymore. | Guilhem Moulin | 2021-02-20 | 11 |
| Wording: s/option/setting/. | | Guilhem Moulin | 2021-02-20 | 4 |
| wibble | | Guilhem Moulin | 2021-02-20 | 1 |
| typofix | | Guilhem Moulin | 2021-02-20 | 1 |
| Remove dependency on List::Util (core module). | | Guilhem Moulin | 2021-02-20 | 3 |
| Use real UID not effective UID in environment sanitation. | Not that it makes a difference since we don't run suid. | Guilhem Moulin | 2021-02-20 | 1 |
| Symlink $(sysconfdir)/apache2/conf-available/lacme.conf → ../../lacme/apache2.conf. | This is useful for enabling the snippet with `a2enconf lacme`, cf. https://bugs.debian.org/955859 . | Guilhem Moulin | 2021-02-20 | 2 |
| Makefile wibble | | Guilhem Moulin | 2021-02-20 | 1 |
| Document spawning a remote lacme-accountd(1) instance. | And add a test case for this. | Guilhem Moulin | 2021-02-20 | 3 |
| lacme-accountd: Don't error out when the default configuration file is missing. | Instead, treat it as an empty file. This makes it possible to use lacme-accountd(1) without a configuration file under ~/.config/lacme. | Guilhem Moulin | 2021-02-20 | 2 |
| Add tests for OpenSSL- and GnuPG-encrypted account keys. | These tests are not interactive! | Guilhem Moulin | 2021-02-20 | 3 |
| lacme: Preserve $GPG_TTY when spawning the accountd. | This is needed for gpg-encrypted privkeys. | Guilhem Moulin | 2021-02-20 | 1 |
| Deprecate setting 'privkey' in [accountd] section of the lacme(8) configuration file. | One needs to use the lacme-accountd(1) configuration file for that instead. | Guilhem Moulin | 2021-02-20 | 5 |
| lacme(8)'s 'config' option in the [accountd] section no longer has a default value. | The previous default, namely /etc/lacme/lacme-accountd.conf, is still honored when the user running lacme doesn't have a ~/.config/lacme/lacme-account.conf configuration file. | Guilhem Moulin | 2021-02-20 | 4 |
| Add test suite against Let's Encrypt's staging environment. | https://letsencrypt.org/docs/staging-environment/ | Guilhem Moulin | 2021-02-20 | 15 |
| Update staging hierarchy. | Cf. https://community.letsencrypt.org/t/staging-hierarchy-new-root-cert/145677 . | Guilhem Moulin | 2021-02-20 | 9 |
| Use File::Basename::dirname(). | To correctly extract the parent directory of the socket path. The previous one returned an empty string when the socket path didn't contain ‘/’. | Guilhem Moulin | 2021-02-20 | 4 |
| accountd: replace internal option --conn-fd=FD with flag --stdio. | Using stdin/stdout makes it possible to tunnel the accountd connection through ssh. | Guilhem Moulin | 2021-02-18 | 4 |
| Split client/webserver/accountd commands on whitespace. | This doesn't change the default behavior. | Guilhem Moulin | 2021-02-18 | 4 |
| Set the DEBUG environment variable to 0/1 instead of ""/1. | | Guilhem Moulin | 2021-02-18 | 2 |
| Use 'acme-challenge.XXXXXXXXXX' as template for the temporary ACME challenge directory. | | Guilhem Moulin | 2021-02-18 | 2 |
| webserver: reopen stdin from /dev/null. | Having both lacme(8) and its webserver component reading from the same standard input could yield starvation. | Guilhem Moulin | 2021-02-18 | 2 |
| Split Nginx and Apache2 static configuration snippets into separate files. | That way users preferring that over reverse-proxying can just source/enable the relevant files without having to uncomment anything. | Guilhem Moulin | 2021-02-18 | 5 |
| Sanitize environment when spawning children. | Set $HOME, $USER, $SHELL, $PATH, $LOGNAME to appropriate values (and preserve $TERM), which matches the login(1) behavior. | Guilhem Moulin | 2021-02-18 | 2 |
| Consolidate error messages for consistency. | | Guilhem Moulin | 2021-02-18 | 4 |
| client: avoid "Use of uninitialized value in pattern match (m//)" perl warnings. | When the accountd socket can't be reached. | Guilhem Moulin | 2021-02-18 | 2 |
| Makefile: set executable bit for $(bindir)/lacme-accountd and $(sbindir)/lacme. | | Guilhem Moulin | 2021-02-18 | 2 |
| Don't load configuration files from ./ by default. | This is a breaking change: lacme(8) resp. lacme-accountd(1) no longer consider ./lacme.conf resp. ./lacme-accountd.conf as default location for the configuration file. Doing so has security implications when running these programs from insecure directories. | Guilhem Moulin | 2021-02-18 | 5 |
| client: use "lacme-client/$VERSION" as User-Agent header. | | Guilhem Moulin | 2021-02-18 | 3 |
| typofix | | Guilhem Moulin | 2021-02-18 | 1 |
| Add certs-staging/fake*.pem for tests using the staging environment. | See https://letsencrypt.org/docs/staging-environment/ . | Guilhem Moulin | 2021-02-18 | 3 |
| typofix | | Guilhem Moulin | 2021-02-15 | 1 |
| Makefile: new 'release' target. | | Guilhem Moulin | 2021-02-15 | 1 |
| Add support for TLS Feature extension from RFC 7633. | This is mostly useful for OCSP Must-Staple. | Guilhem Moulin | 2021-02-15 | 3 |
| Add certs/letsencryptauthorityx[12].pem | | Guilhem Moulin | 2021-02-15 | 2 |
| Bump copyright years. | | Guilhem Moulin | 2021-02-15 | 5 |
| Add (self-signed) ISRG Roots to the CA bundle. | This allows us to fully validate provided X.509 chains using that self-contained bundle, regardless of which CAs are marked as trusted under /etc/ssl/certs. Also, remove cross-signed intermediate CAs from the bundle as they're useless in a self-contained bundle. Also, remove decommissioned intermediate CAs Authority X3 and X4 from the bundle. This change bumps the minimum OpenSSL version to 1.1.0 (for verify(1ssl)'s ‘-trusted’ and ‘-show_chain’ options). | Guilhem Moulin | 2021-02-15 | 6 |
| Improve nginx/apache2 snippets for direct serving of challenge files. | With the new 'challenge-directory' logic symlinks can be disabled. | Guilhem Moulin | 2021-02-14 | 3 |
| challenge-directory now needs to be set to an *existing* directory. | Since lacme(8) spawns a builtin webserver by default the change doesn't affect default configurations. See https://bugs.debian.org/970800 for the rationale. | Guilhem Moulin | 2021-02-14 | 5 |
| lacme: allow direct use of challenge-directory .well-known/acme-challenge | | Benjamin Tietz | 2021-02-14 | 3 |
| Rename debian branch to debian/latest. | For DEP-14 compliance. | Guilhem Moulin | 2021-02-14 | 1 |
| Improve user/group documentation. | | Guilhem Moulin | 2021-02-12 | 1 |
| Improve keyUsage documentation. | | Guilhem Moulin | 2021-02-12 | 2 |
| wibble | | Guilhem Moulin | 2021-02-12 | 1 |
| client: fail immediately when the accountd is unreachable. | | Guilhem Moulin | 2021-02-12 | 2 |
| Replace Types::Serialiser::true with JSON::true. | This removes the dependency on Types::Serialiser. | Guilhem Moulin | 2021-02-12 | 3 |