| Commit message (Collapse) | Author | Age | Files |
| |
|
|
|
|
| |
And add a test case for this.
|
|
|
|
|
| |
Instead, treat it as an empty file. This makes it possible to use
lacme-accountd(1) without configuration file under ~/.config/lacme.
|
|
|
|
| |
These tests are not interactive!
|
|
|
|
| |
This is needed for gpg-encrypted privkeys.
|
|
|
|
|
|
|
| |
configuration file.
One need to use the lacme-accountd(1) configuration file for that
instead.
|
|
|
|
|
|
|
|
| |
default value.
The previous default, namely /etc/lacme/lacme-accountd.conf, is still
honored when there is the user running lacme doesn't have a
~/.config/lacme/lacme-account.conf configuration file.
|
|
|
|
| |
https://letsencrypt.org/docs/staging-environment/
|
|
|
|
| |
Cf. https://community.letsencrypt.org/t/staging-hierarchy-new-root-cert/145677 .
|
|
|
|
|
|
| |
To correctly extract the parent directory of the socket path. The
previous returned an empty string when the socket path didn't contain
‘/’.
|
|
|
|
|
| |
Using stdin/stdout makes it possible to tunnel the accountd connection
through ssh.
|
|
|
|
| |
This doesn't change the default behavior.
|
| |
|
|
|
|
| |
directory.
|
|
|
|
|
| |
Having both lacme(8) and its webserver component reading from the same
standard input could yield starvation.
|
|
|
|
|
|
| |
That way users prefering that over reverse-proxying can just
source/enable the relevant files without having to uncomment
anything.
|
|
|
|
|
| |
Set $HOME, $USER, $SHELL, $PATH, $LOGNAME to appropriate values (and
perserve $TERM), which matches the login(1) behavior.
|
| |
|
|
|
|
| |
When the accountd socket can't be reached.
|
| |
|
|
|
|
|
|
|
| |
This is a breaking change: lacme(8) resp. lacme-accountd(1) no longer
consider ./lacme.conf resp. ./lacme-accountd.conf as default location
for the configuration file. Doing so has security implications when
running these program from insecure directories.
|
| |
|
| |
|
|
|
|
| |
See https://letsencrypt.org/docs/staging-environment/ .
|
| |
|
| |
|
|
|
|
| |
This is mostly useful for OCSP Must-Staple.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This allows us to fully validate provided X.509 chains using that
self-contained bundle, regardless of which CAs is marqued as trusted
under /etc/ssl/certs.
Also, remove cross-signed intermediate CAs from the bundle as they're
useless in a self-contained bundle.
Also, remove decomissioned intermediate CAs Authority X3 and X4 from the
bundle.
This change bumps the minimum OpenSSL version to 1.1.0 (for
verify(1ssl)'s ‘-trusted’ and ‘-show_chain’ options).
|
|
|
|
| |
With the new 'challenge-directory' logic symlinks can be disabled.
|
|
|
|
|
|
|
| |
Since lacme(8) spawns a builtin webserver by default the change doesn't
affect default configurations.
See https://bugs.debian.org/970800 for the rationale.
|
| |
|
|
|
|
| |
For DEP-14 compliance.
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
This removes the dependency on Types::Serialiser.
|
| |
|
|
|
|
|
| |
Which aliases to `--min-days=-1`, i.e., forces renewal regardless of the
expiration date of existing certificates.
|
|
|
|
| |
configurable.
|
| |
|
| |
|
|
|
|
|
| |
Also, move the most common options ('hash', 'keyUsage', 'CAfile',
'min-days') to the default section.
|
|
|
|
| |
symmetrically-encrypted private key.
|
| |
|
|
|
|
|
| |
* Also suggest a command to generate an ECDSA key not just RSA.
* Hint at which key algorithms are supported.
|
|
|
|
|
|
|
|
|
|
|
| |
To after the process has terminated. This solves a race condition
spewing
accept: Invalid argument at /usr/libexec/lacme/webserver line 80.
(harmless) errors.
Closes: deb#970458
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is a breaking change. The certificate indicated by 'CAfile' is no
longer used as is in 'certificate-chain' (along with the leaf cert).
The chain returned by the ACME v2 endpoint is used instead. This allows
for more flexbility with respect to key/CA rotation, cf.
https://letsencrypt.org/2020/11/06/own-two-feet.html and
https://community.letsencrypt.org/t/beginning-issuance-from-r3/139018
Moreover 'CAfile' now defaults to @@datadir@@/lacme/ca-certificates.crt
which is a concatenation of all known active CA certificates (which
includes the previous default).
|