Commit message (Collapse) | Author | Age | Files | |
---|---|---|---|---|
* | lacme-accountd: don't log debug messages unless --debug is set. | Guilhem Moulin | 2021-02-23 | 2 |
| | ||||
* | Consolidate error messages. | Guilhem Moulin | 2021-02-23 | 2 |
| | ||||
* | lacme-accountd: panic() upon internal error of the signing routine. | Guilhem Moulin | 2021-02-22 | 1 |
| | | | | It might croak and we want to log that error also. | |||
* | test suite: Avoid setting twice the ACME API server URL. | Guilhem Moulin | 2021-02-22 | 1 |
| | ||||
* | test: Allow prefixing test names with 'tests/'. | Guilhem Moulin | 2021-02-22 | 1 |
| | | | | It's handy to be able to run `./test tests/accountd*` or similar. | |||
* | lacme-accountd: Refuse to sign JWS with an invalid Protected Header. | Guilhem Moulin | 2021-02-22 | 3 |
| | | | | | | | | | | | “The JWS Protected Header is a JSON object” — RFC 7515 sec. 2. “The JWS Protected Header MUST include the following fields: - "alg" - "nonce" - "url" - either "jwk" or "kid"” — RFC 8555 sec. 6.2. | |||
* | lacme-account: Improve log messages. | Guilhem Moulin | 2021-02-22 | 5 |
| | | | | Again… | |||
* | accountd::conn(): Minor refactoring. | Guilhem Moulin | 2021-02-22 | 1 |
| | ||||
* | In lacme's the [accountd] config, let lacme-accountd(1) do the %-expansion ↵ | Guilhem Moulin | 2021-02-22 | 3 |
| | | | | | | | | for 'config'. This matches the arguably expected behavior that ‘config = %h/foo’ is passed as ‘--config=%h/foo’ and resolved by lacme-accountd(1) (possibly remote and with another passwd database). | |||
* | Prepare new release v0.8.0.v0.8.0 | Guilhem Moulin | 2021-02-22 | 4 |
| | ||||
* | tests: Check presence of extra greeting data. | Guilhem Moulin | 2021-02-22 | 1 |
| | ||||
* | Fix `./test --deb`. | Guilhem Moulin | 2021-02-22 | 3 |
| | | | | The staging environment wasn't set properly for the Debian packages. | |||
* | Print error messages only once. | Guilhem Moulin | 2021-02-22 | 1 |
| | ||||
* | space damage | Guilhem Moulin | 2021-02-22 | 1 |
| | ||||
* | client: Print Terms of Service URL for 'account' command. | Guilhem Moulin | 2021-02-22 | 2 |
| | ||||
* | logfile: treat empty values as unset. | Guilhem Moulin | 2021-02-22 | 1 |
| | ||||
* | Add 'logfile' to lacme-account.conf. | Guilhem Moulin | 2021-02-22 | 1 |
| | ||||
* | lacme-accountd(1): new setting 'keyid'. | Guilhem Moulin | 2021-02-22 | 6 |
| | | | | | This saves a round trip and provides a safeguard against malicious clients. | |||
* | accountd: Improve log message for incoming requests. | Guilhem Moulin | 2021-02-21 | 3 |
| | ||||
* | accountd: Pass JWA and JWK thumbprint via extended greeting data. | Guilhem Moulin | 2021-02-21 | 3 |
| | | | | | | | | | | | | | | | Passing the JWA to the ACME client is required if we want to support account keys other than RSA. As of 0.7 both lacme-accountd(1) and lacme(8) hardcode “RS256” (SHA256withRSA per RFC 7518 sec. A.1). Passing the JWK thumbprint is handy as it gives more flexibility if RFC 8555 sec. 8.1 were to be updated with another digest algorithm (it's currently hardcoded to SHA-256). A single lacme-account(1) instance might be used to sign requests from many clients, and it's easier to upgrade a single ‘lacme-accountd’ than many ‘lacme’. Moreover, in some restricted environments lacme-accountd might hide the JWK from the client to prevent ‘newAccount’ requests (such as contact updates); passing its thumbprint is enough for ‘newOrder’ requests. | |||
* | Add IPC tests with an old lacme(8) resp. lacme-accountd(1). | Guilhem Moulin | 2021-02-21 | 2 |
| | ||||
* | wording | Guilhem Moulin | 2021-02-21 | 5 |
| | ||||
* | wording | Guilhem Moulin | 2021-02-21 | 2 |
| | ||||
* | accountd: Fix prototype. | Guilhem Moulin | 2021-02-21 | 1 |
| | ||||
* | test suite: Don't try to show stderr if it's empty. | Guilhem Moulin | 2021-02-21 | 1 |
| | ||||
* | test suite: Indicate which tests have passed. | Guilhem Moulin | 2021-02-21 | 1 |
| | ||||
* | Make the ACME API server URL configurable at build time. | Guilhem Moulin | 2021-02-21 | 5 |
| | ||||
* | lacme-accountd: new setting 'logfile' to log signature requests. | Guilhem Moulin | 2021-02-21 | 8 |
| | | | | Prefixed with a timestamp. | |||
* | lacme-accountd(1): base64url-decode incoming signature requests. | Guilhem Moulin | 2021-02-21 | 2 |
| | | | | Before printing them to the standard error. | |||
* | Documentation: Wrap commands in `…`. | Guilhem Moulin | 2021-02-20 | 1 |
| | ||||
* | Document `lacme-accountd --stdio`. | Guilhem Moulin | 2021-02-20 | 4 |
| | | | | | It's an internal flag, but can be useful for authorized_keys(5) restrictions. | |||
* | Add %-specifiers support. | Guilhem Moulin | 2021-02-20 | 11 |
| | | | | | | | | | | | | | | | | lacme(8): for --config=, --socket=, --config-certs= (and ‘socket’/ ‘config-certs’/‘challenge-directory’ configuration options *before* privilege drop; and for the [accountd] section ‘command’/‘config’ configuration options *after* privilege drop). lacme-accountd(1): for --config=, --socket= and --privkey= (and ‘socket’/‘privkey’ configuration options). This also changes the default configuration file location. lacme(8) and lacme-accountd(1) now respectively use /etc/lacme/lacme.conf resp. /etc/lacme/lacme-accountd.conf when running as root, and $XDG_CONFIG_HOME/lacme/lacme.conf resp. $XDG_CONFIG_HOME/lacme/lacme-accountd.conf when running as a normal user. There is no fallback to /etc anymore. | |||
* | Wording: s/option/setting/. | Guilhem Moulin | 2021-02-20 | 4 |
| | ||||
* | wibble | Guilhem Moulin | 2021-02-20 | 1 |
| | ||||
* | typofix | Guilhem Moulin | 2021-02-20 | 1 |
| | ||||
* | Remove dependency on List::Util (core module). | Guilhem Moulin | 2021-02-20 | 3 |
| | ||||
* | Use real UID not effective UID in environment sanitation. | Guilhem Moulin | 2021-02-20 | 1 |
| | | | | Not that it make a difference since we don't run suid. | |||
* | Symlink $(sysconfdir)/apache2/conf-available/lacme.conf → ↵ | Guilhem Moulin | 2021-02-20 | 2 |
| | | | | | | | ../../lacme/apache2.conf. This is useful for enabling the snippet with `a2enconf lacme`, cf. https://bugs.debian.org/955859 . | |||
* | Makefile wibble | Guilhem Moulin | 2021-02-20 | 1 |
| | ||||
* | Document spawning a remote lacme-accountd(1) instance. | Guilhem Moulin | 2021-02-20 | 3 |
| | | | | And add a test case for this. | |||
* | lacme-accountd: Don't error out when the default configuration file is missing. | Guilhem Moulin | 2021-02-20 | 2 |
| | | | | | Instead, treat it as an empty file. This makes it possible to use lacme-accountd(1) without configuration file under ~/.config/lacme. | |||
* | Add tests for OpenSSL- and GnuPG-encrypted account keys. | Guilhem Moulin | 2021-02-20 | 3 |
| | | | | These tests are not interactive! | |||
* | lacme: Preserve $GPG_TTY when spawning the accountd. | Guilhem Moulin | 2021-02-20 | 1 |
| | | | | This is needed for gpg-encrypted privkeys. | |||
* | Deprecate setting 'privkey' in [accountd] section of the lacme(8) ↵ | Guilhem Moulin | 2021-02-20 | 5 |
| | | | | | | | configuration file. One need to use the lacme-accountd(1) configuration file for that instead. | |||
* | lacme(8)'s 'config' option in the [accountd] section no longer have a ↵ | Guilhem Moulin | 2021-02-20 | 4 |
| | | | | | | | | default value. The previous default, namely /etc/lacme/lacme-accountd.conf, is still honored when there is the user running lacme doesn't have a ~/.config/lacme/lacme-account.conf configuration file. | |||
* | Add test suite against Let's Encrypt's staging environment. | Guilhem Moulin | 2021-02-20 | 15 |
| | | | | https://letsencrypt.org/docs/staging-environment/ | |||
* | Update staging hierarchy. | Guilhem Moulin | 2021-02-20 | 9 |
| | | | | Cf. https://community.letsencrypt.org/t/staging-hierarchy-new-root-cert/145677 . | |||
* | Use File::Basename::dirname(). | Guilhem Moulin | 2021-02-20 | 4 |
| | | | | | | To correctly extract the parent directory of the socket path. The previous returned an empty string when the socket path didn't contain ‘/’. | |||
* | accountd: replace internal option --conn-fd=FD with flag --stdio. | Guilhem Moulin | 2021-02-18 | 4 |
| | | | | | Using stdin/stdout makes it possible to tunnel the accountd connection through ssh. | |||
* | Split client/webserver/accountd commands on whitespace. | Guilhem Moulin | 2021-02-18 | 4 |
| | | | | This doesn't change the default behavior. |