Commit message | Author | Age | Files
* Backport upstream patches to fix post-issuance validation logic. | Guilhem Moulin | 2024-06-13 | 3
|     As well as the upstream test suite. Closes: #1072847
* Update changelog for 0.8.0-2+deb12u1 release [debian/0.8.0-2+deb11u1] | Guilhem Moulin | 2023-04-28 | 1
|
* d/gbp.conf: Set 'debian-branch = debian/bullseye'. | Guilhem Moulin | 2023-04-28 | 1
|
* client: Handle "ready" → "processing" → "valid" status change during newOrder. | Guilhem Moulin | 2023-04-28 | 2
|     Instead of just "ready" → "valid", which may be what we observe when the server is fast enough, but according to RFC 8555 sec. 7.1.6 the state actually transitions via "processing" state and we need to account for that. It appears Let's Encrypt staging environment now has different timing conditions and lacme is unable to request certificates due to this issue.
|     Cherry-picked from 53238c70f7a12e233a6ca83cf2b50168e5b9592e.
|     Closes: #1034834
* Prepare new release. [debian/0.8.0-2] | Guilhem Moulin | 2021-05-04 | 1
|
* d/lacme.postrm: Don't delete system users on purge. | Guilhem Moulin | 2021-02-22 | 2
|     _lacme-www shouldn't own any file or directories, but there might be files on disk owned by _lacme-client when 'challenge-directory' is used. See https://wiki.debian.org/AccountHandlingInMaintainerScripts#Reasons_for_not_deleting_accounts .
* Prepare new release. [debian/0.8.0-1] | Guilhem Moulin | 2021-02-22 | 3
|
* d/lacme.install: include new configuration files and snippets. | Guilhem Moulin | 2021-02-22 | 2
|
* d/lacme.links: Remove /etc/apache2/conf-available/lacme.conf. | Guilhem Moulin | 2021-02-22 | 2
|     Now part of the upstream build system.
* Add NEWS files with breaking changes. | Guilhem Moulin | 2021-02-22 | 2
|
* d/control: Remove versioned Recommends: on lacme-accountd. | Guilhem Moulin | 2021-02-22 | 2
|     lacme also works with earlier accountds, but might yield bad surprises when the 'keyid' setting is set.
* d/copyright: Point Source: to the upstream repository. | Guilhem Moulin | 2021-02-22 | 2
|
* d/copyright: Bump copyright years. | Guilhem Moulin | 2021-02-22 | 1
|
* Bump copyright years. | Guilhem Moulin | 2021-02-22 | 1
|
* d/control: lacme now requires openssl 1.1.0 or later. | Guilhem Moulin | 2021-02-22 | 2
|
* d/control: Remove libtypes-serialiser-perl from lacme's Depends. | Guilhem Moulin | 2021-02-22 | 2
|     See b54d248515357297d84a01cf45a42a6787c21240.
* Bump upstream version number. | Guilhem Moulin | 2021-02-22 | 1
|
* Use dedicated system users for internal components. | Guilhem Moulin | 2021-02-22 | 5
|     * The internal webserver now runs as a dedicated system user _lacme-www (and group nogroup) instead of www-data:www-data. This is configurable in the [webserver] section of the lacme(8) configuration file.
|     * The internal ACME client now runs as a dedicated system user _lacme-client (and group nogroup) instead of nobody:nogroup. This is configurable in the [client] section of the lacme(8) configuration file.
|     * The _lacme-www and _lacme-client system users are created automatically by lacme.postinst (hence a new Depends: adduser), and deleted on purge. (So make sure not to chown any file to these internal users.)
* Refresh patches. | Guilhem Moulin | 2021-02-22 | 2
|     And add "Forwarded: not-needed" annotations when relevant.
* Merge tag 'v0.8.0' into debian/latest | Guilhem Moulin | 2021-02-22 | 48
|\
| |     Release version 0.8.0
| * Prepare new release v0.8.0. [v0.8.0] | Guilhem Moulin | 2021-02-22 | 4
| |
| * tests: Check presence of extra greeting data. | Guilhem Moulin | 2021-02-22 | 1
| |
| * Fix `./test --deb`. | Guilhem Moulin | 2021-02-22 | 3
| |     The staging environment wasn't set properly for the Debian packages.
| * Print error messages only once. | Guilhem Moulin | 2021-02-22 | 1
| |
| * space damage | Guilhem Moulin | 2021-02-22 | 1
| |
| * client: Print Terms of Service URL for 'account' command. | Guilhem Moulin | 2021-02-22 | 2
| |
| * logfile: treat empty values as unset. | Guilhem Moulin | 2021-02-22 | 1
| |
| * Add 'logfile' to lacme-account.conf. | Guilhem Moulin | 2021-02-22 | 1
| |
| * lacme-accountd(1): new setting 'keyid'. | Guilhem Moulin | 2021-02-22 | 6
| |     This saves a round trip and provides a safeguard against malicious clients.
| * accountd: Improve log message for incoming requests. | Guilhem Moulin | 2021-02-21 | 3
| |
| * accountd: Pass JWA and JWK thumbprint via extended greeting data. | Guilhem Moulin | 2021-02-21 | 3
| |     Passing the JWA to the ACME client is required if we want to support account keys other than RSA. As of 0.7 both lacme-accountd(1) and lacme(8) hardcode “RS256” (SHA256withRSA per RFC 7518 sec. A.1).
| |     Passing the JWK thumbprint is handy as it gives more flexibility if RFC 8555 sec. 8.1 were to be updated with another digest algorithm (it's currently hardcoded to SHA-256). A single lacme-account(1) instance might be used to sign requests from many clients, and it's easier to upgrade a single ‘lacme-accountd’ than many ‘lacme’. Moreover, in some restricted environments lacme-accountd might hide the JWK from the client to prevent ‘newAccount’ requests (such as contact updates); passing its thumbprint is enough for ‘newOrder’ requests.
| * Add IPC tests with an old lacme(8) resp. lacme-accountd(1). | Guilhem Moulin | 2021-02-21 | 2
| |
| * wording | Guilhem Moulin | 2021-02-21 | 5
| |
| * wording | Guilhem Moulin | 2021-02-21 | 2
| |
| * accountd: Fix prototype. | Guilhem Moulin | 2021-02-21 | 1
| |
| * test suite: Don't try to show stderr if it's empty. | Guilhem Moulin | 2021-02-21 | 1
| |
| * test suite: Indicate which tests have passed. | Guilhem Moulin | 2021-02-21 | 1
| |
| * Make the ACME API server URL configurable at build time. | Guilhem Moulin | 2021-02-21 | 5
| |
| * lacme-accountd: new setting 'logfile' to log signature requests. | Guilhem Moulin | 2021-02-21 | 8
| |     Prefixed with a timestamp.
| * lacme-accountd(1): base64url-decode incoming signature requests. | Guilhem Moulin | 2021-02-21 | 2
| |     Before printing them to the standard error.
| * Documentation: Wrap commands in `…`. | Guilhem Moulin | 2021-02-20 | 1
| |
| * Document `lacme-accountd --stdio`. | Guilhem Moulin | 2021-02-20 | 4
| |     It's an internal flag, but can be useful for authorized_keys(5) restrictions.
| * Add %-specifiers support. | Guilhem Moulin | 2021-02-20 | 11
| |     lacme(8): for --config=, --socket=, --config-certs= (and ‘socket’/‘config-certs’/‘challenge-directory’ configuration options *before* privilege drop; and for the [accountd] section ‘command’/‘config’ configuration options *after* privilege drop).
| |     lacme-accountd(1): for --config=, --socket= and --privkey= (and ‘socket’/‘privkey’ configuration options).
| |     This also changes the default configuration file location. lacme(8) and lacme-accountd(1) now respectively use /etc/lacme/lacme.conf resp. /etc/lacme/lacme-accountd.conf when running as root, and $XDG_CONFIG_HOME/lacme/lacme.conf resp. $XDG_CONFIG_HOME/lacme/lacme-accountd.conf when running as a normal user. There is no fallback to /etc anymore.
| * Wording: s/option/setting/. | Guilhem Moulin | 2021-02-20 | 4
| |
| * wibble | Guilhem Moulin | 2021-02-20 | 1
| |
| * typofix | Guilhem Moulin | 2021-02-20 | 1
| |
| * Remove dependency on List::Util (core module). | Guilhem Moulin | 2021-02-20 | 3
| |
| * Use real UID not effective UID in environment sanitation. | Guilhem Moulin | 2021-02-20 | 1
| |     Not that it makes a difference since we don't run suid.
| * Symlink $(sysconfdir)/apache2/conf-available/lacme.conf → ../../lacme/apache2.conf. | Guilhem Moulin | 2021-02-20 | 2
| |     This is useful for enabling the snippet with `a2enconf lacme`, cf. https://bugs.debian.org/955859 .
| * Makefile wibble | Guilhem Moulin | 2021-02-20 | 1
| |