Commit message | Author | Age | Files
* lacme: new flag `--force`. | Guilhem Moulin | 2020-12-09 | 3
    Which aliases to `--min-days=-1`, i.e., forces renewal regardless of the expiration date of existing certificates.
* Make unprivileged user/group for the internal client resp. webserver configurable. | Guilhem Moulin | 2020-12-09 | 5
* s/\.pem$/.crt/ | Guilhem Moulin | 2020-12-09 | 1
* Fix broken URLs. | Guilhem Moulin | 2020-12-09 | 1
* documentation: emphasize default values in the config file. | Guilhem Moulin | 2020-12-09 | 3
    Also, move the most common options ('hash', 'keyUsage', 'CAfile', 'min-days') to the default section.
* documentation: clarify that "file:/path/to/account.key" can point to a symmetrically-encrypted private key. | Guilhem Moulin | 2020-12-09 | 3
* wibble | Guilhem Moulin | 2020-12-09 | 2
* documentation: suggest to generate private key material with genpkey(1ssl). | Guilhem Moulin | 2020-12-09 | 4
    * Also suggest a command to generate an ECDSA key not just RSA.
    * Hint at which key algorithms are supported.
* lacme: delay webserver socket shutdown. | Guilhem Moulin | 2020-12-09 | 2
    To after the process has terminated. This solves a race condition spewing
        accept: Invalid argument at /usr/libexec/lacme/webserver line 80.
    (harmless) errors.
    Closes: deb#970458
* Use upstream certificate chain instead of a hardcoded one. [upstream/0.7] | Guilhem Moulin | 2020-11-26 | 14
    This is a breaking change. The certificate indicated by 'CAfile' is no longer used as is in 'certificate-chain' (along with the leaf cert). The chain returned by the ACME v2 endpoint is used instead. This allows for more flexibility with respect to key/CA rotation, cf. https://letsencrypt.org/2020/11/06/own-two-feet.html and https://community.letsencrypt.org/t/beginning-issuance-from-r3/139018
    Moreover 'CAfile' now defaults to @@datadir@@/lacme/ca-certificates.crt which is a concatenation of all known active CA certificates (which includes the previous default).
* README: Link to /man/lacme.8.html | Guilhem Moulin | 2020-08-04 | 1
* Improve long command wrapping. | Guilhem Moulin | 2020-08-04 | 1
* New release 0.6.1 [upstream/0.6.1] | Guilhem Moulin | 2020-08-04 | 1
* Upgrade links to secure HTTP. | Guilhem Moulin | 2020-08-04 | 7
* Ignore [accountd] section from lacme.conf when the --socket option is defined. | Guilhem Moulin | 2020-08-04 | 4
    This allows remotely-controlled lacme processes being controlled without modifying any config files. See https://bugs.debian.org/955767 .
* Makefile: Use variables for target directories etc. | Guilhem Moulin | 2020-08-04 | 11
* Adapt Apache2 snippet to Apache2 2.4. | Guilhem Moulin | 2020-08-04 | 2
* Change default libexec dir from /usr/lib/lacme to /usr/libexec/lacme. | Guilhem Moulin | 2020-08-03 | 5
* Install lacme manpage to section 8. | Guilhem Moulin | 2020-08-03 | 6
    As it's a system command, see hier(7) for details.
* Makefile: Major refactoring, add install and uninstall targets. | Guilhem Moulin | 2020-08-03 | 5
    Honor BUILD_DOCDIR and DESTDIR variables.
* factor out jq-script from Makefile | Benjamin Tietz | 2020-08-03 | 2
    the script is just a plain copy, but now accessible without make
* Use /run for the listening socket of the webserver component. | Guilhem Moulin | 2019-08-22 | 6
* New release 0.6. [upstream/0.6] | Guilhem Moulin | 2019-08-21 | 1
* lacme: new option 'account --deactivate' | Guilhem Moulin | 2019-08-21 | 3
    For client-initiated account deactivation. See RFC 8555 sec. 7.3.6.
* Issue GET and POST-as-GET requests (RFC 8555 sec. 6.3) | Guilhem Moulin | 2019-08-21 | 2
    For the authorizations, order and certificate URLs. See RFC 8555 sec. 7.1.
* Link to RFC 8555 instead of the ACME I-D URL. | Guilhem Moulin | 2019-08-21 | 4
* Call iptables binaries from /usr/sbin not /sbin. | Guilhem Moulin | 2019-08-21 | 2
    As of Buster this is the case, and the maintainer plans to drop compatibility symlinks once Bullseye is released. See /usr/share/doc/iptables/NEWS.Debian.gz .
* [git] ignore vim's swapfiles | Benjamin Tietz | 2019-01-21 | 1
* lacme, client: new dependency Date::Parse. | Guilhem Moulin | 2019-01-21 | 3
* client: poll order URL instead of each authz URL successively. | Guilhem Moulin | 2019-01-21 | 3
    We were blocking on https://github.com/letsencrypt/boulder/issues/3530 .
* New dependency: perl module Types::Serialiser [upstream/0.5] | Guilhem Moulin | 2018-05-09 | 1
* Use ACME v2 endpoints | Guilhem Moulin | 2018-04-27 | 6
    https://tools.ietf.org/html/draft-ietf-acme-acme-12
* Fix manpage generation with pandoc >=2.1 | Guilhem Moulin | 2018-04-26 | 2
* Copy snippets/*.conf to /etc/lacme [upstream/0.4] | Guilhem Moulin | 2017-07-28 | 2
* Fix generation of manpages with pandoc >=1.18 | Guilhem Moulin | 2017-07-28 | 2
* Update copyright info [upstream/0.3] | Guilhem Moulin | 2017-07-09 | 6
* Bind webserver to /var/run/lacme-www.socket by default. | Guilhem Moulin | 2017-07-08 | 6
* mv config/{apache2.conf,nginx.conf} snippets/ | Guilhem Moulin | 2017-07-08 | 2
* lacme: Specify minimum required Socket version 1.95. | Guilhem Moulin | 2017-07-01 | 2
* Specify minimum required Perl versions. | Guilhem Moulin | 2017-07-01 | 5
* Avoid hash slices. | Guilhem Moulin | 2017-07-01 | 1
    That's mostly what prevents us from supporting Perl older than 5.20.
* Ensure fdopen is called with an integer. | Guilhem Moulin | 2017-07-01 | 4
* wibble | Guilhem Moulin | 2017-06-30 | 1
* Improve docs. | Guilhem Moulin | 2017-06-29 | 1
* Provide apache2 configuration snippet. | Guilhem Moulin | 2017-06-29 | 3
* webserver: improve serving logic for ACME challenge responses. | Guilhem Moulin | 2017-06-29 | 1
    In particular, we now return "403 Forbidden" for /.well-known/acme-challenge/
* webserver: open ACME challenge files with O_NOFOLLOW. | Guilhem Moulin | 2017-06-29 | 1
* Remove potential race when creating ACME challenge response files. | Guilhem Moulin | 2017-06-29 | 2
* lacme(1), lacme-accountd(1): fix version number. | Guilhem Moulin | 2017-06-29 | 3
* webserver: refuse to follow symlink when serving ACME challenge responses. | Guilhem Moulin | 2017-06-29 | 3