Commit message (Collapse) | Author | Age | Files | ||
---|---|---|---|---|---|
... | |||||
| * | Use 'acme-challenge.XXXXXXXXXX' as template for the temporary ACME challenge ↵ | Guilhem Moulin | 2021-02-18 | 2 | |
| | | | | | | | | directory. | ||||
| * | webserver: reopen stdin from /dev/null. | Guilhem Moulin | 2021-02-18 | 2 | |
| | | | | | | | | | | Having both lacme(8) and its webserver component reading from the same standard input could yield starvation. | ||||
| * | Split Nginx and Apapche2 static configuration snippets into seperate files. | Guilhem Moulin | 2021-02-18 | 5 | |
| | | | | | | | | | | | | That way users prefering that over reverse-proxying can just source/enable the relevant files without having to uncomment anything. | ||||
| * | Sanitize environment when spawning children. | Guilhem Moulin | 2021-02-18 | 2 | |
| | | | | | | | | | | Set $HOME, $USER, $SHELL, $PATH, $LOGNAME to appropriate values (and perserve $TERM), which matches the login(1) behavior. | ||||
| * | Consolidate error messages for consistency. | Guilhem Moulin | 2021-02-18 | 4 | |
| | | |||||
| * | client: avoid "Use of uninitialized value in pattern match (m//)" perl warnings. | Guilhem Moulin | 2021-02-18 | 2 | |
| | | | | | | | | When the accountd socket can't be reached. | ||||
| * | Makefile: set executable bit for $(bindir)/lacme-accountd and $(sbindir)/lacme. | Guilhem Moulin | 2021-02-18 | 2 | |
| | | |||||
| * | Don't load configuration files from ./ by default. | Guilhem Moulin | 2021-02-18 | 5 | |
| | | | | | | | | | | | | | | This is a breaking change: lacme(8) resp. lacme-accountd(1) no longer consider ./lacme.conf resp. ./lacme-accountd.conf as default location for the configuration file. Doing so has security implications when running these program from insecure directories. | ||||
| * | client: use "lacme-client/$VERSION" as User-Agent header. | Guilhem Moulin | 2021-02-18 | 3 | |
| | | |||||
| * | typofix | Guilhem Moulin | 2021-02-18 | 1 | |
| | | |||||
| * | Add certs-staging/fake*.pem for tests using the staging environment. | Guilhem Moulin | 2021-02-18 | 3 | |
| | | | | | | | | See https://letsencrypt.org/docs/staging-environment/ . | ||||
| * | typofix | Guilhem Moulin | 2021-02-15 | 1 | |
| | | |||||
| * | Makefile: new 'release' target. | Guilhem Moulin | 2021-02-15 | 1 | |
| | | |||||
| * | Add support for TLS Feature extension from RFC 7633. | Guilhem Moulin | 2021-02-15 | 3 | |
| | | | | | | | | This is mostly useful for OCSP Must-Staple. | ||||
| * | Add certs/letsencryptauthorityx[12].pem | Guilhem Moulin | 2021-02-15 | 2 | |
| | | |||||
| * | Bump copyright years. | Guilhem Moulin | 2021-02-15 | 5 | |
| | | |||||
| * | Add (self-signed) ISRG Roots to the CA bundle. | Guilhem Moulin | 2021-02-15 | 6 | |
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This allows us to fully validate provided X.509 chains using that self-contained bundle, regardless of which CAs is marqued as trusted under /etc/ssl/certs. Also, remove cross-signed intermediate CAs from the bundle as they're useless in a self-contained bundle. Also, remove decomissioned intermediate CAs Authority X3 and X4 from the bundle. This change bumps the minimum OpenSSL version to 1.1.0 (for verify(1ssl)'s ‘-trusted’ and ‘-show_chain’ options). | ||||
| * | Improve nginx/apache2 snippets for direct serving of challenge files. | Guilhem Moulin | 2021-02-14 | 3 | |
| | | | | | | | | With the new 'challenge-directory' logic symlinks can be disabled. | ||||
| * | challenge-directory now needs to be set to an *existing* directory. | Guilhem Moulin | 2021-02-14 | 5 | |
| | | | | | | | | | | | | | | Since lacme(8) spawns a builtin webserver by default the change doesn't affect default configurations. See https://bugs.debian.org/970800 for the rationale. | ||||
| * | lacme: allow direct use challenge-directory .well-known/acme-challenge | Benjamin Tietz | 2021-02-14 | 3 | |
| | | |||||
| * | Rename debian branch to debian/latest. | Guilhem Moulin | 2021-02-14 | 1 | |
| | | | | | | | | For DEP-14 compliance. | ||||
| * | Improve user/group documentation. | Guilhem Moulin | 2021-02-12 | 1 | |
| | | |||||
| * | Improve keyUsage documentation. | Guilhem Moulin | 2021-02-12 | 2 | |
| | | |||||
| * | wibble | Guilhem Moulin | 2021-02-12 | 1 | |
| | | |||||
| * | client: fail immediately when the accountd is unreachable. | Guilhem Moulin | 2021-02-12 | 2 | |
| | | |||||
| * | Replace Types::Serialiser::true with JSON::true. | Guilhem Moulin | 2021-02-12 | 3 | |
| | | | | | | | | This removes the dependency on Types::Serialiser. | ||||
| * | Raise client timeout from 10 to 30s. | Guilhem Moulin | 2021-02-12 | 4 | |
| | | |||||
| * | lacme: new flag `--force`. | Guilhem Moulin | 2020-12-09 | 3 | |
| | | | | | | | | | | Which aliases to `--min-days=-1`, i.e., forces renewal regardless of the expiration date of existing certificates. | ||||
| * | Make unprivileged user/group for the internal client resp. webserver ↵ | Guilhem Moulin | 2020-12-09 | 5 | |
| | | | | | | | | configurable. | ||||
| * | s/\.pem$/.crt/ | Guilhem Moulin | 2020-12-09 | 1 | |
| | | |||||
| * | Fix broken URLs. | Guilhem Moulin | 2020-12-09 | 1 | |
| | | |||||
| * | documentation: emphasize default values in the config file. | Guilhem Moulin | 2020-12-09 | 3 | |
| | | | | | | | | | | Also, move the most common options ('hash', 'keyUsage', 'CAfile', 'min-days') to the default section. | ||||
| * | documentation: clarify that "file:/path/to/account.key" can point to a ↵ | Guilhem Moulin | 2020-12-09 | 3 | |
| | | | | | | | | symmetrically-encrypted private key. | ||||
| * | wibble | Guilhem Moulin | 2020-12-09 | 2 | |
| | | |||||
| * | documentation: suggest to generate private key material with genpkey(1ssl). | Guilhem Moulin | 2020-12-09 | 4 | |
| | | | | | | | | | | * Also suggest a command to generate an ECDSA key not just RSA. * Hint at which key algorithms are supported. | ||||
| * | lacme: delay webserver socket shutdown. | Guilhem Moulin | 2020-12-09 | 2 | |
| | | | | | | | | | | | | | | | | | | | | | | To after the process has terminated. This solves a race condition spewing accept: Invalid argument at /usr/libexec/lacme/webserver line 80. (harmless) errors. Closes: deb#970458 | ||||
* | | Add d/upstream/metadata with Repository and Repository-Browse. | Guilhem Moulin | 2021-02-15 | 2 | |
| | | |||||
* | | d/.gitattributes: New file to merge d/changelog with dpkg-mergechangelogs(1). | Guilhem Moulin | 2021-02-15 | 2 | |
| | | |||||
* | | Add debian/salsa-ci.yml file. | Guilhem Moulin | 2021-02-15 | 2 | |
| | | |||||
* | | d/control: Point Vcs-* to salsa. | Guilhem Moulin | 2021-02-15 | 2 | |
| | | |||||
* | | d/gbp.conf: Update debian and upstream branches in compliance with DEP-14. | Guilhem Moulin | 2021-02-15 | 2 | |
| | | |||||
* | | d/gbp.conf: Update upstream tag template. | Guilhem Moulin | 2021-02-15 | 2 | |
| | | |||||
* | | Add d/watch pointing to the upstream repository. | Guilhem Moulin | 2021-02-15 | 3 | |
| | | |||||
* | | d/control: Bump Standards-Version to 4.5.1 (no changes necessary). | Guilhem Moulin | 2021-02-15 | 2 | |
| | | |||||
* | | Add d/upstream/signing-key.asc, the OpenPGP used to signed upstream tags. | Guilhem Moulin | 2021-02-15 | 2 | |
| | | |||||
* | | New lacme-accountd Suggests: openssl, gpg. | Guilhem Moulin | 2020-12-09 | 2 | |
| | | | | | | | | For account key generation using genpkey(1ssl) resp. decryption. | ||||
* | | New upstream release.debian/0.7-1 | Guilhem Moulin | 2020-11-26 | 3 | |
| | | | | | | | | Closes: #975862. | ||||
* | | Merge tag 'upstream/0.7' into debian | Guilhem Moulin | 2020-11-26 | 16 | |
|\| | | | | | | | New release 0.7 | ||||
| * | Use upstream certicate chain instead of an hardcoded one.upstream/0.7 | Guilhem Moulin | 2020-11-26 | 14 | |
| | | | | | | | | | | | | | | | | | | | | | | | | | | This is a breaking change. The certificate indicated by 'CAfile' is no longer used as is in 'certificate-chain' (along with the leaf cert). The chain returned by the ACME v2 endpoint is used instead. This allows for more flexbility with respect to key/CA rotation, cf. https://letsencrypt.org/2020/11/06/own-two-feet.html and https://community.letsencrypt.org/t/beginning-issuance-from-r3/139018 Moreover 'CAfile' now defaults to @@datadir@@/lacme/ca-certificates.crt which is a concatenation of all known active CA certificates (which includes the previous default). | ||||
| * | README: Link to /man/lacme.8.html | Guilhem Moulin | 2020-08-04 | 1 | |
| | |