| Commit message (Collapse) | Author | Age | Files |
... | |
|
|
|
|
| |
It's an internal flag, but can be useful for authorized_keys(5)
restrictions.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
lacme(8): for --config=, --socket=, --config-certs= (and ‘socket’/
‘config-certs’/‘challenge-directory’ configuration options *before*
privilege drop; and for the [accountd] section ‘command’/‘config’
configuration options *after* privilege drop).
lacme-accountd(1): for --config=, --socket= and --privkey= (and
‘socket’/‘privkey’ configuration options).
This also changes the default configuration file location. lacme(8) and
lacme-accountd(1) now respectively use /etc/lacme/lacme.conf resp.
/etc/lacme/lacme-accountd.conf when running as root, and
$XDG_CONFIG_HOME/lacme/lacme.conf resp. $XDG_CONFIG_HOME/lacme/lacme-accountd.conf
when running as a normal user. There is no fallback to /etc anymore.
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
Not that it make a difference since we don't run suid.
|
|
|
|
|
|
|
| |
../../lacme/apache2.conf.
This is useful for enabling the snippet with `a2enconf lacme`, cf.
https://bugs.debian.org/955859 .
|
| |
|
|
|
|
| |
And add a test case for this.
|
|
|
|
|
| |
Instead, treat it as an empty file. This makes it possible to use
lacme-accountd(1) without configuration file under ~/.config/lacme.
|
|
|
|
| |
These tests are not interactive!
|
|
|
|
| |
This is needed for gpg-encrypted privkeys.
|
|
|
|
|
|
|
| |
configuration file.
One need to use the lacme-accountd(1) configuration file for that
instead.
|
|
|
|
|
|
|
|
| |
default value.
The previous default, namely /etc/lacme/lacme-accountd.conf, is still
honored when there is the user running lacme doesn't have a
~/.config/lacme/lacme-account.conf configuration file.
|
|
|
|
| |
https://letsencrypt.org/docs/staging-environment/
|
|
|
|
| |
Cf. https://community.letsencrypt.org/t/staging-hierarchy-new-root-cert/145677 .
|
|
|
|
|
|
| |
To correctly extract the parent directory of the socket path. The
previous returned an empty string when the socket path didn't contain
‘/’.
|
|
|
|
|
| |
Using stdin/stdout makes it possible to tunnel the accountd connection
through ssh.
|
|
|
|
| |
This doesn't change the default behavior.
|
| |
|
|
|
|
| |
directory.
|
|
|
|
|
| |
Having both lacme(8) and its webserver component reading from the same
standard input could yield starvation.
|
|
|
|
|
|
| |
That way users prefering that over reverse-proxying can just
source/enable the relevant files without having to uncomment
anything.
|
|
|
|
|
| |
Set $HOME, $USER, $SHELL, $PATH, $LOGNAME to appropriate values (and
perserve $TERM), which matches the login(1) behavior.
|
| |
|
|
|
|
| |
When the accountd socket can't be reached.
|
| |
|
|
|
|
|
|
|
| |
This is a breaking change: lacme(8) resp. lacme-accountd(1) no longer
consider ./lacme.conf resp. ./lacme-accountd.conf as default location
for the configuration file. Doing so has security implications when
running these program from insecure directories.
|
| |
|
| |
|
|
|
|
| |
See https://letsencrypt.org/docs/staging-environment/ .
|
| |
|
| |
|
|
|
|
| |
This is mostly useful for OCSP Must-Staple.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This allows us to fully validate provided X.509 chains using that
self-contained bundle, regardless of which CAs is marqued as trusted
under /etc/ssl/certs.
Also, remove cross-signed intermediate CAs from the bundle as they're
useless in a self-contained bundle.
Also, remove decomissioned intermediate CAs Authority X3 and X4 from the
bundle.
This change bumps the minimum OpenSSL version to 1.1.0 (for
verify(1ssl)'s ‘-trusted’ and ‘-show_chain’ options).
|
|
|
|
| |
With the new 'challenge-directory' logic symlinks can be disabled.
|
|
|
|
|
|
|
| |
Since lacme(8) spawns a builtin webserver by default the change doesn't
affect default configurations.
See https://bugs.debian.org/970800 for the rationale.
|
| |
|
|
|
|
| |
For DEP-14 compliance.
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
This removes the dependency on Types::Serialiser.
|
| |
|
|
|
|
|
| |
Which aliases to `--min-days=-1`, i.e., forces renewal regardless of the
expiration date of existing certificates.
|
|
|
|
| |
configurable.
|