path: root/Changelog
Commit message (Author, Age, Files)
* lacme: Don't write certificate(-chain) file on chown/chmod failure. (Guilhem Moulin, 2021-02-24, 1 file)
  Otherwise we end up with files with mode 0644 owned by root:root, and subsequent lacme(8) invocations will likely not renew them for a while. This change also saves a chown(2) call. And the new logic (chown resp. chmod from root:root resp. 0600) is safe if we ever include private key material in there too.
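A worked illustration of the install logic this entry describes, together with the unknown user/group failure case that the tests/cert-install entry further down covers. This is added example code in Python, not lacme's own Perl implementation; the file name, the user name ‘no-such-user-lacme-example’ and the certificate bytes are constructed placeholders.

```python
import grp
import os
import pwd
import tempfile


def install_file(path, data, owner=None, group=None, mode=0o644):
    """Install `data` at `path` with the requested owner/group/mode, or not at all.

    mkstemp() creates the temporary file as 0600 owned by the caller, so nothing is
    world-readable at any point; chown/chmod are applied to the open descriptor
    before any byte is written, and on failure the temp file is removed and an
    existing `path` is left untouched.  Returns the installed mode bits.
    """
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".install-")
    try:
        uid = pwd.getpwnam(owner).pw_uid if owner else -1   # KeyError for unknown user
        gid = grp.getgrnam(group).gr_gid if group else -1   # KeyError for unknown group
        if uid != -1 or gid != -1:
            os.fchown(fd, uid, gid)        # OSError (EPERM) when not permitted
        os.fchmod(fd, mode)
        os.write(fd, data)
        os.fsync(fd)
    except (KeyError, OSError):
        os.close(fd)
        os.unlink(tmp)
        raise
    os.close(fd)
    os.replace(tmp, path)                  # atomic rename: old file or new file, never partial
    return os.stat(path).st_mode & 0o7777


def demo():
    """Run the success path, then a failing chown (unknown user), and report what is left."""
    workdir = tempfile.mkdtemp(prefix="cert-install-")
    target = os.path.join(workdir, "fullchain.pem")
    cert = b"-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n-----END CERTIFICATE-----\n"
    mode = install_file(target, cert, mode=0o644)
    try:
        install_file(target, b"must not land", owner="no-such-user-lacme-example")  # constructed name
        failed = False
    except KeyError:
        failed = True
    with open(target, "rb") as fh:
        unchanged = fh.read() == cert
    return {"mode": mode, "failed": failed, "unchanged": unchanged,
            "files": sorted(os.listdir(workdir))}
```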
* If restricting access via umask() fails, don't include errno in the error message. (Guilhem Moulin, 2021-02-24, 1 file)
  errno is not set on umask failure, see https://perldoc.perl.org/functions/umask.
* lacme: Ignore empty values in 'chown'/'chmod'/'certificate'/'certificate-chain'. (Guilhem Moulin, 2021-02-24, 1 file)
* tests/cert-install: Include tests for failing chown(2). (Guilhem Moulin, 2021-02-24, 1 file)
  Due to unknown user/group name.
* tests/drop-privileges: Ensure failure to drop privileges yields an error. (Guilhem Moulin, 2021-02-24, 1 file)
  And doesn't retain root privileges.
* lacme: When getpwnam()/getgrnam()'s errno is 0, exclude it from error messages. (Guilhem Moulin, 2021-02-24, 1 file)
* lacme-accountd: Refactor logging logic. (Guilhem Moulin, 2021-02-23, 1 file)
* lacme-accountd: don't log debug messages unless --debug is set. (Guilhem Moulin, 2021-02-23, 1 file)
* lacme-accountd: Refuse to sign JWS with an invalid Protected Header. (Guilhem Moulin, 2021-02-22, 1 file)
  “The JWS Protected Header is a JSON object” — RFC 7515 sec. 2.
  “The JWS Protected Header MUST include the following fields:
    - "alg"
    - "nonce"
    - "url"
    - either "jwk" or "kid"” — RFC 8555 sec. 6.2.
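An added example, not lacme-accountd's own code, of the checks these two RFC quotes call for, written in Python rather than the project's Perl: strict base64url decoding, the JSON-object check, the mandatory fields, jwk/kid exclusivity, and an optional pin on alg (RS256, as 0.7 hardcodes) and on the account URL (the idea behind the ‘keyid’ setting listed elsewhere in this log). The example.test URLs in the assertions are constructed.

```python
import base64
import json

# RFC 8555 sec. 6.2: these string fields are mandatory, plus exactly one of "jwk"/"kid".
REQUIRED_FIELDS = ("alg", "nonce", "url")

def b64url_encode(raw):
    """base64url without '=' padding (RFC 7515 sec. 2)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text):
    """Strict base64url decode: rejects '=' padding, '+', '/' and any other stray byte."""
    if not isinstance(text, str) or any(c in text for c in "+/="):
        raise ValueError("not base64url")
    std = text.replace("-", "+").replace("_", "/")
    return base64.b64decode(std + "=" * (-len(std) % 4), validate=True)

def check_protected_header(protected, expected_alg="RS256", expected_kid=None):
    """Decode and validate a JWS Protected Header. Raises ValueError when the signing
    daemon should refuse the request; returns the header dict otherwise."""
    try:
        header = json.loads(b64url_decode(protected).decode("utf-8"))
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError(f"protected header is not base64url(JSON): {exc}") from exc
    if not isinstance(header, dict):            # RFC 7515 sec. 2: must be a JSON object
        raise ValueError("protected header must be a JSON object")
    missing = [k for k in REQUIRED_FIELDS
               if not isinstance(header.get(k), str) or not header[k]]
    if missing:
        raise ValueError("missing or non-string field(s): " + ", ".join(missing))
    if ("jwk" in header) == ("kid" in header):  # both present, or neither
        raise ValueError("exactly one of 'jwk' or 'kid' is required")
    if header["alg"] != expected_alg:           # 0.7 hardcodes RS256 on both sides
        raise ValueError(f"unexpected alg {header['alg']!r}")
    # Optional pin on the account URL the daemon signs for (cf. the 'keyid' setting).
    if expected_kid is not None and header.get("kid", expected_kid) != expected_kid:
        raise ValueError("kid does not match the configured account URL")
    return header

def is_valid(protected, **kwargs):
    """Boolean wrapper: True if check_protected_header() accepts the header."""
    try:
        check_protected_header(protected, **kwargs)
        return True
    except ValueError:
        return False
```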
* lacme-account: Improve log messages. (Guilhem Moulin, 2021-02-22, 1 file)
  Again…
* In lacme's [accountd] config, let lacme-accountd(1) do the %-expansion for 'config'. (Guilhem Moulin, 2021-02-22, 1 file)
  This matches the arguably expected behavior that ‘config = %h/foo’ is passed as ‘--config=%h/foo’ and resolved by lacme-accountd(1) (possibly remote and with another passwd database).
* Prepare new release v0.8.0. [tag: v0.8.0] (Guilhem Moulin, 2021-02-22, 1 file)
* client: Print Terms of Service URL for 'account' command. (Guilhem Moulin, 2021-02-22, 1 file)
* lacme-accountd(1): new setting 'keyid'. (Guilhem Moulin, 2021-02-22, 1 file)
  This saves a round trip and provides a safeguard against malicious clients.
* accountd: Pass JWA and JWK thumbprint via extended greeting data. (Guilhem Moulin, 2021-02-21, 1 file)
  Passing the JWA to the ACME client is required if we want to support account keys other than RSA. As of 0.7 both lacme-accountd(1) and lacme(8) hardcode “RS256” (SHA256withRSA per RFC 7518 sec. A.1).
  Passing the JWK thumbprint is handy as it gives more flexibility if RFC 8555 sec. 8.1 were to be updated with another digest algorithm (it's currently hardcoded to SHA-256). A single lacme-account(1) instance might be used to sign requests from many clients, and it's easier to upgrade a single ‘lacme-accountd’ than many ‘lacme’.
  Moreover, in some restricted environments lacme-accountd might hide the JWK from the client to prevent ‘newAccount’ requests (such as contact updates); passing its thumbprint is enough for ‘newOrder’ requests.
* lacme-accountd: new setting 'logfile' to log signature requests. (Guilhem Moulin, 2021-02-21, 1 file)
  Prefixed with a timestamp.
* lacme-accountd(1): base64url-decode incoming signature requests. (Guilhem Moulin, 2021-02-21, 1 file)
  Before printing them to the standard error.
* Document `lacme-accountd --stdio`. (Guilhem Moulin, 2021-02-20, 1 file)
  It's an internal flag, but can be useful for authorized_keys(5) restrictions.
* Add %-specifiers support. (Guilhem Moulin, 2021-02-20, 1 file)
  lacme(8): for --config=, --socket=, --config-certs= (and ‘socket’/‘config-certs’/‘challenge-directory’ configuration options *before* privilege drop; and for the [accountd] section ‘command’/‘config’ configuration options *after* privilege drop).
  lacme-accountd(1): for --config=, --socket= and --privkey= (and ‘socket’/‘privkey’ configuration options).
  This also changes the default configuration file location. lacme(8) and lacme-accountd(1) now respectively use /etc/lacme/lacme.conf resp. /etc/lacme/lacme-accountd.conf when running as root, and $XDG_CONFIG_HOME/lacme/lacme.conf resp. $XDG_CONFIG_HOME/lacme/lacme-accountd.conf when running as a normal user. There is no fallback to /etc anymore.
* Remove dependency on List::Util (core module). (Guilhem Moulin, 2021-02-20, 1 file)
* Deprecate setting 'privkey' in [accountd] section of the lacme(8) configuration file. (Guilhem Moulin, 2021-02-20, 1 file)
  One needs to use the lacme-accountd(1) configuration file for that instead.
* lacme(8)'s 'config' option in the [accountd] section no longer has a default value. (Guilhem Moulin, 2021-02-20, 1 file)
  The previous default, namely /etc/lacme/lacme-accountd.conf, is still honored when the user running lacme doesn't have a ~/.config/lacme/lacme-account.conf configuration file.
* Add test suite against Let's Encrypt's staging environment. (Guilhem Moulin, 2021-02-20, 1 file)
  https://letsencrypt.org/docs/staging-environment/
* Use File::Basename::dirname(). (Guilhem Moulin, 2021-02-20, 1 file)
  To correctly extract the parent directory of the socket path. The previous one returned an empty string when the socket path didn't contain ‘/’.
* accountd: replace internal option --conn-fd=FD with flag --stdio. (Guilhem Moulin, 2021-02-18, 1 file)
  Using stdin/stdout makes it possible to tunnel the accountd connection through ssh.
* Split client/webserver/accountd commands on whitespace. (Guilhem Moulin, 2021-02-18, 1 file)
  This doesn't change the default behavior.
* Set the DEBUG environment variable to 0/1 instead of ""/1. (Guilhem Moulin, 2021-02-18, 1 file)
* Use 'acme-challenge.XXXXXXXXXX' as template for the temporary ACME challenge directory. (Guilhem Moulin, 2021-02-18, 1 file)
* webserver: reopen stdin from /dev/null. (Guilhem Moulin, 2021-02-18, 1 file)
  Having both lacme(8) and its webserver component reading from the same standard input could yield starvation.
* Split Nginx and Apache2 static configuration snippets into separate files. (Guilhem Moulin, 2021-02-18, 1 file)
  That way users preferring that over reverse-proxying can just source/enable the relevant files without having to uncomment anything.
* Sanitize environment when spawning children. (Guilhem Moulin, 2021-02-18, 1 file)
  Set $HOME, $USER, $SHELL, $PATH, $LOGNAME to appropriate values (and preserve $TERM), which matches the login(1) behavior.
* Consolidate error messages for consistency. (Guilhem Moulin, 2021-02-18, 1 file)
* client: avoid "Use of uninitialized value in pattern match (m//)" perl warnings. (Guilhem Moulin, 2021-02-18, 1 file)
  When the accountd socket can't be reached.
* Makefile: set executable bit for $(bindir)/lacme-accountd and $(sbindir)/lacme. (Guilhem Moulin, 2021-02-18, 1 file)
* Don't load configuration files from ./ by default. (Guilhem Moulin, 2021-02-18, 1 file)
  This is a breaking change: lacme(8) resp. lacme-accountd(1) no longer consider ./lacme.conf resp. ./lacme-accountd.conf as default location for the configuration file. Doing so has security implications when running these programs from insecure directories.
* client: use "lacme-client/$VERSION" as User-Agent header. (Guilhem Moulin, 2021-02-18, 1 file)
* Add support for TLS Feature extension from RFC 7633. (Guilhem Moulin, 2021-02-15, 1 file)
  This is mostly useful for OCSP Must-Staple.
* Add (self-signed) ISRG Roots to the CA bundle. (Guilhem Moulin, 2021-02-15, 1 file)
  This allows us to fully validate provided X.509 chains using that self-contained bundle, regardless of which CAs are marked as trusted under /etc/ssl/certs.
  Also, remove cross-signed intermediate CAs from the bundle as they're useless in a self-contained bundle.
  Also, remove decommissioned intermediate CAs Authority X3 and X4 from the bundle.
  This change bumps the minimum OpenSSL version to 1.1.0 (for verify(1ssl)'s ‘-trusted’ and ‘-show_chain’ options).
* Improve nginx/apache2 snippets for direct serving of challenge files. (Guilhem Moulin, 2021-02-14, 1 file)
  With the new 'challenge-directory' logic symlinks can be disabled.
* challenge-directory now needs to be set to an *existing* directory. (Guilhem Moulin, 2021-02-14, 1 file)
  Since lacme(8) spawns a builtin webserver by default the change doesn't affect default configurations. See https://bugs.debian.org/970800 for the rationale.
* client: fail immediately when the accountd is unreachable. (Guilhem Moulin, 2021-02-12, 1 file)
* Replace Types::Serialiser::true with JSON::true. (Guilhem Moulin, 2021-02-12, 1 file)
  This removes the dependency on Types::Serialiser.
* Raise client timeout from 10 to 30s. (Guilhem Moulin, 2021-02-12, 1 file)
* lacme: new flag `--force`. (Guilhem Moulin, 2020-12-09, 1 file)
  Which aliases to `--min-days=-1`, i.e., forces renewal regardless of the expiration date of existing certificates.
* Make unprivileged user/group for the internal client resp. webserver configurable. (Guilhem Moulin, 2020-12-09, 1 file)
* documentation: emphasize default values in the config file. (Guilhem Moulin, 2020-12-09, 1 file)
  Also, move the most common options ('hash', 'keyUsage', 'CAfile', 'min-days') to the default section.
* documentation: clarify that "file:/path/to/account.key" can point to a symmetrically-encrypted private key. (Guilhem Moulin, 2020-12-09, 1 file)
* documentation: suggest to generate private key material with genpkey(1ssl). (Guilhem Moulin, 2020-12-09, 1 file)
  * Also suggest a command to generate an ECDSA key, not just RSA.
  * Hint at which key algorithms are supported.
* lacme: delay webserver socket shutdown. (Guilhem Moulin, 2020-12-09, 1 file)
  To after the process has terminated. This solves a race condition spewing ‘accept: Invalid argument at /usr/libexec/lacme/webserver line 80.’ (harmless) errors.
  Closes: deb#970458
* Use upstream certificate chain instead of a hardcoded one. [upstream/0.7] (Guilhem Moulin, 2020-11-26, 1 file)
  This is a breaking change. The certificate indicated by 'CAfile' is no longer used as is in 'certificate-chain' (along with the leaf cert). The chain returned by the ACME v2 endpoint is used instead.
  This allows for more flexibility with respect to key/CA rotation, cf. https://letsencrypt.org/2020/11/06/own-two-feet.html and https://community.letsencrypt.org/t/beginning-issuance-from-r3/139018
  Moreover 'CAfile' now defaults to @@datadir@@/lacme/ca-certificates.crt which is a concatenation of all known active CA certificates (which includes the previous default).