aboutsummaryrefslogtreecommitdiffstats
path: root/Changelog
Commit message (Collapse)AuthorAgeFiles
* lacme-accountd: new setting 'logfile' to log signature requests.Guilhem Moulin2021-02-211
| | | | Prefixed with a timestamp.
* lacme-accountd(1): base64url-decode incoming signature requests.Guilhem Moulin2021-02-211
| | | | Before printing them to the standard error.
* Document `lacme-accountd --stdio`.Guilhem Moulin2021-02-201
| | | | | It's an internal flag, but can be useful for authorized_keys(5) restrictions.
* Add %-specifiers support.Guilhem Moulin2021-02-201
| | | | | | | | | | | | | | | | lacme(8): for --config=, --socket=, --config-certs= (and ‘socket’/ ‘config-certs’/‘challenge-directory’ configuration options *before* privilege drop; and for the [accountd] section ‘command’/‘config’ configuration options *after* privilege drop). lacme-accountd(1): for --config=, --socket= and --privkey= (and ‘socket’/‘privkey’ configuration options). This also changes the default configuration file location. lacme(8) and lacme-accountd(1) now respectively use /etc/lacme/lacme.conf resp. /etc/lacme/lacme-accountd.conf when running as root, and $XDG_CONFIG_HOME/lacme/lacme.conf resp. $XDG_CONFIG_HOME/lacme/lacme-accountd.conf when running as a normal user. There is no fallback to /etc anymore.
* Remove dependency on List::Util (core module).Guilhem Moulin2021-02-201
|
* Deprecate setting 'privkey' in [accountd] section of the lacme(8) ↵Guilhem Moulin2021-02-201
| | | | | | | configuration file. One need to use the lacme-accountd(1) configuration file for that instead.
* lacme(8)'s 'config' option in the [accountd] section no longer have a ↵Guilhem Moulin2021-02-201
| | | | | | | | default value. The previous default, namely /etc/lacme/lacme-accountd.conf, is still honored when there is the user running lacme doesn't have a ~/.config/lacme/lacme-account.conf configuration file.
* Add test suite against Let's Encrypt's staging environment.Guilhem Moulin2021-02-201
| | | | https://letsencrypt.org/docs/staging-environment/
* Use File::Basename::dirname().Guilhem Moulin2021-02-201
| | | | | | To correctly extract the parent directory of the socket path. The previous returned an empty string when the socket path didn't contain ‘/’.
* accountd: replace internal option --conn-fd=FD with flag --stdio.Guilhem Moulin2021-02-181
| | | | | Using stdin/stdout makes it possible to tunnel the accountd connection through ssh.
* Split client/webserver/accountd commands on whitespace.Guilhem Moulin2021-02-181
| | | | This doesn't change the default behavior.
* Set the DEBUG environment variable to 0/1 instead of ""/1.Guilhem Moulin2021-02-181
|
* Use 'acme-challenge.XXXXXXXXXX' as template for the temporary ACME challenge ↵Guilhem Moulin2021-02-181
| | | | directory.
* webserver: reopen stdin from /dev/null.Guilhem Moulin2021-02-181
| | | | | Having both lacme(8) and its webserver component reading from the same standard input could yield starvation.
* Split Nginx and Apapche2 static configuration snippets into seperate files.Guilhem Moulin2021-02-181
| | | | | | That way users prefering that over reverse-proxying can just source/enable the relevant files without having to uncomment anything.
* Sanitize environment when spawning children.Guilhem Moulin2021-02-181
| | | | | Set $HOME, $USER, $SHELL, $PATH, $LOGNAME to appropriate values (and perserve $TERM), which matches the login(1) behavior.
* Consolidate error messages for consistency.Guilhem Moulin2021-02-181
|
* client: avoid "Use of uninitialized value in pattern match (m//)" perl warnings.Guilhem Moulin2021-02-181
| | | | When the accountd socket can't be reached.
* Makefile: set executable bit for $(bindir)/lacme-accountd and $(sbindir)/lacme.Guilhem Moulin2021-02-181
|
* Don't load configuration files from ./ by default.Guilhem Moulin2021-02-181
| | | | | | | This is a breaking change: lacme(8) resp. lacme-accountd(1) no longer consider ./lacme.conf resp. ./lacme-accountd.conf as default location for the configuration file. Doing so has security implications when running these program from insecure directories.
* client: use "lacme-client/$VERSION" as User-Agent header.Guilhem Moulin2021-02-181
|
* Add support for TLS Feature extension from RFC 7633.Guilhem Moulin2021-02-151
| | | | This is mostly useful for OCSP Must-Staple.
* Add (self-signed) ISRG Roots to the CA bundle.Guilhem Moulin2021-02-151
| | | | | | | | | | | | | | | This allows us to fully validate provided X.509 chains using that self-contained bundle, regardless of which CAs is marqued as trusted under /etc/ssl/certs. Also, remove cross-signed intermediate CAs from the bundle as they're useless in a self-contained bundle. Also, remove decomissioned intermediate CAs Authority X3 and X4 from the bundle. This change bumps the minimum OpenSSL version to 1.1.0 (for verify(1ssl)'s ‘-trusted’ and ‘-show_chain’ options).
* Improve nginx/apache2 snippets for direct serving of challenge files.Guilhem Moulin2021-02-141
| | | | With the new 'challenge-directory' logic symlinks can be disabled.
* challenge-directory now needs to be set to an *existing* directory.Guilhem Moulin2021-02-141
| | | | | | | Since lacme(8) spawns a builtin webserver by default the change doesn't affect default configurations. See https://bugs.debian.org/970800 for the rationale.
* client: fail immediately when the accountd is unreachable.Guilhem Moulin2021-02-121
|
* Replace Types::Serialiser::true with JSON::true.Guilhem Moulin2021-02-121
| | | | This removes the dependency on Types::Serialiser.
* Raise client timeout from 10 to 30s.Guilhem Moulin2021-02-121
|
* lacme: new flag `--force`.Guilhem Moulin2020-12-091
| | | | | Which aliases to `--min-days=-1`, i.e., forces renewal regardless of the expiration date of existing certificates.
* Make unprivileged user/group for the internal client resp. webserver ↵Guilhem Moulin2020-12-091
| | | | configurable.
* documentation: emphasize default values in the config file.Guilhem Moulin2020-12-091
| | | | | Also, move the most common options ('hash', 'keyUsage', 'CAfile', 'min-days') to the default section.
* documentation: clarify that "file:/path/to/account.key" can point to a ↵Guilhem Moulin2020-12-091
| | | | symmetrically-encrypted private key.
* documentation: suggest to generate private key material with genpkey(1ssl).Guilhem Moulin2020-12-091
| | | | | * Also suggest a command to generate an ECDSA key not just RSA. * Hint at which key algorithms are supported.
* lacme: delay webserver socket shutdown.Guilhem Moulin2020-12-091
| | | | | | | | | | | To after the process has terminated. This solves a race condition spewing accept: Invalid argument at /usr/libexec/lacme/webserver line 80. (harmless) errors. Closes: deb#970458
* Use upstream certicate chain instead of an hardcoded one.upstream/0.7Guilhem Moulin2020-11-261
| | | | | | | | | | | | | This is a breaking change. The certificate indicated by 'CAfile' is no longer used as is in 'certificate-chain' (along with the leaf cert). The chain returned by the ACME v2 endpoint is used instead. This allows for more flexbility with respect to key/CA rotation, cf. https://letsencrypt.org/2020/11/06/own-two-feet.html and https://community.letsencrypt.org/t/beginning-issuance-from-r3/139018 Moreover 'CAfile' now defaults to @@datadir@@/lacme/ca-certificates.crt which is a concatenation of all known active CA certificates (which includes the previous default).
* New release 0.6.1upstream/0.6.1Guilhem Moulin2020-08-041
|
* Ignore [accountd] section from lacme.conf when the --socket option is defined.Guilhem Moulin2020-08-041
| | | | | This allows remotely-controlled lacme processes being controlled without modifying an config files. See https://bugs.debian.org/955767 .
* Makefile: Use variables for target directories etc.Guilhem Moulin2020-08-041
|
* Adapt Apache2 snippet to Apache2 2.4.Guilhem Moulin2020-08-041
|
* Change default libexec dir from /usr/lib/lacme to /usr/libexec/lacme.Guilhem Moulin2020-08-031
|
* Install lacme manpage to section 8.Guilhem Moulin2020-08-031
| | | | As it's a system command, see hier(7) for details.
* Makefile: Major refactoring, add install and uninstall targets.Guilhem Moulin2020-08-031
| | | | Honor BUILD_DOCDIR and DESTDIR variables.
* Use /run for the listening socket of the webserver component.Guilhem Moulin2019-08-221
|
* New release 0.6.upstream/0.6Guilhem Moulin2019-08-211
|
* lacme: new option 'account --deactivate'Guilhem Moulin2019-08-211
| | | | For client-initiated account deactivation. See RFC 8555 sec. 7.3.6.
* Issue GET and POST-as-GET requests (RFC 8555 sec. 6.3)Guilhem Moulin2019-08-211
| | | | | For the authorizations, order and certificate URLs. See RFC 8555 sec. 7.1.
* Link to RFC 8555 instead of the ACME I-D URL.Guilhem Moulin2019-08-211
|
* Call iptables binaries from /usr/sbin not /sbin.Guilhem Moulin2019-08-211
| | | | | | | As of Buster this is the case, and the maintainer plans to drop compatibility symlinks once Bullseye is released. See /usr/share/doc/iptables/NEWS.Debian.gz .
* lacme, client: new dependency Date::Parse.Guilhem Moulin2019-01-211
|
* client: poll order URL instead of each authz URL successively.Guilhem Moulin2019-01-211
| | | | We were blocking on https://github.com/letsencrypt/boulder/issues/3530 .