Commit message (Collapse) | Author | Age | Files | |
---|---|---|---|---|
* | Consolidate error messages for consistency. | Guilhem Moulin | 2021-02-18 | 1 |
| | ||||
* | client: avoid "Use of uninitialized value in pattern match (m//)" perl warnings. | Guilhem Moulin | 2021-02-18 | 1 |
| | | | | When the accountd socket can't be reached. | |||
* | Makefile: set executable bit for $(bindir)/lacme-accountd and $(sbindir)/lacme. | Guilhem Moulin | 2021-02-18 | 1 |
| | ||||
* | Don't load configuration files from ./ by default. | Guilhem Moulin | 2021-02-18 | 1 |
| | | | | | | | This is a breaking change: lacme(8) resp. lacme-accountd(1) no longer consider ./lacme.conf resp. ./lacme-accountd.conf as default location for the configuration file. Doing so has security implications when running these program from insecure directories. | |||
* | client: use "lacme-client/$VERSION" as User-Agent header. | Guilhem Moulin | 2021-02-18 | 1 |
| | ||||
* | Add support for TLS Feature extension from RFC 7633. | Guilhem Moulin | 2021-02-15 | 1 |
| | | | | This is mostly useful for OCSP Must-Staple. | |||
* | Add (self-signed) ISRG Roots to the CA bundle. | Guilhem Moulin | 2021-02-15 | 1 |
| | | | | | | | | | | | | | | | This allows us to fully validate provided X.509 chains using that self-contained bundle, regardless of which CAs is marqued as trusted under /etc/ssl/certs. Also, remove cross-signed intermediate CAs from the bundle as they're useless in a self-contained bundle. Also, remove decomissioned intermediate CAs Authority X3 and X4 from the bundle. This change bumps the minimum OpenSSL version to 1.1.0 (for verify(1ssl)'s ‘-trusted’ and ‘-show_chain’ options). | |||
* | Improve nginx/apache2 snippets for direct serving of challenge files. | Guilhem Moulin | 2021-02-14 | 1 |
| | | | | With the new 'challenge-directory' logic symlinks can be disabled. | |||
* | challenge-directory now needs to be set to an *existing* directory. | Guilhem Moulin | 2021-02-14 | 1 |
| | | | | | | | Since lacme(8) spawns a builtin webserver by default the change doesn't affect default configurations. See https://bugs.debian.org/970800 for the rationale. | |||
* | client: fail immediately when the accountd is unreachable. | Guilhem Moulin | 2021-02-12 | 1 |
| | ||||
* | Replace Types::Serialiser::true with JSON::true. | Guilhem Moulin | 2021-02-12 | 1 |
| | | | | This removes the dependency on Types::Serialiser. | |||
* | Raise client timeout from 10 to 30s. | Guilhem Moulin | 2021-02-12 | 1 |
| | ||||
* | lacme: new flag `--force`. | Guilhem Moulin | 2020-12-09 | 1 |
| | | | | | Which aliases to `--min-days=-1`, i.e., forces renewal regardless of the expiration date of existing certificates. | |||
* | Make unprivileged user/group for the internal client resp. webserver ↵ | Guilhem Moulin | 2020-12-09 | 1 |
| | | | | configurable. | |||
* | documentation: emphasize default values in the config file. | Guilhem Moulin | 2020-12-09 | 1 |
| | | | | | Also, move the most common options ('hash', 'keyUsage', 'CAfile', 'min-days') to the default section. | |||
* | documentation: clarify that "file:/path/to/account.key" can point to a ↵ | Guilhem Moulin | 2020-12-09 | 1 |
| | | | | symmetrically-encrypted private key. | |||
* | documentation: suggest to generate private key material with genpkey(1ssl). | Guilhem Moulin | 2020-12-09 | 1 |
| | | | | | * Also suggest a command to generate an ECDSA key not just RSA. * Hint at which key algorithms are supported. | |||
* | lacme: delay webserver socket shutdown. | Guilhem Moulin | 2020-12-09 | 1 |
| | | | | | | | | | | | To after the process has terminated. This solves a race condition spewing accept: Invalid argument at /usr/libexec/lacme/webserver line 80. (harmless) errors. Closes: deb#970458 | |||
* | Use upstream certicate chain instead of an hardcoded one.upstream/0.7 | Guilhem Moulin | 2020-11-26 | 1 |
| | | | | | | | | | | | | | This is a breaking change. The certificate indicated by 'CAfile' is no longer used as is in 'certificate-chain' (along with the leaf cert). The chain returned by the ACME v2 endpoint is used instead. This allows for more flexbility with respect to key/CA rotation, cf. https://letsencrypt.org/2020/11/06/own-two-feet.html and https://community.letsencrypt.org/t/beginning-issuance-from-r3/139018 Moreover 'CAfile' now defaults to @@datadir@@/lacme/ca-certificates.crt which is a concatenation of all known active CA certificates (which includes the previous default). | |||
* | New release 0.6.1upstream/0.6.1 | Guilhem Moulin | 2020-08-04 | 1 |
| | ||||
* | Ignore [accountd] section from lacme.conf when the --socket option is defined. | Guilhem Moulin | 2020-08-04 | 1 |
| | | | | | This allows remotely-controlled lacme processes being controlled without modifying an config files. See https://bugs.debian.org/955767 . | |||
* | Makefile: Use variables for target directories etc. | Guilhem Moulin | 2020-08-04 | 1 |
| | ||||
* | Adapt Apache2 snippet to Apache2 2.4. | Guilhem Moulin | 2020-08-04 | 1 |
| | ||||
* | Change default libexec dir from /usr/lib/lacme to /usr/libexec/lacme. | Guilhem Moulin | 2020-08-03 | 1 |
| | ||||
* | Install lacme manpage to section 8. | Guilhem Moulin | 2020-08-03 | 1 |
| | | | | As it's a system command, see hier(7) for details. | |||
* | Makefile: Major refactoring, add install and uninstall targets. | Guilhem Moulin | 2020-08-03 | 1 |
| | | | | Honor BUILD_DOCDIR and DESTDIR variables. | |||
* | Use /run for the listening socket of the webserver component. | Guilhem Moulin | 2019-08-22 | 1 |
| | ||||
* | New release 0.6.upstream/0.6 | Guilhem Moulin | 2019-08-21 | 1 |
| | ||||
* | lacme: new option 'account --deactivate' | Guilhem Moulin | 2019-08-21 | 1 |
| | | | | For client-initiated account deactivation. See RFC 8555 sec. 7.3.6. | |||
* | Issue GET and POST-as-GET requests (RFC 8555 sec. 6.3) | Guilhem Moulin | 2019-08-21 | 1 |
| | | | | | For the authorizations, order and certificate URLs. See RFC 8555 sec. 7.1. | |||
* | Link to RFC 8555 instead of the ACME I-D URL. | Guilhem Moulin | 2019-08-21 | 1 |
| | ||||
* | Call iptables binaries from /usr/sbin not /sbin. | Guilhem Moulin | 2019-08-21 | 1 |
| | | | | | | | As of Buster this is the case, and the maintainer plans to drop compatibility symlinks once Bullseye is released. See /usr/share/doc/iptables/NEWS.Debian.gz . | |||
* | lacme, client: new dependency Date::Parse. | Guilhem Moulin | 2019-01-21 | 1 |
| | ||||
* | client: poll order URL instead of each authz URL successively. | Guilhem Moulin | 2019-01-21 | 1 |
| | | | | We were blocking on https://github.com/letsencrypt/boulder/issues/3530 . | |||
* | Use ACME v2 endpoints | Guilhem Moulin | 2018-04-27 | 1 |
| | | | | https://tools.ietf.org/html/draft-ietf-acme-acme-12 | |||
* | Fix manpage generation with pandoc >=2.1 | Guilhem Moulin | 2018-04-26 | 1 |
| | ||||
* | Copy snippets/*.conf to /etc/lacmeupstream/0.4 | Guilhem Moulin | 2017-07-28 | 1 |
| | ||||
* | Fix generation of manpages with pandoc >=1.18 | Guilhem Moulin | 2017-07-28 | 1 |
| | ||||
* | Update copyright infoupstream/0.3 | Guilhem Moulin | 2017-07-09 | 1 |
| | ||||
* | Bind webserver to /var/run/lacme-www.socket by default. | Guilhem Moulin | 2017-07-08 | 1 |
| | ||||
* | lacme: Specify minimum required Socket version 1.95. | Guilhem Moulin | 2017-07-01 | 1 |
| | ||||
* | Specify minimum required Perl versions. | Guilhem Moulin | 2017-07-01 | 1 |
| | ||||
* | Ensure fdopen is called with an integer. | Guilhem Moulin | 2017-07-01 | 1 |
| | ||||
* | Provide apache2 configuration snippet. | Guilhem Moulin | 2017-06-29 | 1 |
| | ||||
* | Remove potential race when creating ACME challenge response files. | Guilhem Moulin | 2017-06-29 | 1 |
| | ||||
* | lacme(1), lacme-accountd(1): fix version number. | Guilhem Moulin | 2017-06-29 | 1 |
| | ||||
* | webserver: refuse to follow symlink when serving ACME challenge responses. | Guilhem Moulin | 2017-06-29 | 1 |
| | ||||
* | Provide nginx configuration snippet. | Guilhem Moulin | 2017-06-28 | 1 |
| | ||||
* | Change the default 'min-days' from 10 to 21. | Guilhem Moulin | 2017-06-28 | 1 |
| | | | | | | This avoids expiration notices from Let's Encrypt when auto-renewal is done by a cronjob: Let's Encrypt sends a notice 19 (then 9) days before expiration. | |||
* | webserver: allow listening to multiple addresses. | Guilhem Moulin | 2017-06-28 | 1 |
| | | | | | | | | | | (Useful when dual-stack IPv4/IPv6 is not supported.) Also, change the default to listen to a UNIX-domain socket </var/run/lacme.socket>. Moreover temporary iptables rules are no longer installed. Hosts without a public HTTP daemon listening on port 80 need to set the 'listen' option to [::] and/or 0.0.0.0, and possibly set the 'iptables' option to Yes. |