path: root/client
Commit message | Author | Age | Files
* Prepare new release v0.8.2. (ref: v0.8.2) | Guilhem Moulin | 2023-04-25 | 1
* client: Handle "ready" → "processing" → "valid" status change during newOrder. | Guilhem Moulin | 2023-04-25 | 1
  Instead of just "ready" → "valid", which may be what we observe when the server is fast enough, but according to RFC 8555 sec. 7.1.6 the state actually transitions via "processing" state and we need to account for that. It appears Let's Encrypt staging environment now has different timing conditions and lacme is unable to request certificates due to this issue. Thanks to Alexander Borkowski for the report!
* Prepare new release v0.8.1. (ref: v0.8.1) | Guilhem Moulin | 2023-01-25 | 1
* lacme: pass a temporary JSON file with the client configuration to the internal client. | Guilhem Moulin | 2021-02-25 | 1
  So it doesn't have to parse the INI file again. Also, while lacme.conf is world-readable by default, one might restrict permissions and add private information in there, not realizing that everything, including comments, will be readable by the client.
* lacme: Default mode for certificate(-chain) creation is 0644 minus umask restrictions. | Guilhem Moulin | 2021-02-24 | 1
  Also, always spawn the client with umask 0022 so a starting lacme(8) with a restrictive umask doesn't impede serving challenge response files.
* Consolidate error messages. | Guilhem Moulin | 2021-02-23 | 1
* Prepare new release v0.8.0. (ref: v0.8.0) | Guilhem Moulin | 2021-02-22 | 1
* client: Print Terms of Service URL for 'account' command. | Guilhem Moulin | 2021-02-22 | 1
* lacme-accountd(1): new setting 'keyid'. | Guilhem Moulin | 2021-02-22 | 1
  This saves a round trip and provides a safeguard against malicious clients.
* accountd: Pass JWA and JWK thumbprint via extended greeting data. | Guilhem Moulin | 2021-02-21 | 1
  Passing the JWA to the ACME client is required if we want to support account keys other than RSA. As of 0.7 both lacme-accountd(1) and lacme(8) hardcode “RS256” (SHA256withRSA per RFC 7518 sec. A.1). Passing the JWK thumbprint is handy as it gives more flexibility if RFC 8555 sec. 8.1 were to be updated with another digest algorithm (it's currently hardcoded to SHA-256). A single lacme-account(1) instance might be used to sign requests from many clients, and it's easier to upgrade a single ‘lacme-accountd’ than many ‘lacme’. Moreover, in some restricted environments lacme-accountd might hide the JWK from the client to prevent ‘newAccount’ requests (such as contact updates); passing its thumbprint is enough for ‘newOrder’ requests.
* Make the ACME API server URL configurable at build time. | Guilhem Moulin | 2021-02-21 | 1
* Consolidate error messages for consistency. | Guilhem Moulin | 2021-02-18 | 1
* client: avoid "Use of uninitialized value in pattern match (m//)" perl warnings. | Guilhem Moulin | 2021-02-18 | 1
  When the accountd socket can't be reached.
* client: use "lacme-client/$VERSION" as User-Agent header. | Guilhem Moulin | 2021-02-18 | 1
* typofix | Guilhem Moulin | 2021-02-18 | 1
* Bump copyright years. | Guilhem Moulin | 2021-02-15 | 1
* client: fail immediately when the accountd is unreachable. | Guilhem Moulin | 2021-02-12 | 1
* Replace Types::Serialiser::true with JSON::true. | Guilhem Moulin | 2021-02-12 | 1
  This removes the dependency on Types::Serialiser.
* Raise client timeout from 10 to 30s. | Guilhem Moulin | 2021-02-12 | 1
* Use upstream certificate chain instead of a hardcoded one. (ref: upstream/0.7) | Guilhem Moulin | 2020-11-26 | 1
  This is a breaking change. The certificate indicated by 'CAfile' is no longer used as is in 'certificate-chain' (along with the leaf cert). The chain returned by the ACME v2 endpoint is used instead. This allows for more flexibility with respect to key/CA rotation, cf. https://letsencrypt.org/2020/11/06/own-two-feet.html and https://community.letsencrypt.org/t/beginning-issuance-from-r3/139018
  Moreover 'CAfile' now defaults to @@datadir@@/lacme/ca-certificates.crt which is a concatenation of all known active CA certificates (which includes the previous default).
* Upgrade links to secure HTTP. | Guilhem Moulin | 2020-08-04 | 1
* lacme: new option 'account --deactivate' | Guilhem Moulin | 2019-08-21 | 1
  For client-initiated account deactivation. See RFC 8555 sec. 7.3.6.
* Issue GET and POST-as-GET requests (RFC 8555 sec. 6.3) | Guilhem Moulin | 2019-08-21 | 1
  For the authorizations, order and certificate URLs. See RFC 8555 sec. 7.1.
* Link to RFC 8555 instead of the ACME I-D URL. | Guilhem Moulin | 2019-08-21 | 1
* lacme, client: new dependency Date::Parse. | Guilhem Moulin | 2019-01-21 | 1
* client: poll order URL instead of each authz URL successively. | Guilhem Moulin | 2019-01-21 | 1
  We were blocking on https://github.com/letsencrypt/boulder/issues/3530 .
* Use ACME v2 endpoints | Guilhem Moulin | 2018-04-27 | 1
  https://tools.ietf.org/html/draft-ietf-acme-acme-12
* Update copyright info (ref: upstream/0.3) | Guilhem Moulin | 2017-07-09 | 1
* Specify minimum required Perl versions. | Guilhem Moulin | 2017-07-01 | 1
* Ensure fdopen is called with an integer. | Guilhem Moulin | 2017-07-01 | 1
* Remove potential race when creating ACME challenge response files. | Guilhem Moulin | 2017-06-29 | 1
* wibble | Guilhem Moulin | 2017-02-19 | 1
* Honor Retry-After headers for certificate issuance and challenge responses. | Guilhem Moulin | 2016-06-30 | 1
* More useful message upon Validation Challenge failure. | Guilhem Moulin | 2016-06-30 | 1
  Format the problem document if the JSON has an “error” key. Cf. section 7 “Identifier Validation Challenges”.
* Add the short description in headers and manpages. | Guilhem Moulin | 2016-06-14 | 1
* accountd: Don't mention "Let's Encrypt" in log messages. | Guilhem Moulin | 2016-06-14 | 1
* Rename ‘letsencrypt-tiny’ to ‘lacme’. | Guilhem Moulin | 2016-06-13 | 1
* Refactoring to use the account key manager. | Guilhem Moulin | 2016-03-02 | 1
* acme-slave → client; acme-webserver → webserver | Guilhem Moulin | 2015-12-18 | 1