| | Commit message | Author | Age | Files |
---|---|---|---|---|
* | Prepare new release v0.8.3. [v0.8.3] | Guilhem Moulin | 2024-06-13 | 1 |
* | Prepare new release v0.8.2. [v0.8.2] | Guilhem Moulin | 2023-04-25 | 1 |
* | client: Handle "ready" → "processing" → "valid" status change during newOrder. | Guilhem Moulin | 2023-04-25 | 1 |
| | Instead of just "ready" → "valid", which may be what we observe when the server is fast enough, but according to RFC 8555 sec. 7.1.6 the state actually transitions via "processing" state and we need to account for that. It appears Let's Encrypt staging environment now has different timing conditions and lacme is unable to request certificates due to this issue. Thanks to Alexander Borkowski for the report! | | | |
* | Prepare new release v0.8.1. [v0.8.1] | Guilhem Moulin | 2023-01-25 | 1 |
* | lacme: pass a temporary JSON file with the client configuration to the internal client. | Guilhem Moulin | 2021-02-25 | 1 |
| | So it doesn't have to parse the INI file again. Also, while lacme.conf is world-readable by default, one might restrict permissions and add private information in there, not realizing that everything, including comments, will be readable by the client. | | | |
* | lacme: Default mode for certificate(-chain) creation is 0644 minus umask restrictions. | Guilhem Moulin | 2021-02-24 | 1 |
| | Also, always spawn the client with umask 0022 so a starting lacme(8) with a restrictive umask doesn't impede serving challenge response files. | | | |
* | Consolidate error messages. | Guilhem Moulin | 2021-02-23 | 1 |
* | Prepare new release v0.8.0. [v0.8.0] | Guilhem Moulin | 2021-02-22 | 1 |
* | client: Print Terms of Service URL for 'account' command. | Guilhem Moulin | 2021-02-22 | 1 |
* | lacme-accountd(1): new setting 'keyid'. | Guilhem Moulin | 2021-02-22 | 1 |
| | This saves a round trip and provides a safeguard against malicious clients. | | | |
* | accountd: Pass JWA and JWK thumbprint via extended greeting data. | Guilhem Moulin | 2021-02-21 | 1 |
| | Passing the JWA to the ACME client is required if we want to support account keys other than RSA. As of 0.7 both lacme-accountd(1) and lacme(8) hardcode “RS256” (SHA256withRSA per RFC 7518 sec. A.1). Passing the JWK thumbprint is handy as it gives more flexibility if RFC 8555 sec. 8.1 were to be updated with another digest algorithm (it's currently hardcoded to SHA-256). A single lacme-account(1) instance might be used to sign requests from many clients, and it's easier to upgrade a single ‘lacme-accountd’ than many ‘lacme’. Moreover, in some restricted environments lacme-accountd might hide the JWK from the client to prevent ‘newAccount’ requests (such as contact updates); passing its thumbprint is enough for ‘newOrder’ requests. | | | |
* | Make the ACME API server URL configurable at build time. | Guilhem Moulin | 2021-02-21 | 1 |
* | Consolidate error messages for consistency. | Guilhem Moulin | 2021-02-18 | 1 |
* | client: avoid "Use of uninitialized value in pattern match (m//)" perl warnings. | Guilhem Moulin | 2021-02-18 | 1 |
| | When the accountd socket can't be reached. | | | |
* | client: use "lacme-client/$VERSION" as User-Agent header. | Guilhem Moulin | 2021-02-18 | 1 |
* | typofix | Guilhem Moulin | 2021-02-18 | 1 |
* | Bump copyright years. | Guilhem Moulin | 2021-02-15 | 1 |
* | client: fail immediately when the accountd is unreachable. | Guilhem Moulin | 2021-02-12 | 1 |
* | Replace Types::Serialiser::true with JSON::true. | Guilhem Moulin | 2021-02-12 | 1 |
| | This removes the dependency on Types::Serialiser. | | | |
* | Raise client timeout from 10 to 30s. | Guilhem Moulin | 2021-02-12 | 1 |
* | Use upstream certificate chain instead of a hardcoded one. [upstream/0.7] | Guilhem Moulin | 2020-11-26 | 1 |
| | This is a breaking change. The certificate indicated by 'CAfile' is no longer used as is in 'certificate-chain' (along with the leaf cert). The chain returned by the ACME v2 endpoint is used instead. This allows for more flexibility with respect to key/CA rotation, cf. https://letsencrypt.org/2020/11/06/own-two-feet.html and https://community.letsencrypt.org/t/beginning-issuance-from-r3/139018 Moreover 'CAfile' now defaults to @@datadir@@/lacme/ca-certificates.crt which is a concatenation of all known active CA certificates (which includes the previous default). | | | |
* | Upgrade links to secure HTTP. | Guilhem Moulin | 2020-08-04 | 1 |
* | lacme: new option 'account --deactivate' | Guilhem Moulin | 2019-08-21 | 1 |
| | For client-initiated account deactivation. See RFC 8555 sec. 7.3.6. | | | |
* | Issue GET and POST-as-GET requests (RFC 8555 sec. 6.3) | Guilhem Moulin | 2019-08-21 | 1 |
| | For the authorizations, order and certificate URLs. See RFC 8555 sec. 7.1. | | | |
* | Link to RFC 8555 instead of the ACME I-D URL. | Guilhem Moulin | 2019-08-21 | 1 |
* | lacme, client: new dependency Date::Parse. | Guilhem Moulin | 2019-01-21 | 1 |
* | client: poll order URL instead of each authz URL successively. | Guilhem Moulin | 2019-01-21 | 1 |
| | We were blocking on https://github.com/letsencrypt/boulder/issues/3530 . | | | |
* | Use ACME v2 endpoints | Guilhem Moulin | 2018-04-27 | 1 |
| | https://tools.ietf.org/html/draft-ietf-acme-acme-12 | | | |
* | Update copyright info [upstream/0.3] | Guilhem Moulin | 2017-07-09 | 1 |
* | Specify minimum required Perl versions. | Guilhem Moulin | 2017-07-01 | 1 |
* | Ensure fdopen is called with an integer. | Guilhem Moulin | 2017-07-01 | 1 |
* | Remove potential race when creating ACME challenge response files. | Guilhem Moulin | 2017-06-29 | 1 |
* | wibble | Guilhem Moulin | 2017-02-19 | 1 |
* | Honor Retry-After headers for certificate issuance and challenge responses. | Guilhem Moulin | 2016-06-30 | 1 |
* | More useful message upon Validation Challenge failure. | Guilhem Moulin | 2016-06-30 | 1 |
| | Format the problem document if the JSON has an “error” key. Cf. section 7 “Identifier Validation Challenges”. | | | |
* | Add the short description in headers and manpages. | Guilhem Moulin | 2016-06-14 | 1 |
* | accountd: Don't mention "Let's Encrypt" in log messages. | Guilhem Moulin | 2016-06-14 | 1 |
* | Rename ‘letsencrypt-tiny’ to ‘lacme’. | Guilhem Moulin | 2016-06-13 | 1 |
* | Refactoring to use the account key manager. | Guilhem Moulin | 2016-03-02 | 1 |
* | acme-slave → client; acme-webserver → webserver | Guilhem Moulin | 2015-12-18 | 1 |