Commit message (Collapse) | Author | Age | Files | |
---|---|---|---|---|
* | Prepare new release v0.8.3.v0.8.3 | Guilhem Moulin | 2024-06-13 | 1 |
| | ||||
* | Prepare new release v0.8.2.v0.8.2 | Guilhem Moulin | 2023-04-25 | 1 |
| | ||||
* | Prepare new release v0.8.1.v0.8.1 | Guilhem Moulin | 2023-01-25 | 1 |
| | ||||
* | If restricting access via umask() fails, don't include errno in the error ↵ | Guilhem Moulin | 2021-02-24 | 1 |
| | | | | | | | message. errno is not set on umask failure, see https://perldoc.perl.org/functions/umask. | |||
* | lacme-accountd: Refactor logging logic. | Guilhem Moulin | 2021-02-23 | 1 |
| | ||||
* | lacme-accountd: don't log debug messages unless --debug is set. | Guilhem Moulin | 2021-02-23 | 1 |
| | ||||
* | lacme-accountd: panic() upon internal error of the signing routine. | Guilhem Moulin | 2021-02-22 | 1 |
| | | | | It might croak and we want to log that error also. | |||
* | lacme-accountd: Refuse to sign JWS with an invalid Protected Header. | Guilhem Moulin | 2021-02-22 | 1 |
| | | | | | | | | | | | “The JWS Protected Header is a JSON object” — RFC 7515 sec. 2. “The JWS Protected Header MUST include the following fields: - "alg" - "nonce" - "url" - either "jwk" or "kid"” — RFC 8555 sec. 6.2. | |||
* | lacme-account: Improve log messages. | Guilhem Moulin | 2021-02-22 | 1 |
| | | | | Again… | |||
* | accountd::conn(): Minor refactoring. | Guilhem Moulin | 2021-02-22 | 1 |
| | ||||
* | Prepare new release v0.8.0.v0.8.0 | Guilhem Moulin | 2021-02-22 | 1 |
| | ||||
* | Print error messages only once. | Guilhem Moulin | 2021-02-22 | 1 |
| | ||||
* | logfile: treat empty values as unset. | Guilhem Moulin | 2021-02-22 | 1 |
| | ||||
* | lacme-accountd(1): new setting 'keyid'. | Guilhem Moulin | 2021-02-22 | 1 |
| | | | | | This saves a round trip and provides a safeguard against malicious clients. | |||
* | accountd: Improve log message for incoming requests. | Guilhem Moulin | 2021-02-21 | 1 |
| | ||||
* | accountd: Pass JWA and JWK thumbprint via extended greeting data. | Guilhem Moulin | 2021-02-21 | 1 |
| | | | | | | | | | | | | | | | Passing the JWA to the ACME client is required if we want to support account keys other than RSA. As of 0.7 both lacme-accountd(1) and lacme(8) hardcode “RS256” (SHA256withRSA per RFC 7518 sec. A.1). Passing the JWK thumbprint is handy as it gives more flexibility if RFC 8555 sec. 8.1 were to be updated with another digest algorithm (it's currently hardcoded to SHA-256). A single lacme-account(1) instance might be used to sign requests from many clients, and it's easier to upgrade a single ‘lacme-accountd’ than many ‘lacme’. Moreover, in some restricted environments lacme-accountd might hide the JWK from the client to prevent ‘newAccount’ requests (such as contact updates); passing its thumbprint is enough for ‘newOrder’ requests. | |||
* | wording | Guilhem Moulin | 2021-02-21 | 1 |
| | ||||
* | wording | Guilhem Moulin | 2021-02-21 | 1 |
| | ||||
* | accountd: Fix prototype. | Guilhem Moulin | 2021-02-21 | 1 |
| | ||||
* | lacme-accountd: new setting 'logfile' to log signature requests. | Guilhem Moulin | 2021-02-21 | 1 |
| | | | | Prefixed with a timestamp. | |||
* | lacme-accountd(1): base64url-decode incoming signature requests. | Guilhem Moulin | 2021-02-21 | 1 |
| | | | | Before printing them to the standard error. | |||
* | Add %-specifiers support. | Guilhem Moulin | 2021-02-20 | 1 |
| | | | | | | | | | | | | | | | | lacme(8): for --config=, --socket=, --config-certs= (and ‘socket’/ ‘config-certs’/‘challenge-directory’ configuration options *before* privilege drop; and for the [accountd] section ‘command’/‘config’ configuration options *after* privilege drop). lacme-accountd(1): for --config=, --socket= and --privkey= (and ‘socket’/‘privkey’ configuration options). This also changes the default configuration file location. lacme(8) and lacme-accountd(1) now respectively use /etc/lacme/lacme.conf resp. /etc/lacme/lacme-accountd.conf when running as root, and $XDG_CONFIG_HOME/lacme/lacme.conf resp. $XDG_CONFIG_HOME/lacme/lacme-accountd.conf when running as a normal user. There is no fallback to /etc anymore. | |||
* | lacme-accountd: Don't error out when the default configuration file is missing. | Guilhem Moulin | 2021-02-20 | 1 |
| | | | | | Instead, treat it as an empty file. This makes it possible to use lacme-accountd(1) without configuration file under ~/.config/lacme. | |||
* | Use File::Basename::dirname(). | Guilhem Moulin | 2021-02-20 | 1 |
| | | | | | | To correctly extract the parent directory of the socket path. The previous returned an empty string when the socket path didn't contain ‘/’. | |||
* | accountd: replace internal option --conn-fd=FD with flag --stdio. | Guilhem Moulin | 2021-02-18 | 1 |
| | | | | | Using stdin/stdout makes it possible to tunnel the accountd connection through ssh. | |||
* | Consolidate error messages for consistency. | Guilhem Moulin | 2021-02-18 | 1 |
| | ||||
* | Don't load configuration files from ./ by default. | Guilhem Moulin | 2021-02-18 | 1 |
| | | | | | | | This is a breaking change: lacme(8) resp. lacme-accountd(1) no longer consider ./lacme.conf resp. ./lacme-accountd.conf as default location for the configuration file. Doing so has security implications when running these program from insecure directories. | |||
* | Bump copyright years. | Guilhem Moulin | 2021-02-15 | 1 |
| | ||||
* | wibble | Guilhem Moulin | 2021-02-12 | 1 |
| | ||||
* | documentation: suggest to generate private key material with genpkey(1ssl). | Guilhem Moulin | 2020-12-09 | 1 |
| | | | | | * Also suggest a command to generate an ECDSA key not just RSA. * Hint at which key algorithms are supported. | |||
* | Upgrade links to secure HTTP. | Guilhem Moulin | 2020-08-04 | 1 |
| | ||||
* | Makefile: Use variables for target directories etc. | Guilhem Moulin | 2020-08-04 | 1 |
| | ||||
* | Update copyright infoupstream/0.3 | Guilhem Moulin | 2017-07-09 | 1 |
| | ||||
* | Specify minimum required Perl versions. | Guilhem Moulin | 2017-07-01 | 1 |
| | ||||
* | Ensure fdopen is called with an integer. | Guilhem Moulin | 2017-07-01 | 1 |
| | ||||
* | lacme(1), lacme-accountd(1): fix version number. | Guilhem Moulin | 2017-06-29 | 1 |
| | ||||
* | s/fd-conn/conn-fd/ | Guilhem Moulin | 2016-12-05 | 1 |
| | ||||
* | s/--fdopen/--fd-conn/ | Guilhem Moulin | 2016-12-03 | 1 |
| | ||||
* | Make lacme able to spawn lacme-accountd. | Guilhem Moulin | 2016-12-01 | 1 |
| | ||||
* | Add the short description in headers and manpages. | Guilhem Moulin | 2016-06-14 | 1 |
| | ||||
* | accountd: Don't mention "Let's Encrypt" in log messages. | Guilhem Moulin | 2016-06-14 | 1 |
| | ||||
* | Rename ‘letsencrypt-tiny’ to ‘lacme’. | Guilhem Moulin | 2016-06-13 | 1 |