| Commit message (Collapse) | Author | Age | Files |
| |
|
| |
|
|
|
|
| |
Prefixed with a timestamp.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
lacme(8): for --config=, --socket=, --config-certs= (and ‘socket’/
‘config-certs’/‘challenge-directory’ configuration options *before*
privilege drop; and for the [accountd] section ‘command’/‘config’
configuration options *after* privilege drop).
lacme-accountd(1): for --config=, --socket= and --privkey= (and
‘socket’/‘privkey’ configuration options).
This also changes the default configuration file location. lacme(8) and
lacme-accountd(1) now respectively use /etc/lacme/lacme.conf resp.
/etc/lacme/lacme-accountd.conf when running as root, and
$XDG_CONFIG_HOME/lacme/lacme.conf resp. $XDG_CONFIG_HOME/lacme/lacme-accountd.conf
when running as a normal user. There is no fallback to /etc anymore.
|
| |
|
| |
|
|
|
|
| |
Not that it make a difference since we don't run suid.
|
|
|
|
| |
This is needed for gpg-encrypted privkeys.
|
|
|
|
|
|
|
| |
configuration file.
One need to use the lacme-accountd(1) configuration file for that
instead.
|
|
|
|
|
|
|
|
| |
default value.
The previous default, namely /etc/lacme/lacme-accountd.conf, is still
honored when there is the user running lacme doesn't have a
~/.config/lacme/lacme-account.conf configuration file.
|
|
|
|
|
|
| |
To correctly extract the parent directory of the socket path. The
previous returned an empty string when the socket path didn't contain
‘/’.
|
|
|
|
|
| |
Using stdin/stdout makes it possible to tunnel the accountd connection
through ssh.
|
|
|
|
| |
This doesn't change the default behavior.
|
| |
|
|
|
|
| |
directory.
|
|
|
|
|
| |
Having both lacme(8) and its webserver component reading from the same
standard input could yield starvation.
|
|
|
|
|
| |
Set $HOME, $USER, $SHELL, $PATH, $LOGNAME to appropriate values (and
perserve $TERM), which matches the login(1) behavior.
|
| |
|
|
|
|
|
|
|
| |
This is a breaking change: lacme(8) resp. lacme-accountd(1) no longer
consider ./lacme.conf resp. ./lacme-accountd.conf as default location
for the configuration file. Doing so has security implications when
running these program from insecure directories.
|
|
|
|
| |
This is mostly useful for OCSP Must-Staple.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This allows us to fully validate provided X.509 chains using that
self-contained bundle, regardless of which CAs is marqued as trusted
under /etc/ssl/certs.
Also, remove cross-signed intermediate CAs from the bundle as they're
useless in a self-contained bundle.
Also, remove decomissioned intermediate CAs Authority X3 and X4 from the
bundle.
This change bumps the minimum OpenSSL version to 1.1.0 (for
verify(1ssl)'s ‘-trusted’ and ‘-show_chain’ options).
|
|
|
|
|
|
|
| |
Since lacme(8) spawns a builtin webserver by default the change doesn't
affect default configurations.
See https://bugs.debian.org/970800 for the rationale.
|
| |
|
|
|
|
|
| |
Which aliases to `--min-days=-1`, i.e., forces renewal regardless of the
expiration date of existing certificates.
|
|
|
|
| |
configurable.
|
|
|
|
|
|
|
|
|
|
|
| |
To after the process has terminated. This solves a race condition
spewing
accept: Invalid argument at /usr/libexec/lacme/webserver line 80.
(harmless) errors.
Closes: deb#970458
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is a breaking change. The certificate indicated by 'CAfile' is no
longer used as is in 'certificate-chain' (along with the leaf cert).
The chain returned by the ACME v2 endpoint is used instead. This allows
for more flexbility with respect to key/CA rotation, cf.
https://letsencrypt.org/2020/11/06/own-two-feet.html and
https://community.letsencrypt.org/t/beginning-issuance-from-r3/139018
Moreover 'CAfile' now defaults to @@datadir@@/lacme/ca-certificates.crt
which is a concatenation of all known active CA certificates (which
includes the previous default).
|
| |
|
|
|
|
|
| |
This allows remotely-controlled lacme processes being controlled without
modifying an config files. See https://bugs.debian.org/955767 .
|
| |
|
| |
|
| |
|
|
|
|
| |
For client-initiated account deactivation. See RFC 8555 sec. 7.3.6.
|
|
|
|
|
|
|
| |
As of Buster this is the case, and the maintainer plans to drop
compatibility symlinks once Bullseye is released.
See /usr/share/doc/iptables/NEWS.Debian.gz .
|
| |
|
|
|
|
| |
https://tools.ietf.org/html/draft-ietf-acme-acme-12
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
That's mostly what prevents us from supporting Perl older than 5.20.
|
| |
|
| |
|
|
|
|
|
|
| |
This avoids expiration notices from Let's Encrypt when auto-renewal is
done by a cronjob: Let's Encrypt sends a notice 19 (then 9) days before
expiration.
|
|
|
|
| |
This ensures we aren't overwritting existing /path/to/srv.pem.new files.
|
|
|
|
|
|
|
|
|
|
| |
(Useful when dual-stack IPv4/IPv6 is not supported.) Also, change the
default to listen to a UNIX-domain socket </var/run/lacme.socket>.
Moreover temporary iptables rules are no longer installed. Hosts
without a public HTTP daemon listening on port 80 need to set the
'listen' option to [::] and/or 0.0.0.0, and possibly set the 'iptables'
option to Yes.
|
| |
|
|
|
|
|
|
|
| |
in the CSR.
Boulder's issue #565 "Golang errors on extensions marked critical" was
fixed upstream, cf. https://github.com/letsencrypt/boulder/issues/565 .
|
| |
|