path: root/lacme
Commit log (commit message, author, date, files changed):

* Bump copyright years. [Guilhem Moulin, 2021-02-15, 1 file]
* Add (self-signed) ISRG Roots to the CA bundle. [Guilhem Moulin, 2021-02-15, 1 file]
  This allows us to fully validate provided X.509 chains using that self-contained bundle, regardless of which CAs are marked as trusted under /etc/ssl/certs. Also, remove cross-signed intermediate CAs from the bundle as they're useless in a self-contained bundle. Also, remove decommissioned intermediate CAs Authority X3 and X4 from the bundle. This change bumps the minimum OpenSSL version to 1.1.0 (for verify(1ssl)'s ‘-trusted’ and ‘-show_chain’ options).
* challenge-directory now needs to be set to an *existing* directory. [Guilhem Moulin, 2021-02-14, 1 file]
  Since lacme(8) spawns a builtin webserver by default, the change doesn't affect default configurations. See https://bugs.debian.org/970800 for the rationale.
* lacme: allow direct use of challenge-directory .well-known/acme-challenge [Benjamin Tietz, 2021-02-14, 1 file]
* lacme: new flag `--force`. [Guilhem Moulin, 2020-12-09, 1 file]
  Which aliases to `--min-days=-1`, i.e., forces renewal regardless of the expiration date of existing certificates.
* Make unprivileged user/group for the internal client resp. webserver configurable. [Guilhem Moulin, 2020-12-09, 1 file]
* lacme: delay webserver socket shutdown. [Guilhem Moulin, 2020-12-09, 1 file]
  To after the process has terminated. This solves a race condition spewing "accept: Invalid argument at /usr/libexec/lacme/webserver line 80." (harmless) errors. Closes: deb#970458
* Use upstream certificate chain instead of a hardcoded one. [upstream/0.7] [Guilhem Moulin, 2020-11-26, 1 file]
  This is a breaking change. The certificate indicated by 'CAfile' is no longer used as is in 'certificate-chain' (along with the leaf cert). The chain returned by the ACME v2 endpoint is used instead. This allows for more flexibility with respect to key/CA rotation, cf. https://letsencrypt.org/2020/11/06/own-two-feet.html and https://community.letsencrypt.org/t/beginning-issuance-from-r3/139018 . Moreover, 'CAfile' now defaults to @@datadir@@/lacme/ca-certificates.crt which is a concatenation of all known active CA certificates (which includes the previous default).
* Upgrade links to secure HTTP. [Guilhem Moulin, 2020-08-04, 1 file]
* Ignore [accountd] section from lacme.conf when the --socket option is defined. [Guilhem Moulin, 2020-08-04, 1 file]
  This allows remotely-controlled lacme processes to be controlled without modifying any config files. See https://bugs.debian.org/955767 .
* Makefile: Use variables for target directories etc. [Guilhem Moulin, 2020-08-04, 1 file]
* Change default libexec dir from /usr/lib/lacme to /usr/libexec/lacme. [Guilhem Moulin, 2020-08-03, 1 file]
* Use /run for the listening socket of the webserver component. [Guilhem Moulin, 2019-08-22, 1 file]
* lacme: new option 'account --deactivate' [Guilhem Moulin, 2019-08-21, 1 file]
  For client-initiated account deactivation. See RFC 8555 sec. 7.3.6.
* Call iptables binaries from /usr/sbin not /sbin. [Guilhem Moulin, 2019-08-21, 1 file]
  As of Buster this is the case, and the maintainer plans to drop compatibility symlinks once Bullseye is released. See /usr/share/doc/iptables/NEWS.Debian.gz .
* lacme, client: new dependency Date::Parse. [Guilhem Moulin, 2019-01-21, 1 file]
* Use ACME v2 endpoints [Guilhem Moulin, 2018-04-27, 1 file]
  https://tools.ietf.org/html/draft-ietf-acme-acme-12
* Update copyright info [upstream/0.3] [Guilhem Moulin, 2017-07-09, 1 file]
* Bind webserver to /var/run/lacme-www.socket by default. [Guilhem Moulin, 2017-07-08, 1 file]
* lacme: Specify minimum required Socket version 1.95. [Guilhem Moulin, 2017-07-01, 1 file]
* Specify minimum required Perl versions. [Guilhem Moulin, 2017-07-01, 1 file]
* Avoid hash slices. [Guilhem Moulin, 2017-07-01, 1 file]
  That's mostly what prevents us from supporting Perl older than 5.20.
* lacme(1), lacme-accountd(1): fix version number. [Guilhem Moulin, 2017-06-29, 1 file]
* webserver: refuse to follow symlink when serving ACME challenge responses. [Guilhem Moulin, 2017-06-29, 1 file]
* Change the default 'min-days' from 10 to 21. [Guilhem Moulin, 2017-06-28, 1 file]
  This avoids expiration notices from Let's Encrypt when auto-renewal is done by a cronjob: Let's Encrypt sends a notice 19 (then 9) days before expiration.
* new-cert: use File::Temp for the temporary cert filename. [Guilhem Moulin, 2017-06-28, 1 file]
  This ensures we aren't overwriting existing /path/to/srv.pem.new files.
* webserver: allow listening to multiple addresses. [Guilhem Moulin, 2017-06-28, 1 file]
  (Useful when dual-stack IPv4/IPv6 is not supported.) Also, change the default to listen to a UNIX-domain socket </var/run/lacme.socket>. Moreover, temporary iptables rules are no longer installed. Hosts without a public HTTP daemon listening on port 80 need to set the 'listen' option to [::] and/or 0.0.0.0, and possibly set the 'iptables' option to Yes.
* new-cert: create certificate files atomically. [Guilhem Moulin, 2017-02-24, 1 file]
* new-cert: mark basicConstraints and keyUsage x509v3 extensions as critical in the CSR. [Guilhem Moulin, 2017-02-22, 1 file]
  Boulder's issue #565 "Golang errors on extensions marked critical" was fixed upstream, cf. https://github.com/letsencrypt/boulder/issues/565 .
* new-cert: new CLI option "min-days" [Guilhem Moulin, 2017-02-19, 1 file]
* new-cert: sort section names if not passed explicitly. [Guilhem Moulin, 2017-02-19, 1 file]
* Ensure lacme's config file descriptor has the FD_CLOEXEC bit set. [Guilhem Moulin, 2017-02-19, 1 file]
* config-cert: import the default section of files already read. [Guilhem Moulin, 2017-02-19, 1 file]
* wibble [Guilhem Moulin, 2017-02-19, 1 file]
* s/lacme-certs.d/lacme-certs.conf.d/ [upstream/0.2] [Guilhem Moulin, 2016-12-05, 1 file]
* "config-certs" now points to a list of files or directories. [Guilhem Moulin, 2016-12-05, 1 file]
* s/fd-conn/conn-fd/ [Guilhem Moulin, 2016-12-05, 1 file]
* s/--fdopen/--fd-conn/ [Guilhem Moulin, 2016-12-03, 1 file]
* lacme: terminate the accountd when the ACME client terminates. [Guilhem Moulin, 2016-12-01, 1 file]
* Revert "lacme: avoid spawning multiple accountd processes." [Guilhem Moulin, 2016-12-01, 1 file]
  This reverts commit 8faab5db6571972156f45b5838b23dbb0fadd5c4. We can't reuse the socket pair as we don't connect(2) to it.
* lacme: avoid spawning multiple accountd processes. [Guilhem Moulin, 2016-12-01, 1 file]
* lacme: add an option --quiet to avoid mentioning valid certs. [Guilhem Moulin, 2016-12-01, 1 file]
* Make lacme able to spawn lacme-accountd. [Guilhem Moulin, 2016-12-01, 1 file]
* Stop mentioning GET-based renewal, as it was removed from the ACME IETF draft. [Guilhem Moulin, 2016-11-30, 1 file]
  https://github.com/ietf-wg-acme/acme/issues/62 https://github.com/ietf-wg-acme/acme/pull/67 :-(
* Add link to Boulder issue #359 (Implement Certificate Refresh). [Guilhem Moulin, 2016-06-30, 1 file]
* Add the short description in headers and manpages. [Guilhem Moulin, 2016-06-14, 1 file]
* Rename ‘letsencrypt-tiny’ to ‘lacme’. [Guilhem Moulin, 2016-06-13, 1 file]