| Commit message (Collapse) | Author | Age | Files |
|---|
| |
|
|
|
| |
Since we don't pin staging intermediate certificates anymore we drop the
test where the CA bundle contains only intermediates.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Rather than adding intermediates in the certificate bundle we now
validate the leaf certificate with intermediates as untrusted (used for
chain building only). Only the root certificates are used as trust
anchor.
Not pining intermediate certificates anymore is in line with Let's
Encrypt's latest recommendations:
Rotating the set of intermediates we issue from helps keep the
Internet agile and more secure. It encourages automation and
efficiency, and discourages outdated practices like key pinning.
“Key Pinning” is a practice in which clients — either ACME clients
getting certificates for their site, or apps connecting to their own
backend servers — decide to trust only a single issuing intermediate
certificate rather than delegating trust to the system trust store.
Updating pinned keys is a manual process, which leads to an
increased risk of errors and potential business continuity failures.
— https://letsencrypt.org/2024/03/19/new-intermediate-certificates:
|
| |
|
|
|
|
|
|
|
|
| |
versions.
OpenSSL 3.2 from Debian sid spews
Warning: Reading certificate from stdin since no -in or -new option is given
without an explicit `-in /dev/stdin`.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
Domain names are case insensitive so it shouldn't matter, but Let's
Encrypt (staging) ACME server fails with
400 Bad Request (Invalid identifiers requested :: Cannot issue for "YXJCTT7S6K2RQLVO.lacme-test.guilhem.org": Domain name contains an invalid character)
if the sub-domain part of the subjectName is left all-caps.
|
| | |
|
| |
|
|
| |
See https://lists.debian.org/msgid-search/87tty79lwo.fsf@43-1.org .
|
| | |
|
| |
|
|
|
|
|
|
|
| |
internal client.
So it doesn't have to parse the INI file again. Also, while lacme.conf
is world-readable by default, one might restrict permissions and add
private information in there, not realizing that everything, including
comments, will be readable by the client.
|
| | |
|
| |
|
|
|
|
|
|
| |
restrictions.
Also, always spawn the client with umask 0022 so a starting lacme(8)
with a restrictive umask doesn't impede serving challenge response
files.
|
| |
|
|
|
|
|
|
|
| |
Otherwise we end up with files with mode 0644 owned by root:root, and
subsequent lacme(8) invocations will likely not renew them for a while.
This change also saves a chown(2) call. And the new logic (chown resp.
chmod from root:root resp. 0600) is safe if we ever include private key
material in there too.
|
| |
|
|
| |
Due to unknown user/group name.
|
| | |
|
| | |
|
| |
|
|
| |
And doesn't retain root privileges.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
“The JWS Protected Header is a JSON object” — RFC 7515 sec. 2.
“The JWS Protected Header MUST include the following fields:
- "alg"
- "nonce"
- "url"
- either "jwk" or "kid"”
— RFC 8555 sec. 6.2.
|
| |
|
|
| |
Again…
|
| | |
|
| |
|
|
| |
The staging environment wasn't set properly for the Debian packages.
|
| |
|
|
|
| |
This saves a round trip and provides a safeguard against malicious
clients.
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
Prefixed with a timestamp.
|
| |
|
|
|
| |
It's an internal flag, but can be useful for authorized_keys(5)
restrictions.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
lacme(8): for --config=, --socket=, --config-certs= (and ‘socket’/
‘config-certs’/‘challenge-directory’ configuration options *before*
privilege drop; and for the [accountd] section ‘command’/‘config’
configuration options *after* privilege drop).
lacme-accountd(1): for --config=, --socket= and --privkey= (and
‘socket’/‘privkey’ configuration options).
This also changes the default configuration file location. lacme(8) and
lacme-accountd(1) now respectively use /etc/lacme/lacme.conf resp.
/etc/lacme/lacme-accountd.conf when running as root, and
$XDG_CONFIG_HOME/lacme/lacme.conf resp. $XDG_CONFIG_HOME/lacme/lacme-accountd.conf
when running as a normal user. There is no fallback to /etc anymore.
|
| |
|
|
|
|
|
| |
../../lacme/apache2.conf.
This is useful for enabling the snippet with `a2enconf lacme`, cf.
https://bugs.debian.org/955859 .
|
| |
|
|
| |
And add a test case for this.
|
| |
|
|
| |
These tests are not interactive!
|
|
|
https://letsencrypt.org/docs/staging-environment/
|
