| Commit message | Author | Age | Files |
| |
versions.
OpenSSL 3.2 from Debian sid spews
    Warning: Reading certificate from stdin since no -in or -new option is given
without an explicit `-in /dev/stdin`.
| |
Domain names are case insensitive so it shouldn't matter, but Let's
Encrypt (staging) ACME server fails with
    400 Bad Request (Invalid identifiers requested :: Cannot issue for "YXJCTT7S6K2RQLVO.lacme-test.guilhem.org": Domain name contains an invalid character)
if the sub-domain part of the subjectName is left all-caps.
| |
See https://lists.debian.org/msgid-search/87tty79lwo.fsf@43-1.org .
| |
internal client.
So it doesn't have to parse the INI file again. Also, while lacme.conf
is world-readable by default, one might restrict permissions and add
private information in there, not realizing that everything, including
comments, will be readable by the client.
| |
restrictions.
Also, always spawn the client with umask 0022 so a starting lacme(8)
with a restrictive umask doesn't impede serving challenge response
files.
| |
Otherwise we end up with files with mode 0644 owned by root:root, and
subsequent lacme(8) invocations will likely not renew them for a while.
This change also saves a chown(2) call. And the new logic (chown resp.
chmod from root:root resp. 0600) is safe if we ever include private key
material in there too.
| |
Due to unknown user/group name.
| |
And doesn't retain root privileges.
| |
“The JWS Protected Header is a JSON object” — RFC 7515 sec. 2.
“The JWS Protected Header MUST include the following fields:
- "alg"
- "nonce"
- "url"
- either "jwk" or "kid"”
— RFC 8555 sec. 6.2.
| |
Again…
| |
The staging environment wasn't set properly for the Debian packages.
| |
This saves a round trip and provides a safeguard against malicious
clients.
| |
Prefixed with a timestamp.
| |
It's an internal flag, but can be useful for authorized_keys(5)
restrictions.
| |
lacme(8): for --config=, --socket=, --config-certs= (and ‘socket’/
‘config-certs’/‘challenge-directory’ configuration options *before*
privilege drop; and for the [accountd] section ‘command’/‘config’
configuration options *after* privilege drop).
lacme-accountd(1): for --config=, --socket= and --privkey= (and
‘socket’/‘privkey’ configuration options).
This also changes the default configuration file location. lacme(8) and
lacme-accountd(1) now respectively use /etc/lacme/lacme.conf resp.
/etc/lacme/lacme-accountd.conf when running as root, and
$XDG_CONFIG_HOME/lacme/lacme.conf resp. $XDG_CONFIG_HOME/lacme/lacme-accountd.conf
when running as a normal user. There is no fallback to /etc anymore.
| |
../../lacme/apache2.conf.
This is useful for enabling the snippet with `a2enconf lacme`, cf.
https://bugs.debian.org/955859 .
| |
And add a test case for this.
| |
These tests are not interactive!
|
https://letsencrypt.org/docs/staging-environment/